The Georgia Secretary of State’s office, which acknowledged last month it inadvertently released personal information on every registered voter in the state, has blamed a single employee for the breach. But records show the problem was deeper than the Secretary of State’s office has acknowledged, revealing a business culture that ignored written policies for the sake of expediency, according to a review by The Atlanta Journal-Constitution. Secretary of State Brian Kemp, who declined to answer the AJC’s questions, blamed the release of Social Security numbers, birth dates and drivers’ license numbers on Gary Cooley, a low-level computer programmer. Kemp quickly fired Cooley, saying he failed to follow data-handling procedures and covered up his mistake for weeks.
Yet employee statements, emails, policies and other documents — hundreds of pages included as exhibits to the report — present a more nuanced picture of an office that paid little attention to the policies put in place to safeguard data until it was too late.
The day after the breach was discovered, the chief information officer for Kemp’s office, Merritt Beaver, acknowledged the lackadaisical approach to policies in an email sent to IT staff. Any changes to the office software had to adhere to policy “starting immediately,” he wrote.