W-2 wage information of Kent city employees ‘inadvertently disclosed’ | Update

A city of Kent staff member “inadvertently disclosed to (another city) employee a file containing the 2020 W-2 Wage and Tax Statement information for all city employees,” according to an email sent by Chief Administrative Officer Pat Fitzpatrick to city employees.

In the Friday, Aug. 19 email, Fitzpatrick said he was writing to employees to let them know their personal information had likely been exposed to a fellow staff member.

“The city takes the protection of your personal information very seriously and I am contacting you directly to explain what occurred and the steps taken in response to the incident,” said Fitzpatrick, according to the email.

A person anonymously provided the email Monday, Aug. 22 to the Kent Reporter.

“On Friday, Aug. 12, an employee of the Police Department requested their personal W-2 and payroll information from 2020,” Fitzpatrick said in the email. “Later that day, a staff member inadvertently disclosed to the employee a file containing the 2020 W-2 Wage and Tax Statement information for all city employees.

“Believing the email and attachments received at their city email address were in response to their request, and without opening the attachment, the PD employee forwarded the information to a personal email account they share with their significant other. Once the employee opened the email attachment from their personal email account, they recognized they were provided information they should not have been provided and quickly notified the city to report the matter.

“The PD employee was contacted the following day and directed to delete the email from their personal email account. In follow-up communications, the PD employee confirmed that the email and W-2 information was not shared and was deleted from their personal email account, including their inbox and their deleted emails. IT also removed the email from the sender’s and recipient’s sent, received and deleted email files.”

Fitzpatrick explained what information was disclosed

“Information that was disclosed includes full names, addresses, Social Security numbers, salary information, and other related information found on a W-2 Wage and Tax Statement for those employed in 2020,” Fitzpatrick said in the email. “This inadvertent disclosure was discovered quickly, remedial action was taken promptly, and no personal identifiable information of any employee was recorded, retained, or otherwise used.”

Fitzpatrick said what steps city staff will take.

“While we are satisfied the disclosure did not occur as a result of nefarious actions and was not and will not be used for nefarious reasons, we are investigating the root cause of the inadvertent disclosure and will take appropriate steps to ensure, to the best of our ability, that this does not occur again,” Fitzpatrick said.

The city had about 734 employees in 2020, according to city budget documents.

Second email to employees

Fitzpatrick sent a second email to employees Monday, Aug. 22, which the Kent Reporter obtained through a public records request.

Fitzpatrick said that when city emails are sent to private emails – the emails are automatically encrypted while in transmission.

“For this reason, when it was sent outside of the city, it was not at risk of being accessed by someone that did not have direct access to the receiving employee’s personal email account,” Fitzpatrick said. “The receiving employee recognized the problem, notified the city as soon as the attachment was discovered, and did not share the attachment or its contents. Further, IT will remove (or has removed) the email from the city’s system and the employee will be signing a legal declaration that it was not shared with others.”

Fitzpatrick said through the city’s insurer, it has a law firm on retainer for these type of incidents.

“We have access to attorneys who are former federal prosecutors and national experts in the fields of cyber security and data breach, and they have on hand technical IT experts that assist them,” Fitzpatrick said. “The city also has a very knowledgeable IT group dedicated to cyber security. The risk of outside access was extremely low, all of the information available points to there being no outside access, and this incident did not meet the threshold of legal notice requirements.”

Fitzpatrick concluded the email with the following statement.

“I know this is unnerving and disappointing, and we are taking steps to ensure this does not happen again,” he said. “As an aside, I have a meeting with IT and the mayor (Dana Ralph) already scheduled on the topic of security and encryption for next week.”

Employee notice

In an Aug. 22 email to the Kent Reporter, Fitzpatrick said under state law, this accidental disclosure, which was reported within hours of its occurrence, did not trigger a legally required notification to affected employees.

“Notice was not required because the accidental disclosure here was not a qualifying breach under state law or made to a malicious actor,” he said. “Had the disclosure required notification, the city would have had 30 days within which to provide notice, as the law recognizes the need for a reasonable amount of time to determine what happened before issuing notice.”

Despite no required notification, the city let employees know about the incident.

“While notice was not legally required, administration determined that voluntary notification to the city of Kent family was appropriate,” Fitzpatrick said.

Fitzpatrick explained the reasons the city didn’t sent out notice right away but waited about a week.

“When the incident was discovered on a Friday evening, the city’s immediate and primary focus was to prevent further dissemination of the information,” he said. “Once that was accomplished, the city took steps to remove the information from computer servers. The effort then shifted to learning what happened and why. This was to ensure the city could provide accurate information to employees in order to prevent confusion and avoid unanswered questions. Once the specifics were determined, notice was provided to employees.”