t

W-2 wage information of Kent city employees ‘inadvertently disclosed’ | Update

Full names, addresses and Social Security numbers released in an email from one employee to another

A city of Kent staff member “inadvertently disclosed to (another city) employee a file containing the 2020 W-2 Wage and Tax Statement information for all city employees,” according to an email sent by Chief Administrative Officer Pat Fitzpatrick to city employees.

In the Friday, Aug. 19 email, Fitzpatrick said he was writing to employees to let them know their personal information had likely been exposed to a fellow staff member.

“The city takes the protection of your personal information very seriously and I am contacting you directly to explain what occurred and the steps taken in response to the incident,” said Fitzpatrick, according to the email.

A person anonymously provided the email Monday, Aug. 22 to the Kent Reporter.

“On Friday, Aug. 12, an employee of the Police Department requested their personal W-2 and payroll information from 2020,” Fitzpatrick said in the email. “Later that day, a staff member inadvertently disclosed to the employee a file containing the 2020 W-2 Wage and Tax Statement information for all city employees.

“Believing the email and attachments received at their city email address were in response to their request, and without opening the attachment, the PD employee forwarded the information to a personal email account they share with their significant other. Once the employee opened the email attachment from their personal email account, they recognized they were provided information they should not have been provided and quickly notified the city to report the matter.

“The PD employee was contacted the following day and directed to delete the email from their personal email account. In follow-up communications, the PD employee confirmed that the email and W-2 information was not shared and was deleted from their personal email account, including their inbox and their deleted emails. IT also removed the email from the sender’s and recipient’s sent, received and deleted email files.”

Fitzpatrick explained what information was disclosed

“Information that was disclosed includes full names, addresses, Social Security numbers, salary information, and other related information found on a W-2 Wage and Tax Statement for those employed in 2020,” Fitzpatrick said in the email. “This inadvertent disclosure was discovered quickly, remedial action was taken promptly, and no personal identifiable information of any employee was recorded, retained, or otherwise used.”

Fitzpatrick said what steps city staff will take.

“While we are satisfied the disclosure did not occur as a result of nefarious actions and was not and will not be used for nefarious reasons, we are investigating the root cause of the inadvertent disclosure and will take appropriate steps to ensure, to the best of our ability, that this does not occur again,” Fitzpatrick said.

The city had about 734 employees in 2020, according to city budget documents.

Second email to employees

Fitzpatrick sent a second email to employees Monday, Aug. 22, which the Kent Reporter obtained through a public records request.

Fitzpatrick said that when city emails are sent to private emails – the emails are automatically encrypted while in transmission.

“For this reason, when it was sent outside of the city, it was not at risk of being accessed by someone that did not have direct access to the receiving employee’s personal email account,” Fitzpatrick said. “The receiving employee recognized the problem, notified the city as soon as the attachment was discovered, and did not share the attachment or its contents. Further, IT will remove (or has removed) the email from the city’s system and the employee will be signing a legal declaration that it was not shared with others.”

Fitzpatrick said through the city’s insurer, it has a law firm on retainer for these type of incidents.

“We have access to attorneys who are former federal prosecutors and national experts in the fields of cyber security and data breach, and they have on hand technical IT experts that assist them,” Fitzpatrick said. “The city also has a very knowledgeable IT group dedicated to cyber security. The risk of outside access was extremely low, all of the information available points to there being no outside access, and this incident did not meet the threshold of legal notice requirements.”

Fitzpatrick concluded the email with the following statement.

“I know this is unnerving and disappointing, and we are taking steps to ensure this does not happen again,” he said. “As an aside, I have a meeting with IT and the mayor (Dana Ralph) already scheduled on the topic of security and encryption for next week.”

Employee notice

In an Aug. 22 email to the Kent Reporter, Fitzpatrick said under state law, this accidental disclosure, which was reported within hours of its occurrence, did not trigger a legally required notification to affected employees.

“Notice was not required because the accidental disclosure here was not a qualifying breach under state law or made to a malicious actor,” he said. “Had the disclosure required notification, the city would have had 30 days within which to provide notice, as the law recognizes the need for a reasonable amount of time to determine what happened before issuing notice.”

Despite no required notification, the city let employees know about the incident.

“While notice was not legally required, administration determined that voluntary notification to the city of Kent family was appropriate,” Fitzpatrick said.

Fitzpatrick explained the reasons the city didn’t sent out notice right away but waited about a week.

“When the incident was discovered on a Friday evening, the city’s immediate and primary focus was to prevent further dissemination of the information,” he said. “Once that was accomplished, the city took steps to remove the information from computer servers. The effort then shifted to learning what happened and why. This was to ensure the city could provide accurate information to employees in order to prevent confusion and avoid unanswered questions. Once the specifics were determined, notice was provided to employees.”


Talk to us

Please share your story tips by emailing editor@kentreporter.com.

To share your opinion for publication, submit a letter through our website https://www.kentreporter.com/submit-letter/. Include your name, address and daytime phone number. (We’ll only publish your name and hometown.) Please keep letters to 300 words or less.

More in News

Courtesy Photo, City of Kent
Kent City Council approves B&O tax increases to hire more police

Additional revenue will pay for four police department positions

t
King County executive will nominate replacements for Upthegrove

District 5, which includes parts of Kent, will get new representative on County Council in January

t
SeaTac man, 21, fatally shot in vehicle in Kent on West Hill

Someone ran up and fired multiple shots into vehicle Nov. 21 at Veterans Drive and Military Road

Kentwood High School, 25800 164th Ave. SE, in Covington, remained without power Thursday morning, Nov. 21, according to Puget Sound Energy. COURTESY PHOTO, Kent School District
Kent schools remain closed due to windstorm damage, power outages

Second consecutive day of closures Thursday, Nov. 21 across the Kent School District

t
Kent-based Puget Sound Fire calls windstorm ‘one for the ages’

Agency responds to 308 calls in 12-hour period, including 245 for storm-related issues

Crews clear trees from State Route 18, which the Washington State Patrol closed in both directions Wednesday, Nov. 20, from Issaquah Hobart to I-90 over Tiger Mountain because of fallen trees during a windstorm. COURTESY PHOTO, Washington State Patrol
Windstorm closes Kent schools, roads due to fallen trees

Many without power in areas of Kent and beyond

t
“Prolific” vehicular theft suspect arrested in Renton

Kent man holds 13 prior convictions and 41 arrests.

tt
Green Kent volunteer program wraps up season at city park

Volunteers remove invasive species, plant native trees and shrubs at Mill Creek Canyon Earthworks Park

t
Copper-wire thieves damage Kent Senior Center roof refrigeration unit

Facility temporarily loses commercial kitchen refrigerator but staff, community keep meals going

t
16-year-old girl dies in Covington single-car crash

Teen was driving when car crashed into a tree Nov. 15 along SE 256th Street just east of Kent

t
Kent Police Blotter: Oct. 24-Nov. 7

Incidents include carjacking, juvenile fight, stolen vehicle pursuit