IT ethics questions vs. politics



datachicane
06-02-15, 03:50 PM
I'd be interested in the take of others in the field (and outside, for that matter).
For those who haven't heard the sordid story of our former governor and his email woes:

http://www.wweek.com/portland/article-24792-the_whistleblower.html


Full disclosure: I also work in IT for the State of Oregon. I know Michael, although I've never worked directly with him. He's a good guy, makes a mean salsa. I want to be sympathetic to him, and I'm more than willing to give him the benefit of the doubt.

That said- this leaves a very, very bad taste in my mouth. Information security is something we take very seriously. We all go through mandatory retraining on our IT security policies and procedures at least once a year. This is not a subject that's an afterthought, or something that gets lip service.

Improper deletion of data is a serious offense, but no more serious than a data breach. I have no doubt that I would share Michael's concerns about the possibility that the emails would, in fact, be deleted. I strongly suspect that he's not the only one who made an extra copy after seeing that request. While the deletion was, in fact, never carried out, we'll never know whether the leak itself changed that. Given that the request was almost certainly illegal, and given the fact that the Feds had already begun their own investigation, the prudent thing would seem to be to sit on the copy until there was actually a legal framework to disclose them. Turning them over to a reporter before it's even clear that the deletion request will end up being carried out? Unconscionable.

A data breach does not 'cure' improper data deletion, and it's not as if those were the only two options. If the deletion had actually been executed, and if all of the various investigations had petered out, that would present a different scenario- with no possible legal framework left, what he did would become something most professionals in a similar position would at least consider, myself included.

I don't care whether it's someone's email at the top or the bottom of the food chain, mental health records, financial data, criminal records, etc., etc., we have clear and established standards for handling data. Sadly, when politics are involved confirmation bias rules. I think Michael was under a colossal amount of stress and made a mistake, a big one. As someone who knows him, I'm relieved that the new gov has said that she'd prefer he not see prosecution. As a professional? I dunno.

cameraman
06-02-15, 05:18 PM
I don't understand leaking the emails. I would have backed up the data and hidden it and waited for any actual attempt to delete the data. At that point you go to the feds. Leaking it was simply wrong even if it did get rid of a corrupt governor more quickly than it would have happened without the leaks.

datachicane
06-02-15, 05:42 PM
That's precisely my take. While it's a bit of a grey area, taking steps to circumvent a potentially improper deletion is absolutely something that I would consider under the circumstances (and in this instance, I wouldn't be at all surprised if there were other copies stashed on a few servers and thumbdrives by other staff facing the same dilemma). Actually committing a data breach yourself, before giving the legal process a chance to play out? A complete violation of professional standards.

What's tougher is that I know that he wasn't acting out of any political motivation. I can only assume that he was well-intentioned, under a boatload of pressure, and got caught up in events. I was shocked when he was revealed as the source. I know he's trying to save his job (and career), but who could hire someone for any IT position who was responsible for a deliberate breach?

SteveH
06-02-15, 08:50 PM
This has the makings of a Tom Clancy book. Too bad he can't write it.

nrc
06-02-15, 09:19 PM
I knew it wasn't going to end well when the story said that he was responsible for Hawaiian Shirt Day.


https://www.youtube.com/watch?v=8p8Ni1sXBLk

I agree with you 100%. It's almost certain that Oregon has policies and procedures for these circumstances. Once you are certain that you've preserved the records there's absolutely no excuse for not letting the system play out. If the system doesn't play out correctly you simply document that and then the web of improper conduct becomes that much larger. He never took it to the point of being asked to do something illegal but if he had it would have been proper for him to refuse.

Moreover, I think the way he handled the email from the outset was probably improper. Depending on State policy it's probably not proper for him to go sifting through the emails looking for impropriety. He already has cause to refuse to delete them based on state law.

We've seen this jump straight to leaking to the press in a number of cases and I really wonder if it's just because people are more comfortable with doing that because they feel they can justify it as "right" and it avoids going through some of the very uncomfortable discussions that are necessary in an internal whistle blower situation.

Tifosi24
06-02-15, 10:13 PM
I would assume that Oregon's Data Practices Act (or whatever they call it) is similar to Minnesota's. We get a refresher on the MN Data Practices Act every year or so at work. Leaking the actual emails would be a clear violation in the same way that knowingly deleting data would be a violation. My feeling would be that requesting to delete the data would be ethically wrong, but until the data is eliminated it likely wouldn't be a criminal offense. What this guy should have done was save the email requesting deletion and then refuse the order. The truth regarding the governor was going to get out and the IT Manager would be safe. I would assume he was represented by a union, whether he was a member or not, and that is who he should have contacted when this happened along with legal counsel. He did the right thing by not deleting the data, but the wrong thing by leaking it.

datachicane
06-04-15, 11:36 AM
It's official, no charges filed.

http://www.statesmanjournal.com/story/news/politics/2015/06/03/kitzhaber-email-leaker-wont-face-charges/28444821/


I honestly think this is largely political. No one (understandably) wants to appear to take the side of the former Gov.
He would have faced Official Misconduct in the 2nd degree, which is a class C misdemeanor and carries a $1200 fine- pretty much symbolic, but it would have a significant impact on any future career.