ORCA user data disclosure incident
In 2016, Sound Transit, the regional transit agency serving the Seattle metropolitan area, accidentally shared the personal information of 173,000 users of the ORCA fare payment card with Mass Transit Now, the political committee supporting Sound Transit 3, a tax measure to fund expanding the transit agency's services. The personal information of ORCA card users is protected under state law and not subject to public disclosure laws. The disclosure generated political controversy and has spawned multiple investigations.
The data was released after Mass Transit Now filed a public disclosure request for e-mails gathered by Sound Transit, to campaign for Sound Transit 3 to those individuals. Along with the email contact lists Sound Transit was required to disclose, agency staff unknowingly included a list of email addresses associated with the ORCA card program.
The incident[edit]
Washington State open government laws require government agencies like Sound Transit to release their data upon request, but the personal information of users of the ORCA fare payment card is exempt from public disclosure.[Note 1]
Sound Transit licenses a system called GovDelivery to send digital communications to subscribers, allowing a large number of emails to be sent at one time and not have them marked as spam.[2] At the time of the incident the Central Puget Sound Regional Fare Coordination System, the group that manages the ORCA card, did not have a license for GovDelivery, and had from time to time used Sound Transit's GovDelivery system to send communications to users.
In February 2016, the email addresses of 173,000 ORCA card users were uploaded to Sound Transit's GovDelivery system to send an update to cardholders reminding them of an upcoming fare change on transit services.[2][3] In the past, after a message like this was sent, the data was deleted from GovDelivery, but in this case, it was not.
On March 28, 2016, Abigail Doerr, the campaign manager of Mass Transit Now filed a public disclosure request asking that Sound Transit provide a list of all of the agency's email subscribers[4]. When staff for the transit agency and staff with GovDelivery assembled that list, they appear to have unknowingly included a list of email addresses used to send out the February communication with users of the ORCA card program.[2] The list of email addresses was provided to Mass Transit Now on April 11, 2016.
On August 16, 2016, Mass Transit Now sent out an email regarding the Sound Transit 3 ballot initiative to expand Sound Transit to people on its campaign electronic mailing list. That list was built using the information provided by Sound Transit that included the email addresses of ORCA card users. The disclosure was discovered by an ORCA cardholder who received the campaign email at an email address that he only uses for messages from the ORCA system. He contacted the Seattle Times to report that his email address had been shared with the campaign when he did not give permission to Sound Transit to share that information.[3]
The story prompted conservative political operative, Conner Edwards, to file a citizen action notice with the offices of the Washington Attorney General and the King County Prosecuting Attorney, alleging that Sound Transit had violated the law.[Note 2][6]
Aftermath[edit]
Sound Transit CEO Peter Rogoff response[edit]
On discovery of the error, Sound Transit issued a written request to Mass Transit Now to delete the e-mail addresses and also deleted the offending e-mail addresses from the Sound Transit publicly disclosable GovDelivery database. The goal of Sound Transit's response was to ensure, as per Sound Transit CEO Peter Rogoff's testimony to the Sound Transit Board, "The incident could not be repeated."[7]
Public Disclosure Commission investigation[edit]
On August 20, 2016, political operative Conner Edwards filed a complaint with the Public Disclosure Commission[8] alleging the leak of this data was, "Sound Transit influencing the outcome of the election with public resources". Although the staff report recommended referral to the State Attorney General's Office; the Washington State Public Disclosure Commission on September 21, 2016 declined to take further action. PDC Commission Chair Anne Levinson observed that “Public agencies are required to comply with the public disclosure laws … and mistakes are made during the regular course of business.”[9]
Washington Attorney General investigation[edit]
The Washington Attorney General's office conducted an investigation into the disclosure and determined that the evidence indicates that the email addresses were inadvertently released. It did not find any evidence that Sound Transit staff took action intended to promote Mass Transit Now or the Sound Transit 3 ballot initiative. As a result, the Attorney General's office took no further action.[10]
Washington State Senate investigation[edit]
State Senators Steve O'Ban and Dino Rossi at the prompting of constituents and conservative talk radio hosts requested the State Senate Law and Justice Committee to investigate various elements of Sound Transit 3 including the email disclosure, claiming, "Sound Transit illegally provided the email addresses of ORCA cardholders to a political campaign in favor of Prop. 1."[11] The request for the hearings was granted and State Senator O'Ban & an Everett Herald columnist has said the disclosure of emails will feature in those hearings.[12][13][14]
Notes[edit]
- ↑ The exemption is per Revised Code of Washington 42.56.330(5):[1] The personally identifying information of persons who acquire and use transit passes or other fare payment media including, but not limited to, stored value smart cards and magnetic strip cards, except that an agency may disclose personally identifying information to a person, employer, educational institution, or other entity that is responsible, in whole or in part, for payment of the cost of acquiring or using a transit pass or other fare payment media for the purpose of preventing fraud. As used in this subsection, "personally identifying information" includes acquisition or use information pertaining to a specific, individual transit pass or fare payment media.
- ↑ Specifically, he alleged that Sound Transit had violated Revised Code of Washington 42.17A.555.[5]
References[edit]
- ↑ "RCW 42.56.330". State of Washington.
- ↑ 2.0 2.1 2.2 Allen, Penny L.; Crummer, Chad (October 12, 2016). "Report of Investigation - Sound Transit Citizen Action Letter" (PDF). Attorney General of Washington. Retrieved July 10, 2017.
- ↑ 3.0 3.1 Kamb, Lewis (August 19, 2016). "Sound Transit improperly sent 173,000 ORCA card users' info to political campaign". The Seattle Times. Retrieved May 27, 2017.
- ↑ Abigail Doerr E-mail to Sound Transit, March 6, 2016, retrieved October 1, 2017
- ↑ "RCW 42.17A.555". State of Washington.
- ↑ "Conner Edwards' Complaint to Washington State Public Disclosure Commission" (PDF). We the Governed. Retrieved May 27, 2017.
- ↑ "YouTube of "Sound Transit CEO Peter Rogoff on ORCAleak"". Retrieved July 7, 2017.
- ↑ "Washington State Public PDC" (PDF). Washington State PDC. Retrieved May 27, 2017.
- ↑ Kamb, Lewis (September 22, 2016). "Campaign watchdog decides Sound Transit did not break laws in release of ORCA emails". The Seattle Times. Retrieved May 28, 2017.
- ↑ Dalton, Linda A. (October 19, 2016). "Citizen Action Notice against Sound Transit" (PDF). Attorney General of Washington. Retrieved July 10, 2017.
- ↑ "State Senators O'Ban & Rossi Letter Requesting Hearings" (PDF). Washington State Senate. Retrieved May 27, 2017.
- ↑ "State Senator O'Ban Explaining Why Hearings Into Sound Transit". Washington State Senate Republicans. Retrieved May 27, 2017.
- ↑ Todd E Herman (September 27, 2017). "The Todd Herman Show Sept 27, 2017 - Hour 1" (Podcast). KTTH. Event occurs at 6:06. Retrieved Oct 1, 2017.
- ↑ Cornfield, Jerry (October 3, 2017). "Everett hearing to air Sound Transit election accusations, The agency improperly handed over email addresses to political forces conducting the pro-ST3 campaign". Everett Herald. Retrieved October 3, 2017.
This article "ORCA user data disclosure incident" is from Wikipedia. The list of its authors can be seen in its historical. Articles copied from Draft Namespace on Wikipedia could be seen on the Draft Namespace of Wikipedia and not main one.