ORCA user data disclosure incident

From Infogalactic: the planetary knowledge core
Jump to: navigation, search

In 2016, Sound Transit, the regional transit agency serving the Seattle metropolitan area, accidentally shared the personal information of 173,000 users of the ORCA fare payment card with Mass Transit Now, the political committee supporting Sound Transit 3, a tax measure to fund expanding the transit agency's services. The personal information of ORCA card users is protected under state law and not subject to public disclosure laws. The disclosure generated political controversy and has spawned multiple investigations.

The data was released after Mass Transit Now filed a public disclosure request for e-mails gathered by Sound Transit, to campaign for Sound Transit 3 to those individuals. Along with the email contact lists Sound Transit was required to disclose, agency staff unknowingly included a list of email addresses associated with the ORCA card program.

The incident

Washington State open government laws require government agencies like Sound Transit to release their data upon request, but the personal information of users of the ORCA fare payment card is exempt from public disclosure.[Note 1]

Sound Transit licenses a system called GovDelivery to send digital communications to subscribers, allowing a large number of emails to be sent at one time and not have them marked as spam.[2] At the time of the incident the Central Puget Sound Regional Fare Coordination System, the group that manages the ORCA card, did not have a license for GovDelivery, and had from time to time used Sound Transit's GovDelivery system to send communications to users.

In February 2016, the email addresses of 173,000 ORCA card users were uploaded to Sound Transit's GovDelivery system to send an update to cardholders reminding them of an upcoming fare change on transit services.[2][3] In the past, after a message like this was sent, the data was deleted from GovDelivery, but in this case, it was not.

On March 28, 2016, Abigail Doerr, the campaign manager of Mass Transit Now filed a public disclosure request asking that Sound Transit provide a list of all of the agency's email subscribers[4]. When staff for the transit agency and staff with GovDelivery assembled that list, they appear to have unknowingly included a list of email addresses used to send out the February communication with users of the ORCA card program.[2] The list of email addresses was provided to Mass Transit Now on April 11, 2016.

On August 16, 2016, Mass Transit Now sent out an email regarding the Sound Transit 3 ballot initiative to expand Sound Transit to people on its campaign electronic mailing list. That list was built using the information provided by Sound Transit that included the email addresses of ORCA card users. The disclosure was discovered by an ORCA cardholder who received the campaign email at an email address that he only uses for messages from the ORCA system. He contacted the Seattle Times to report that his email address had been shared with the campaign when he did not give permission to Sound Transit to share that information.[3]

The story prompted conservative political operative, Conner Edwards, to file a citizen action notice with the offices of the Washington Attorney General and the King County Prosecuting Attorney, alleging that Sound Transit had violated the law.[Note 2][6]

Aftermath

Sound Transit CEO Peter Rogoff response

On discovery of the error, Sound Transit issued a written request to Mass Transit Now to delete the e-mail addresses and also deleted the offending e-mail addresses from the Sound Transit publicly disclosable GovDelivery database. The goal of Sound Transit's response was to ensure, as per Sound Transit CEO Peter Rogoff's testimony to the Sound Transit Board, "The incident could not be repeated."[7]

Public Disclosure Commission investigation

On August 20, 2016, political operative Conner Edwards filed a complaint with the Public Disclosure Commission[8] alleging the leak of this data was, "Sound Transit influencing the outcome of the election with public resources". Although the staff report recommended referral to the State Attorney General's Office; the Washington State Public Disclosure Commission on September 21, 2016 declined to take further action. PDC Commission Chair Anne Levinson observed that “Public agencies are required to comply with the public disclosure laws … and mistakes are made during the regular course of business.”[9]

Washington Attorney General investigation

The Washington Attorney General's office conducted an investigation into the disclosure and determined that the evidence indicates that the email addresses were inadvertently released. It did not find any evidence that Sound Transit staff took action intended to promote Mass Transit Now or the Sound Transit 3 ballot initiative. As a result, the Attorney General's office took no further action.[10]

Washington State Senate investigation

State Senators Steve O'Ban and Dino Rossi at the prompting of constituents and conservative talk radio hosts requested the State Senate Law and Justice Committee to investigate various elements of Sound Transit 3 including the email disclosure, claiming, "Sound Transit illegally provided the email addresses of ORCA cardholders to a political campaign in favor of Prop. 1."[11] The request for the hearings was granted and State Senator O'Ban & an Everett Herald columnist has said the disclosure of emails will feature in those hearings.[12][13][14]

Notes

  1. The exemption is per Revised Code of Washington 42.56.330(5):[1] The personally identifying information of persons who acquire and use transit passes or other fare payment media including, but not limited to, stored value smart cards and magnetic strip cards, except that an agency may disclose personally identifying information to a person, employer, educational institution, or other entity that is responsible, in whole or in part, for payment of the cost of acquiring or using a transit pass or other fare payment media for the purpose of preventing fraud. As used in this subsection, "personally identifying information" includes acquisition or use information pertaining to a specific, individual transit pass or fare payment media.
  2. Specifically, he alleged that Sound Transit had violated Revised Code of Washington 42.17A.555.[5]

References

  1. Lua error in package.lua at line 80: module 'strict' not found.
  2. 2.0 2.1 2.2 Lua error in package.lua at line 80: module 'strict' not found.
  3. 3.0 3.1 Lua error in package.lua at line 80: module 'strict' not found.
  4. Lua error in package.lua at line 80: module 'strict' not found.
  5. Lua error in package.lua at line 80: module 'strict' not found.
  6. Lua error in package.lua at line 80: module 'strict' not found.
  7. Lua error in package.lua at line 80: module 'strict' not found.
  8. Lua error in package.lua at line 80: module 'strict' not found.
  9. Lua error in package.lua at line 80: module 'strict' not found.
  10. Lua error in package.lua at line 80: module 'strict' not found.
  11. Lua error in package.lua at line 80: module 'strict' not found.
  12. Lua error in package.lua at line 80: module 'strict' not found.
  13. Lua error in package.lua at line 80: module 'strict' not found.
  14. Lua error in package.lua at line 80: module 'strict' not found.
Retrieved from "https://infogalactic.com/w/index.php?title=ORCA_user_data_disclosure_incident&oldid=725305928"