City Seeks Restraining Order and Return of Documents Obtained Through Unauthorized Access
FULLERTON, California (October 24, 2019) – The City of Fullerton filed a complaint in Orange County Superior Court against the Friends for Fullerton’s Future (“Blog”) and individuals associated with the Blog for violation of the Comprehensive Computer Data Access and Fraud Act, the Computer Fraud and Abuse Act, and violation of California Government Code § 6204 et. seq. among other violations. The complaint arises from alleged illegal and unauthorized access to a City shared file account in which the defendants repeatedly accessed, downloaded, and published without permission documents and files related to various topics, including but not limited to privileged or otherwise protected communications and documents relating to City of Fullerton internal personnel investigations and actions. The actions of the Blog have placed the City in a position to defend against claims of breach of confidentiality and have potentially put at risk the security of protected information of both employees and members of the public.
“The City was forced into taking legal action to protect the privacy of current and former employees and the public, and to ensure compliance with applicable law to include the California Public Records Act,” stated Fullerton City Manager, Ken Domer. “We are working aggressively on behalf of those affected and took immediate actions to put in place a more secure information technology environment. These actions support our philosophy of transparent access to information while protecting confidential information from the unethical and illegal actions of a few.”
In early June of 2019, the City was alerted to the presence of confidential and legally protected information posted by the defendants on the Blog. This information contained documents related to discipline proceedings protected by the Public Safety Officers Procedural Bill of Rights Act, exemptions under the California Public Records Act, as well as attorney-client privileged communication. The City immediately began an investigation, initiating a comprehensive forensic audit and review of our Information Technology processes. While the internal investigation was being investigated, additional protected material was posted on the Blog and it became clear that the unauthorized and illegally accessed material was more comprehensive than initially known. The City Attorney’s Office issued a Cease and Desist letter to the Blog, but the Blog did not comply.
Based on evidence uncovered in our internal investigation and direction from the City Council, the City Attorney’s Office has now filed a complaint in Superior Court seeking a temporary restraining order against the involved Blog and its contributors. The requested restraining order is limited in scope to protect the 1st Amendment rights of the Blog and seeks only to stop the disclosure of legally protected documents and for all such documents to be returned to the City. It does not seek to quell the Blog’s existence or ability to publish 1st Amendment protected content nor opinion posts.
The City processes information requests under the California Public Records Act (CPRA) as required by law and the Blog and its defendants actively and repeatedly utilize the CPRA process. Generally, when requests involve information from the City’s email system, the information is gathered by Information Technology (IT) Division staff for review by the City Attorney’s Office to determine responsive records per the CPRA. In this case, in January of 2019, a contributor to the Blog requested information based on keywords within emails and the resulting search yielded over 11,000 emails, not including attachments. This batch of emails was placed on the City’s shared file account for review by the City Attorney’s Office. Due to the extensive volume of documents, the defendant was notified to narrow the scope of the search request to make it possible for an attorney to review the responsive records, make required redactions, and to authorize release. The defendant acknowledged this fact, informed the City he would consult with his legal counsel, but shortly thereafter started posting items on the Blog from the privileged batch of emails collected for attorney review. It is now known that the defendants had already downloaded the emails from the City’s shared file account prior to being asked to narrow the scope by using various masking techniques in an attempt to anonymize and hide their origination and identity. As part of the filed complaint, the City submitted a cyber security expert’s declaration in support of the City’s request for a temporary restraining order detailing the forensic evidence supporting the allegations. The evidence includes tracing defendants’ actions through their internet path, including using anonymizing virtual private networks of European Internet Service Providers, based on prior access to the City’s shared file account using their home or business Internet Protocol (IP) address which established a traceable reference point. This expert has been able to determine that the defendants have been making unauthorized access into and downloading files from the shared file account since at least December 2017.
The City filed the complaint to protect the public and our employees, both current and former, from unauthorized access to protected information. The City, through its cyber experts, has identified a limited number of persons, including employees and members of the public, whose protected information may have been included in the documents and is in the process of contacting them to offer credit monitoring services. The City views this unauthorized and illegal access of protected information as a serious breach and will take all actions to prevent further releases and future breaches.
The City’s IT Division, currently reporting to the Chief of Police, is undergoing a comprehensive audit and recently completed and implemented the results of a vulnerability review. The City is under contract with a new IT consulting firm for staff augmentation and will further contract with them to develop a comprehensive information technology plan to further enhance the City’s IT Division and infrastructure.
Documents related to the filing can be found at: https://docs.cityoffullerton.com/weblink/1/fol/751807/Row1.aspx