Cybersecurity and ethics questions surround computer files found in Lancaster County office | Local News

Dozens of personal files belonging to Lancaster County’s top lawyer – including documents related to local Republican Party committees – were discovered on a county government computer network earlier this year, raising questions about whether she performed campaign or other outside work using taxpayer time or resources.

The files belong to Jacqulyn E. Pfursich, the former clerk of courts who last year was appointed county solicitor. Pfursich said she accidentally transferred the files onto the county’s computer network when she used a personal thumb drive in July 2021 to transfer some work-related files as she transitioned into her new role as solicitor.

LNP | LancasterOnline obtained copies of the 85 or so files in question. They include 55 documents related to Pfursich’s political work with the county and Hempfield Republican committees, at least 13 files related to outside legal work Pfursich conducted during years she was serving as clerk of courts, and 11 files that were personal in nature, like her children’s report cards. The nature of a few other files — such as a notice for a winter donation drive — is unclear.

At the same time she served as clerk of courts, Pfursich represented private legal clients on the side. She’s also been a longtime leader in the local Republican Party, serving as chair of the Hempfield Area Republican Committee since 2016.

The clerk of courts is an elected position. Elected officials like the clerk are permitted to hold outside jobs while serving in office. But Pennsylvania’s Public Officials and Employees Ethics Act bars elected officials from using their office for “personal financial gain.” And the Pennsylvania State Ethics Commission, which investigates ethics complaints, has found conducting campaign work and personal work with county resources, such as a computer or telephone, to qualify as a type of financial gain.

The commission also has to find that the activity was more than a small gain. It found in 2017 that a Beaver County commissioner, Joe Spanik, had violated the Ethics Act by directing his secretary at the county to do campaign work for his re-election. She used county office equipment and time she was on the clock to do it.

The commission calculated she spent about 17 hours doing the work, valued at a minimum of $415, based on her pay rate. He also used notary services from the county valued at $180. Spanik accepted an agreement with the commission to pay $1,000, most of which went to Beaver County.

Files reported

The political and personal files belonging to Pfursich were first discussed in public at a June board of commissioners meeting when Ron Harper, Jr., a Rapho Township man, claimed he had unearthed evidence that Pfursich had misused her office as clerk of courts. Harper has worked both independently and with Pennsylvania Republicans as an opposition researcher and investigator of political officials.

Internally, the presence of personal and political documents on the clerk of courts network was first reported to human resources director Michelle Gallo and Democratic county Commissioner John Trescot in a March 31 memo written by Pfursich’s successor, Mary Anater. Trescot was notified, Anater said, because he is her office’s designated chief point of contact with the overall county board of commissioners.

Anater said employees in the office were aware of the files but did not immediately alert her to them until several months into her tenure, in March. “When staff concerns were finally raised with me, I reviewed the files, determined they were against county policy” and reported them, she said.

Pfursich said she was unaware during that period that the files, some which contained confidential information of legal clients, were accessible in a shared county computer network.

“In hindsight, I should have used a fresh, new thumb drive to avoid any accidental transfer of files,” Pfursich said. “However, I have never used county computers or county resources for political purposes.”

Pfursich provided LNP | LancasterOnline with an internal memo from the county IT director, Steven Clement, that shows he found it likely her transfer of personal files to the county’s network was accidental.

“The data in question was easily identifiable as being personal in nature, likely the result of an accidental thumb drive imprint, and not automatically deleted during the standard wiping of data upon prior employees’ transition from the position,” Clement said in an April 1 memo to the county’s top administrator, chief clerk Lawrence George who oversees the county’s various departments, including IT and human resources.

Per George’s direction, IT staff removed the files from the shared drive and forwarded them to the chief clerk for storage on a county drive tied to his office, he told LNP | LancasterOnline. Storing the files on a hard drive prevented anyone with access to the county network drive from accessing them.

But he took no additional steps to look further into the matter or refer it to someone else – whether an outside attorney or other investigative body – and George said he didn’t consider whether the existence of the files called for further inquiry.

“The first objective was to remove all the information that was believed accessible to someone it should not have been accessible to, and my initial thought wasn’t really, ‘Oh, is that going to taint any kind of investigation that may need to follow?’” George said.

Ethical considerations

Pfursich’s account of how the files wound up in the county network and the subsequent response by George and others raises questions about the county’s cybersecurity policies and protocols, as well as how it handles potential ethics matters involving elected officials.

Pat Christmas, policy director at the Philadelphia-based good government group Committee of Seventy, said it’s unclear, based on a description of the situation, whether the matter has ethics implications or indicates some kind of breakdown in the county’s HR protocols.

If this was simply a mistake by Pfursich, Christmas said, county officials may want to review the onboarding process for county employees.

“Maybe it needs to be sharpened up to avoid this sort of thing happening in the future, perhaps training around this, as well as for the folks who would administer such a policy,” he said.

The matter deserves further inquiry, Christmas said. The public deserves assurance its elected officials are staying above board, he said, especially in an era when faith and trust in government are at all-time lows.

“Even relatively minor infractions or potential violations can dent that trust, so that’s why, substantively, and with regard to perception, I think these issues matter,” Christmas said.

George called the situation over Pfursich’s files “unprecedented.”

“Thankfully, this does not come up very often. In fact, I’m not aware of any instance certainly in my career,” George said. But he acknowledged the county should have clearer procedures for similar situations.

In an email, Trescot, the Democratic commissioner, said he would support having a better defined trigger for reviewing potential ethics matters and making recommendations for action.

Republican commissioners Josh Parsons and Ray D’Agostino, who have political ties to Pfursich and voted for her appointment to solicitor in July 2021 over objections from the Democratic commissioner at the time, Craig Lehman, did not respond to the same questions.

Before being first elected as clerk of courts in 2015, Pfursich worked as assistant county solicitor.

Existing policy

Through an open records request, LNP | LancasterOnline obtained a copy of Lancaster County’s IT security policy. Last updated in June 2021, it does not expressly forbid users of the county system from using outside thumb drives or putting county documents onto a personal device, as Pfursich explained was her intention.

It does say that users “should store work documents and data on cloud-base storage, rather than on device hard drives or USB storage devices, as cloud-based storage provides better security than the alternatives.” They also need to ensure those storage devices are scanned for viruses before being used.

LNP | LancasterOnline obtained Lancaster County’s IT security policy through an open records request.

Other language in the policy appears to exempt elected officials from the policies hired employees have to follow. The policy language expressly states that it applies to “all persons with granted authorized access,” but an asterisked note says elected officials using the system “are responsible for their own actions.”

Trescot said the policy regarding elected officials relates to the fact that they’re not county employees. “The county government does not hire or fire elected officials,” he said.

Using official resources for campaign work can run afoul of Pennsylvania’s “theft of services” statute. But a prosecution under that statute would likely require proof of a persistent pattern of using county resources for non-official business.

George told LNP | LancasterOnline that his response followed county procedures, but it produced an unintended consequence of losing file data that could’ve been part of a deeper inquiry.

Clement, the county IT director, did not respond to a call or email regarding that policy and whether deleting the files from a shared drive eliminated the ability to do a deeper forensic analysis of how and when the personal files wound up on the county network.

An inability to review the history of computer activity by county officials would indicate major system deficiencies, said Daniel Castro of the Information Technology and Innovation Foundation, a Washington, D.C., think tank that focuses on cybersecurity and privacy issues.

IT systems have come to rely on “audit logs” to combat viruses and ransomware attacks, Castro said. The logs keep track of who accessed what file or program and when, and what they did with it, Castro said.

And to allow users to copy or transfer county documents to a device outside the IT system, or at all, was also questionable, Castro said.

“These are officials for whom chain of custody really matters – for documents, who has access to things, you want strong audit logs. This all just kind of suggests poor IT in general and IT security,” Castro said. “That is kind of troubling.”

Staff writer Carter Walker contributed to this story.

Displaced Motel 6 residents find lodging as emergency shelter closes

‘Like a nightmare:’ Ex-wife, former co-worker detail shock after arrest of David V. Sinopoli in Lindy Sue Biechler case

Locals hauling uncovered trash to LCSWMA facilities could face financial penalty

Next Post

Software grab bag: Six post-processing apps that can help you now

Sun Jul 24 , 2022
What are some software post-processing apps that can help you now? I’ll list a few of the ones I find the most useful. Hopefully they can help you too! Perspective Efex Perspective Efex in action, straightening a church. DxO’s Perspective Efex is part of the fantastic Nik Collection. The collection […]
Software grab bag: Six post-processing apps that can help you now

You May Like