The Fort Worth City Council was briefed on allegations of sweeping problems with IT security but did not make the information public, according to a council member.
Former IT manger William Birchett alleged in a lawsuit filed Wednesday that he was fired in February in retaliation for reporting to officials that the city’s cybersecurity had been severely compromised, including that more than $500,000 was stolen from the city and city employees’ medical and personal information was left accessible to anyone with internet access.
The lawsuit alleges Mayor Betsy Price and the City Council were aware of at least some of the breaches, but did not act publicly on them or inform individuals who were affected.
Councilman Dennis Shingleton, the mayor pro tem, said the council had been briefed on the allegations during executive session, which is not open to the public. He said he didn’t know why the matter wasn’t made public, but it’s not the practice of the council to discuss executive session matters publicly until the city legal staff clears it.
“If it’s discussed in executive session it’s meant for executive session until it can become public,” he said. “It wasn’t a surreptitious plan.”
Shingleton didn’t specify how many times the council was briefed or when.
Council members said Thursday that the city attorneys office told them to direct reporters’ questions to a statement released by the city. The statement said that the city took data security seriously and was prepared to defend itself against the allegations.
The lawsuit states Birchett reported his findings and a proposal to fix the issues to Kevin Gunn, the city’s acting chief financial officer, and Roger Wright, the city’s acting chief technology officer, but to no avail.
“Gunn and Wright rejected Birchett’s remediation proposal in part because the expense would have required approval from the City Council and would entail public disclosure of the deficiencies, bad public relations, and accountability questions as to how and why the City’s cybersecurity was 90% non-compliant,” the lawsuit alleges.
The lawsuit mentions the council and mayor saying the elected officials were “aware of the breaches and made the decision not to notify individuals affected by the breaches.” It also cites a Texas health and security code and a business code that require the city to “notify and disclose cybersecurity violations to all individuals whose data was actually or potentially compromised.”
Councilman Carlos Flores and councilwoman Ann Zadeh deferred questions to the city attorney’s office. Councilman Brian Byrd also said he was unaware of the lawsuit’s allegations. Council members Cary Moon, Jungus Jordan and Kelly Allen Gray did not immediately return messages. Councilwoman Gyna Bivens said she wouldn’t comment on matters involving litigation.
Mayor Price also did not return a call as of 1:30 p.m. but a city spokeswoman referred a reporter to a city statement.
City Attorney Sarah Fullenwider said the city had not yet been served with the lawsuit, but it was looking into the matter.
In 2017 the city was a victim of fraud when a vendor payment was redirected to a “bad actor,” the city’s statement said. An arrest has been made and more safeguards were put in place. The statement also said the city addressed employee concerns about the data system and an audit of the city’s FBI compliance was successful.