Board denies data security inquiry
Software in question has no evidence of breach
Concerns raised by a trustee regarding the security of township data and a call for an independent investigation were denied by the Macomb Township Board of Trustees on June 24.
Trustee Timothy Bussineau asked that an item be added to the agenda of the electronically held meeting. He requested a discussion and vote to hire an independent IT consulting firm to perform an audit of a computer program installed on the workstation of Clerk Kristi Pozzi.
Bussineau said that his request for the agenda item originated in concerns raised during the April 29 Loudermill hearing of HR Director/General Counsel Thomas Esordi.
Esordi was terminated from his job with the township by the majority vote of the board on Feb. 19. On April 29, a Loudermill hearing was held permitting Esordi to speak to his side of the employment termination matter. The board was evenly divided on whether or not to reinstate Esordi, which temporary legal counsel said meant he had the right to return to work.
Esordi filed a state whistleblower lawsuit in Macomb County Circuit Court on April 21, naming not only the township but Supervisor Janet Dunn and Pozzi as defendants. Dunn and Pozzi publicly denied claims listed in the lawsuit at the board’s April 22 meeting. On May 27, the board approved hiring outside legal counsel for employee matters, including but not limited to the whistleblower lawsuit.
Bussineau said that through emails and speaking with the township’s technical support services, BPI Information Systems, he understood that a software package called Auvik was installed on the clerk’s computer in 2018. He said that although he understood the program was not a virus or malware, he was concerned that the computer program allowed access to the township network, scanned ports seeking access, collected data and sent it to a company in Ontario, Canada and could have allowed sensitive information to be compromised.
“If that program, even if it had access to a port that had citizens credit card numbers on it, there is a report that has to be done under federal guidelines, that we are supposed to report that, that breach,” Bussineau said.
Bussineau said that BPI was informed that software was installed through the Fore-IT company. He said that a Google search indicated the company had an address of a Marysville, Mich. restaurant.
“There has been some inconsistent statements that I had to point out by BPI, but one thing that has been very consistent since October of 2018 is the inability to really actually pinpoint how this got installed on a workstation in our township,” Bussineau said.
Trustee Nancy Nevers spoke in favor of an investigation, and said that she was concerned the issue could be one of cybersecurity. Beth Case, the president of BPI, read portions of another email into the meeting record.
“As the township’s network administrator, we needed to know how the software was being used, who was using it and how it was installed,” Case said. “Although the software is not malicious, it required privileged township credentials to install. BPI does not work with Auvik. We did not install the software. Ultimately our investigation determined that the software did not create a threat.”
A representative of Fore-It also spoke during the meeting, and said that the software installed was noninvasive, adding its purpose was to do a discovery and understand the health of the IT and technology infrastructure in the township, but that no data ever came back.
Case said that Auvik is a network monitoring tool used to gather information about a network’s health and performance. Case confirmed there was no reason for concern regarding cybersecurity, no data breach and no jeopardization of credit card information.
“The Auvik software does not interact with corporate data. It only communicates with network devices. The original incident report from October of 2018 is attached for your review. Again, based on the initial investigation and the incident report, there was no reasonable concern that the network or its data were compromised,” Case said.
Pozzi said that she put the software on her computer, stating the BPI contract was up in 2018, and she had heard repeatedly that the company was “overcharging and underserving,” so she contacted someone in the IT industry who suggested the Auvik software.
“The software was suggested, it was suggested that it would allow me to verify the network’s health and performance, which is a large part of the contract. I did further research to ensure no data would be compromised and no breach of information,” Pozzi said. “I was doing my due diligence and researching if our IT company was performing the necessary maintenance per the contract prior to voting to extend a $189,000 contract. The software would suggest if there were improvements that needed to be made, if in fact IT was performing the maintenance required.”
Pozzi also said that the software did not work, due to BPI protection. Pozzi further said she was the employee who requested a ticket to have her computer checked, and that in 2018 Case had looked into the matter and found nothing alarming.
“So I’m pretty sure if I was maliciously putting something on my computer, I would not have been the employee that asked for IT to come and fix my computer with it on there,” Pozzi said.
In addition, Pozzi said nothing regarding voter information can be jeopardized as that software is maintained by the state.
Case confirmed that in 2018 she had met with Dunn and Esordi regarding the incident report and provided information to an independent cybersecurity company for evaluation. No different information was received from this company, Case confirmed.
Bussineau said that information provided by Case was “inconsistent from emails that she sent in 2018.” Case went on to say she disagreed and had assured him during a recent discussion that “things worked the way they were supposed to, that there was no danger of any voter registration information.” Bussineau said that this was due to state security software shutting the program down, which Pozzi said was incorrect. Case said that there could have been several reasons.
Dunn made the motion to deny Bussineau’s request for an investigation, which was seconded by Trustee Charles Oliver. Dunn, Oliver, Pozzi and Trustee Kathy Smith voted for the motion, while Bussineau, Nevers and Treasurer Karen Goodhue voted no.
“It happened two years ago and nothing has been corrupted in that two years. Number two, the three top officials run the day-to-day operations and trustees oversee it, but not two years later. Number three, it is an unneeded expense, and I don’t even know what it’s going to cost,” Dunn said.
Also on June 24, the board:
• Approved awarding the master plan update planning services contract to Carlisle Wortman and Associates of Ann Arbor in the amount of $118,050.
• Approved a change order for the township’s new public safety building in the amount of $17,155.45.