According to documents from a city employee and his lawyer, he told supervisors last spring that San Diego was not adequately protecting its confidential data and had no way to track or disable a lost device.
(TNS) — A systems analyst for the city of San Diego says he is being discriminated against by his employer after he raised questions about how the city manages security for thousands of laptops, smartphones and other mobile devices, documents filed with the city show.
Wendell Richardson, an information technology analyst, said this week in an interview the continuing discrimination is threatening his recovery from multiple sclerosis.
City officials dispute his security warnings and declined to comment on his employment service.
According to documents Richardson and his lawyer sent to city officials, Richardson reported what he said are potential IT security threats last spring, telling supervisors that the city was not adequately protecting its confidential data and had no way to track — or disable — a lost device.
“This is a security breach,” he said in an interview. “Anything that has access to city data needs to be able to be tracked or disabled. That’s just common sense.”
City officials issued a statement Tuesday defending the way they safeguard confidential data.
“The city of San Diego takes the security of employee information very seriously and has many security measures in place to protect data,” it said. “The city has investigated Mr. Richardson’s data-protection claims and found no breach of employee data or privacy.”
Complicating the dispute over the city’s cybersecurity practices is Richardson’s employment status after a recent medical diagnosis.
Richardson, who was hired three years ago and was named Environmental Services department employee of the quarter in July, was diagnosed with multiple sclerosis last summer, according to the city’s reasonable accommodation medical documentation form.
He and his supervisors reached what’s called a reasonable accommodations agreement in September. Their mutually agreed upon plan spelled out terms for how Richardson would continue working for the city while managing his treatment, largely by working at home when he needed to, according to the form, which was signed in September.
Since then, Richardson said, his supervisors have not followed the agreement. In letters his attorney wrote the city in December and January, Richardson said his supervisors are not allowing him to work from home as needed and had added new duties to his job description, such as the requirement that he be able to lift up to 50 pounds.
He said the city stopped paying him last month, and now he worries about losing his health insurance.
City officials declined to discuss Richardson’s employment status, but they asserted in correspondence to him that Richardson failed to provide all of the medical records requested by the city, did not work as many four-hour shifts at City Hall as he agreed to and missed meetings, among other things.
Richardson, who is 36, said he disputes this and notes that the city’s response followed his reporting the alleged failure to comply with city regulations governing mobile devices.
Under Administrative Regulation 90.66, the city’s six-page mobile device security policy, devices that access the city email system or the internal network should have “remote wipe functionality” in case they are lost or stolen, among other protections.
The same policy requires users to immediately notify the IT service desk if a device is lost or stolen.
“This ensures that connectivity between the device and the city network can be terminated in a timely manner and that the device can be wiped remotely,” the policy states.
In an email obtained by The San Diego Union-Tribune, the city’s chief information security officer addresses those concerns in an email earlier this week, after he received a report that a city employee had lost a smartphone earlier this year.
“In this case, the lost device that you were concerned about was not immediately reported to the security team,” Darren Bennett wrote to Richardson.
“However, once the security team was made aware of the lost device, the team reviewed access attempts to the city network and determined there had been no access attempt since two days prior to the device being lost,” Bennett added. “The security team also locked the user account. There is no reason to believe that any data breach occurred.”
The chief cybersecurity officer told Richardson that the city “uses a variety of means to protect data, including following industry best practices and utilizing a layered security approach” to safeguarding data.
“Thank you for bringing your concerns to the city’s attention,” Bennett concluded. “We always welcome suggestions to improve and are constantly evolving the security of the city as threats change.”
Bennett declined to answer questions about city compliance with its mobile device security rules. City spokeswoman Katie Keach also declined to explain whether the city is capable of tracking lost smartphones or remotely disabling or wiping the devices, as called for in the regulations.
“The city follows best practices but we don’t disclose details of our security strategy and tools,” she wrote in a brief statement.
Keach said she was unable to respond to Richardson’s claim that his supervisors were not meeting terms of the reasonable-accommodations agreement due to employee confidentiality rules.
“In regard to Mr. Richardson’s other allegations, the city does not comment on personnel matters,” she wrote.
Richardson was placed on involuntary medical leave last month after supervisors said he did not appear at work or meet other terms of the agreement.
©2019 The San Diego Union-Tribune. Distributed by Tribune Content Agency, LLC.