After nearly a year of investigations, the resignation of a city manager and firing of an Information Technology director, no criminal charges are expected to be filed in Sarasota's email spying and deleting case.
"They're taking no criminal action," said Sylint's cyber security expert John Jorgensen about state law enforcement.
However, it doesn't mean there wasn't any wrongdoing—it just might not be worth it to file charges. After meeting with the state attorney's office and Florida Department of Law Enforcement, it appeared that the damages threshold and time and money spent to prosecute proved to be too much, Jorgensen said Monday during the City Commission meeting.
"One must understand in today's fiscal and financial climate that law enforcement has to pick and choose the cases they go after," Jorgensen said.
He'll leave it to law enforcement to address where they are at now. Jorgensen is not aware of the Federal Bureau of Investigations findings or desire to file charges.
In its newest report, Sylint revealed that fake accounts were created to access emails from the Sarasota Police Department, which was the basis of asking the city commission to have the FDLE and FBI to look into the matter.
A fake name with someone not in the IT Department was being used to perform searches, said Jorgensen. Managers are suppose to know who's searching for what and when given the sensitive files involved, he said.
"If you're using accounts that don't exist on people that don't exist in the IT Department, there's no way to trace that," he said.
The access wasn't into the network of the police systems itself, Jorgensen said, but instead just spying on email accounts.
The revelations started in December when cyber security firm Sylint revealed that there was unauthorized access to City of Sarasota emails that contained sensitive and personal information that is not open to public records and that the city's email, database and archive system had gone years without updates or upgrades, setting up a system for vulnerability to attacks and a way for emails to be permanently deleted.
Given that the Information Technology Department was under the direction of former City Manager Robert Bartolotta, the commission felt justified to ask for his resignation after a failed attempt to fire him in January. Just days later Chance Craig, director of the IT Department, was suspended and then fired in March.
The open-ended searches for sensitive information was ran by "certain members of the IT department" and were looking in high-level posts of the auditor and clerk's office, city attorney's office, people involved with a federal Department of Housing and Urban Development investigation plus two commissioners.
Commissioners Shannon Snyder and Paul Caragiulo's emails were also searched, Jorgensen added.
"I don't use it, so I got no idea what in the hell they were looking at," Snyder said.
The searches spying on Pamela Nadalini, city auditor and clerk, were not accidental, Jorgensen said.
"They were directed searches," he said.
Early on, Sylint found more than 100 emails on Barlotta's computer that were deleted from the Microsoft Outlook Exchange system that couldn't be found on the archive system and led Sylint to find the broken system that would have contributed to deleted emails from not being able to recovered.
Sylint was unable to prove Bartolotta did anything intentionally wrong and didn't interview him, and it's unknown whether state or federal investigators interviewed him, but no charges have been filed against anyone in this case.
One worker on personal leave and not tied to the investigation, Sandra Coleman, was found to have traces of the exempt emails that were irreversibly deleted and Sylint recommended to the city that Coleman and other employees sign a sworn statement they did not make copies of these files prior to the deletion of the emails.
The good news is that the city's email, data storage and back-up systems are functional, secure and working, according to Jorgensen, and a knowledgable IT director is in place. The bad news is that $1.3 million to $3 million of software upgrades were not used during a three to four year period and the city lost out on much of that money and contracted work, Jorgensen said.
A written report will be issued at the end of October, Jorgensen. Some of that information would have to be redacted for public view because of sensitive security information contained, he said.
Email Investigation Coverage:
- Sylint: City's IT Security Vulnerable To Attack
- City Fires IT Director During Investigation
- City OKs More Money to Investigate Systems
- What's Going on At City Hall?
- Did Briefing Violate Sunshine Law?
- Sarasota City Manager Resigns
- Vote to Oust City Manager Fails