In Re: Robert L. Maley, Respondent
File Docket: 10-020
X-ref: Order No. 1594
Date Decided: 9/27/11
Date Mailed: 10/12/11

Before: Louis W. Fryman, Chair
John J. Bolger, Vice Chair
Donald M. McCurdy
Raquel K. Bergen
Nicholas A. Colafella
Mark Volk

This is a final adjudication of the State Ethics Commission.

Procedurally, the Investigative Division of the State Ethics Commission conducted an investigation regarding possible violation(s) of the Public Official and Employee Ethics Act (“Ethics Act”), 65 Pa.C.S. § 1101 et seq., by the above-named Respondent. At the commencement of its investigation, the Investigative Division served upon Respondent written notice of the specific allegation(s). Upon completion of its investigation, the Investigative Division issued and served upon Respondent a Findings Report identified as an “Investigative Complaint.” An Answer was not filed and a hearing was deemed waived. A Stipulation of Findings and a Consent Agreement were subsequently submitted by the parties to the Commission for consideration. The Stipulated Findings are set forth as the Findings in this Order. The Consent Agreement has been approved.

I. ALLEGATIONS:

That Robert L. Maley, a public official/public employee in his capacity as the Chief Information Security Officer for the Office for Information Technology, Office of Administration, violated Sections 1103(a) and 1105(b) of the State Ethics Act (Act 93 of 1998), 65 Pa.C.S.
§§ 1103(a) and 1105(b), when he accepted gifts and payments for expenses for transportation, lodging and/or hospitality from vendors he recommended and/or approved for contracts with the Commonwealth; when he utilized Commonwealth of Pennsylvania computers for his personal use; when he failed to file a Statement of Financial Interests for the 2006, 2009 and 2010 calendar years; when he failed to disclose on Statements of Financial Interests filed for the 2008 calendar year, name and address and sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; when he failed to disclose on Statements of Financial Interests filed for the 2007 and 2008 calendar years, his office, directorship or employment in Susquehanna Digital Forensics, a company in which he is listed as owner and when he failed to disclose creditors in excess of $6,500; and when he failed to disclose his financial interest in Susquehanna Digital Forensics on Statements of Financial Interests filed for the 2007 and 2008 calendar years; and when after being terminated by the Commonwealth he received payments from a Commonwealth vendor, that he in his public position had recommended to receive State contracts, to promote that same vendor’s product(s).

II. FINDINGS:

1. Robert Maley was employed by the Commonwealth of Pennsylvania as the Chief Information Security Officer (“CISO”) with the Office of Administration (“OA”) for the Office of Information Technology (“OIT”) from November 2005 until March 8, 2010.
   a. Maley was removed as the CISO effective the start of business on March 8, 2010.
   b. When Maley was appointed as the CISO in November 2005, it was a newly created position.

2. As the CISO, Maley’s duties included, but were not limited to:
   a.
Managing aspects of IT Security planning, policies and standards creation/enforcement including the implementation of event monitoring to ensure compliancy of acceptable use policies for all enterprise, domain, network, applications and system administrators including contractors.
   b. Developing Business Intelligence Security Reports with recommendations to keep senior level managers informed.
   c. Reviewing all draft standards and policies to make sure that all security requirements are met.
   d. Leading selected Enterprise Architecture Standards Committee work groups as assigned by the Enterprise Architect and report recommendations.
   e. Developing and documenting security standards, objectives, policies, process and procedures, and roles and responsibilities to support the enterprise infrastructure.
   f. Establishing performance measurement standards and evaluating the performance of subordinate employees.
   g. Supervising staff and delegating/monitoring work assigned to subordinates.
   h. Planning and managing project budgets.

3. As the CISO, Maley was responsible for setting the security strategies for the Commonwealth of Pennsylvania.
   a. The strategies included risk assessment, compliance, enforcing compliance, security planning and governance, selecting product standards and controlling risks.

4. Maley managed the information technology budget that included the integrated enterprise system.

5. Maley participated in a process of OIT known as the Enterprise Information Standard Selection Process.
   a. Maley evaluated and scored vendors’ software packages.
   b. The vendor whose software scored the highest would be identified as a standard and it was to be used by other state agencies.

6. Maley, as the CISO, identified and recommended products and software from vendors that would be used by the Commonwealth of Pennsylvania.

7.
Purchases of computer software with estimated costs of less than $50,000 were made based on Maley’s authorization and/or recommendation.
   a. No formal selection process was utilized.
   b. The Pennsylvania Procurement Code and the Master Information Technology Services Invitation to Quality (“ITQ”) Contract authorized purchases be made from this contract for items less than $50,000 without seeking competitive bids.

8. During Maley’s tenure as the CISO, he developed close relationships with vendors doing business with the Commonwealth of Pennsylvania.
   a. Vendors Maley developed personal relationships with included Core Security Technologies, BitArmor, McAfee, Inc. and Guidance Software, Inc.
   b. Maley formed these relationships as a result of his public position as CISO, which included meeting with vendors to review proposals and evaluate products.

9. Maley authorized purchases from vendors he developed relationships with through ASAP Software Express.
   a. In or around 2003, the Commonwealth of Pennsylvania acting through the Department of General Services entered into an agreement with ASAP Software Express, Inc., part of Dell Marketing LP, for the procurement of software and maintenance and other support services.
      1. The agreement provided that all Commonwealth agencies as defined by Section 103 of the Commonwealth Procurement Code could use the agreement.
   b. Commonwealth agencies issued purchase orders against the agreement and it was ASAP’s responsibility to insure delivery of the product.
   c. Change orders and updates were made to the agreement through June 30, 2010.

10. In or about 2003, the Commonwealth also established Enterprise Architecture, which is responsible for developing information technology standards for the Commonwealth.
   a. Standards were developed through the Enterprise Information Standards Selection Process (“EISSP”).
   b.
A committee consisting of officials/employees of OIT and officials from various state agencies comprised the team that set standards.
   c. This team evaluated and scored the software and hardware of vendors being considered for information technology contracts with the Commonwealth.
      1. Vendors’ products scoring the highest would be selected as the standard that was to be used by other Commonwealth agencies when purchasing hardware and software.
   d. After a vendor is selected for having products set as standard by the EISSP, the Department of General Services (“DGS”) would negotiate costs of products for all state agencies.

11. Maley in his capacity as CISO participated in the EISSP.
   a. Maley participated in the EISSP and was part of the team that established Core Security Technologies as a standard.

12. Core Security Technologies is a Boston, Massachusetts, based company specializing in software for security consulting and training regarding security issues.
   a. Core Security has been in business since about 1996.
   b. Core Security markets software known as Core Impact that provides continuous, on-demand automated security testing solutions.
   c. The software can pinpoint exploitable web applications, networks, endpoints and end users and offer solution[s] of where and how security attacks can access most important information.

13. Maley first became acquainted with Core Security and [its] products while attending a RSA Conference in San Jose, California, in or around 2006.
   a. Maley attended the conference in his official capacity.

14. As part of the Commonwealth of Pennsylvania’s agreement with ASAP, Maley, as the CISO, directed ASAP to make purchases of software from Core Security Technologies.
   a. The software Maley was purchasing from Core Security was Core Impact.
   b. The purchases Maley authorized from Core Security were not competitively bid.
      1. Maley participated in actions as a member of EISSP, which established Core Security as the standard.
15. Maley, as the CISO, first began purchasing Core Impact from Core Security on April 7, 2006.
   a. Maley renewed Core Impact software annually through 2009.

16. Beginning in or about October 2008 while Maley was purchasing software from Core Security for the Commonwealth, Core Security invited him to attend an all-expense-paid conference.
   a. Core Security officials invited Maley to appear at the conference and speak on behalf of Core Security’s Core Impact software.

17. Between October 20, 2008, and November 6, 2008, Maley engaged in a series of emails with Melissa England, Core Security Marketing Specialist, regarding Maley appearing as a speaker on behalf of Core Security. The text of the emails reflects the following:

   a. October 20, 2008, 2:04 p.m. England to Maley:

      Hello Bob,
      I hope all is well. My colleague, Selena Proctor, mentioned that she spoke with you at the CyberSec Conferences in PA last week. I understand you saved a large amount of money using Core and had great things to say about our product. I’m currently working on submissions for the 2009 RSA Conference April 20-24. I am putting together a Panel discussion for submission, War Stories – Lessons Learned track. Of course if the submission is selected, Core would pay for all expenses/travel in exchange for your singing our praises during a panel discussion. Please let me know when you get a chance.
      Thanks,
      Melissa

   b. October 20, 2008, 2:48 p.m. Maley to England:

      I would love to sit on a panel like that. I have tons of war stories.

   c. October 27, 2008, 10:19 a.m. England to Maley:

      Hi Bob,
      I hope you had a great weekend. Could you send over a Bio no more than 800 characters that I could submit to RSA?
      Much appreciated,
      Melissa

   d. October 27, 2008, 10:38 a.m. Maley to England:

      No commentary. Biography of Maley sent as an attachment.

   e. October 31, 2008, 4:31 p.m. England to Maley:

      Hi Bob,
      Happy Halloween! I’m looking into getting you some speaking opportunities for 2009.
I will be sending over your Bio and information relative to the recent RSA Submission we did. However, I have been asked for a webcast (or something comparable) in order for some to hear your speaking capabilities. Not that they could be anything short of amazing. If you have anything of that sort that I would be able to share, I would really appreciate it. Thanks again and talk to you soon.
      Best Regards,
      Melissa

   f. November 4, 2008, at 11:42 a.m. England to Maley:

      Hello again Bob,
      I hope all is well. Sorry if it seems that I have been clogging your inbox recently. We are tampering with the idea of becoming a Gold Sponsor at CSO magazine’s Application Security Series in 2009. There are two shows…one in NYC on 1/29 and another on 2/25 in San Francisco. Along with the Gold Sponsorship, an Executive Briefing is given by a customer of our choice. An abstract (similar to one we submitted for RSA) will be advertised and featured in their agenda and CSOs will have the opportunity to join in and listen to your story. Our participation isn’t definite at this point, but I wanted to gauge your interest of participation. Of course, the trip is all expenses paid on us.
      Look forward to hearing from you,
      Melissa

   g. November 6, 2008, 3:39 p.m. Maley to England:

      I actually did a keynote for the Virtual NAC Conference in April, but it’s no longer online. Your PR folks set it up.

   h. November 6, 2008, 4:12 p.m. Maley to England:

      Found it. http://informationweek.veplatform.com/ You have to register, then on demand content.

   i. All of the above emails were either sent from or received at Maley’s Commonwealth email address.

18. At the time in 2008 when Maley agreed to be a speaker on behalf of Core Security, then Governor Edward Rendell imposed a ban on out-of-state travel for state employees under the Governor’s jurisdiction.
   a. Any out-of-state travel required the approval of the employee’s supervisors.
   b.
Maley’s supervisors included Brenda Orth, Deputy Secretary for OIT and Tony Encinias, Chief Technology Officer.

19. In January 2009, Maley attended a Corporate Security Officer (“CSO”) Conference in New York City.
   a. All of Maley’s expenses were paid by Core Security.
   b. Maley utilized vacation leave for his travel.

20. Expenses paid on Maley’s behalf by Core Security included the following:

   Date         Item              Description             Amount
   12/17/2008   Airfare           Continental Airlines    $579.00
   1/30/2009    Lodging           Roosevelt Hotel         $274.29
   1/28/2009    Taxi to Hotel     Expenses for Speaking   $60.00
   1/28/2009    Tolls             Expenses for Speaking   $14.00
   1/29/2009    Taxi to Airport   Expenses for Speaking   $90.00
                                                          $1,017.29

   a. Maley’s expenses for airfare and hotel were charged to the corporate credit card of Melissa England, Core Security Marketing Specialist.

21. Maley did not seek or obtain authorization from the Commonwealth to appear as a speaker.
   a. Maley did not discuss his attendance at the conference with either Encinias or Orth, his immediate supervisors.
   b. Maley spoke as the CISO regarding his office’s experiences with Core Impact.

22. In April 2009, Core Security invoiced the Commonwealth for Core Impact software in the amount of $25,935.00. The invoice directed to the attention of Bob Maley included the following:

   Date        Invoice #   Description                                                                  Amount
   4/20/2009   0409-1024   Core Impact 1 Machine License for 1 Year, License dates 4/23/09 – 4/23/10   $25,935.00

   a. Purchase Order #914609 was prepared by the Commonwealth of Pennsylvania on April 20, 2009, in the amount of $25,935.00.
   b. Commonwealth check #1018422 was issued to Core Security on May 29, 2009, in the amount of $25,935.00.

23. In April 2009, at or about the time Core Security was billing the Commonwealth of Pennsylvania for Core Impact based on the recommendation of Robert Maley, Core Security also paid for Maley’s expenses to attend the RSA Conference in San Francisco, California.

24.
Maley never advised his superiors he was attending the conference or that his expenses to attend the conference were being paid by a Commonwealth vendor.
   a. Maley utilized annual leave to attend the Conference.

25. In preparation for the 2009 RSA Conference, Core Security issued a press release identifying Maley as a presenter, which contained the following:

      Boston, MA, April 13, 2009 --- Core Security Technologies, provider of the Core Impact, Family of comprehensive enterprise security testing solutions, today announced that customer Robert Maley, Chief Information Security Officer, Commonwealth of Pennsylvania, will present at RSA 2009 on the topic of “Lessons Learned: Defending Citizen Data: Proactively preventing Government breaches” with David Stender, associate chief information security officer for cyber security, CISO, Internal Revenue Service. Maley will also participate in a panel discussion on “Lessons Learned: The Front Lines: Achieving Greater Cyber Security in the states.”

      What: “Lessons Learned: Defending Citizen Data: Proactively Preventing Government Breaches.”

   a. Maley never requested any approval from OA to be a presenter on behalf of Core Security or to attend the conference in his capacity as the CISO.
   b. Maley used annual leave to attend this conference because it was not an approved Commonwealth travel event.

26. Core Security paid the following expenses for Maley’s travel to appear as a speaker at the 2009 RSA Conference:

   Date        Description                Amount
   4/03/2009   Airfare                    $358.40
   4/21/2009   Extra Baggage fee          $15.00
   4/21/2009   Extra Baggage fee          $15.00
   4/22/2009   Cab Charges                $38.00
   4/24/2009   Hotel fees - JW Marriott   $1,035.76
   4/24/2009   Cab Charges                $14.00
   4/24/2009   Cab Charges                $45.00
   Total                                  $1,521.16*

   * [Cf., Fact Finding 70 b.]

   a. Maley’s airfare was prepaid by Core Security via the corporate credit card of Melissa England.

27.
Core Security only paid for Maley’s expenses to attend the conference because he was a customer and user of [its] product, Core Impact, and was promoting Core Impact.
   a. Maley was only able to comment about Core Impact because of his position as the CISO for the Commonwealth of Pennsylvania.

28. In 2009 Core Security also paid expenses for Maley to attend a technical security conference, the “Black Hat Technical Security Conference,” held in Las Vegas, Nevada, from July 28, 2009, through July 31, 2009.
   a. Maley’s expenses were paid by Core Security because he was speaking on behalf of Core Impact software.

29. Maley engaged in a series of emails with Core Security employees from June 25, 2009, to July 13, 2009, regarding his attendance at the Black Hat Conference.

   June 25, 2009, 3:56 p.m. Maley to Selena Proctor, cc: Mike Yaffe:

      Window seats if available, aisle seats ok. (Airline schedule attached.)

   June 25, 2009, 4:27 p.m. Yaffe to Maley, Proctor:

      Selena is all over this…

   June 25, 2009, 4:29 p.m. Proctor to Maley and Yaffe:

      Yep, I got it. You will get the confirmation shortly.

   July 13, 2009, 2:23 p.m. Maley to Yaffe:

      Do I get a hotel confirmation? And, thought you might be interested in this: http://mag1.olivesoftware.com/ActiveMagazine/welcome/SCM/007_ESET_SC_0709.asp

   July 13, 2009, 2:27 p.m. Yaffe to Maley:

      AAAHHHH!!!! Fantastic!!!!! ;-) As for confirmation, selena, got one…?

   July 13, 2009, 2:30 p.m. Proctor to Maley and Yaffe:

      Hello Bob,
      Sure: Confirmation number: 3VRZF
      Thanks,
      Selena

   July 13, 2009, 2:41 p.m. Maley to Proctor:

      The reservation has an arrival time of 6 PM. I was going to get in there at 10:30 AM so I can make the Core meeting. Can you make sure a room will be ready?
      Bob

   July 13, 2009, 2:42 p.m. Proctor to Maley:

      Hey Bob,
      Spoke to Caesars about that already. They told me that you should have no problem checking in at 10:30 AM & that there was a note in the system to have your room ready.
I will also call the day before to confirm.
      Thanks,
      Selena

   July 13, 2009, 2:42 p.m. Maley to Proctor:

      Outstanding!!!!! Thank you!

   (All of the emails were either sent from or received at Maley’s Commonwealth email address.)

30. The following expenses incurred by Maley to attend the “Black Hat Security Conference” were paid for by Core Security as shown below:

   Date        Description                            Amount
   6/23/2009   Airfare/Delta Airlines                 $595.90
   7/28/2009   Taxi                                   $20.00
   7/30/2009   Taxi                                   $10.00
   7/30/2009   Lunch                                  $2.95
   7/31/2009   Lunch                                  $8.04
   7/31/2009   Dinner                                 $4.51
   7/31/2009   Baggage Fee                            $15.00
   7/31/2009   Taxi                                   $20.00
   7/31/2009   Transportation Home/Canceled Flight    $166.00
   7/31/2009   Hotel - Caesars Palace                 $592.80
   Total                                              $1,435.20*

   * [Cf., Fact Finding 70 b.]

   a. Maley checked in to Caesars Palace on July 28, 2009, and checked out on July 31, 2009.
      1. A balance of $419.20 due at checkout included a deposit of $173.60 made by Core Security on July 28, 2009.
      2. The total hotel bill was $592.80.
   b. Maley emailed a listing of expenses to Melissa England at Core Security on August 10, 2009.
   c. Maley’s airfare was charged to the corporate credit card of Melissa England.

31. In or about September 2009, Core Security nominated Maley for the Information Security Executive (“ISE”) of the Year Award.
   a. An event to present the award was scheduled for October 27, 2009, in Washington, D.C.
   b. The event was held at the Gaylord National Resort.
   c. Maley was the winner for the Government Category, Safeguarding Citizen Data.

32. Maley’s expenses for attending the event were paid by Core Security.

33. On October 15, 2009, at 9:42 a.m. Selena Proctor, Core Security Marketing, authored an email to Maley at his Commonwealth email address regarding Maley’s travel and hotel arrangements.
   a. Hey Bob, I just spoke w/Mike about the ISE awards & he mentioned booking the hotel for you. What nights are you staying in DC for?
   b. The email was sent to Maley’s Commonwealth email address.
   c.
Maley responded on October 16, 2009, at 11:32 a.m. as follows: You guys are coming in Tues AM and staying Tues night? Think I will do the same.

34. Maley submitted his ISE expenses to Selena Proctor via his Commonwealth email address on November 10, 2009.
   a. In addition to hotel expenses, Maley noted that he drove 256 miles in relation to the event.

35. Core Security paid the following expenses for Maley’s attendance at the ISE Awards Dinner:

   Date         Description                       Amount
   10/27/2009   Resort Fee                        $15.90
   10/27/2009   Valet parking                     $28.00
   10/27/2009   Room Charge - Gaylord National    $279.00
   10/27/2009   Tax                               $44.64
                Credit                            ($0.01)
   Total                                          $367.53

   a. Mileage was not included as part of this expense reimbursement.
   b. Maley believes he utilized vacation leave to attend, however, Commonwealth leave records are inconsistent with his assertion.

36. Maley never advised his supervisors at the Office of Administration that Core Security nominated him for an award or that he would be traveling to Washington, D.C. to accept the award.

37. In or about October 2009, Maley entered into a Mutual Non-Disclosure Agreement with Core Security.
   a. The NDA became an issue in October 2009 due to Maley’s scheduled participation in a November 5, 2009, conference call with Core Security when a new product would be discussed.

38. Maley’s lack of a NDA with Core Security was the subject of an October 15, 2009, email from Kim Legelis, V.P. Marketing, Core Security to Maley:

      Hi Bob,
      It’s occurred to me that in all our work together, we don’t have an NDA on file. Milan would like to give you a sneak-peek into the Enterprise product on the Nov 5 CAB call, but we need an NDA executed beforehand. I attached it for your convenience. Could you sign it so we can have it on file? Thanks.

39. Maley signed a Non-Disclosure Agreement (NDA) with Core Security on October 15, 2009.
   a. The agreement was between Core Security and Robert Maley identified as “Company” and/or the “Undersigned.”
   b.
The NDA also provided as follows: In order for CORE and Company and/or Undersigned to evaluate or enter into a contemplated business relationship, each party (a “Disclosure”) may disclose to the other party (a “Recipient”) certain Confidential Information (as defined below).

40. On October 30, 2009, Tony Encinias, Chief Technology Officer, became aware that Maley had attended the ISE Awards Dinner on October 27, 2009.
   a. Encinias was Maley’s immediate supervisor.
   b. Encinias discussed Maley’s travel to accept the award with Brenda Orth.

41. Based on communications between Encinias and Brenda Orth, Encinias sent the following email to Maley on October 30, 2009, 2:00 p.m. that provided as follows:

      Bob,
      No more conferences, speaking engagements, personal award submissions, etc. until further notice.
      Tony

42. Maley continued as a speaker at conferences on behalf of Core Security, ignoring the directive from Encinias.

43. Maley attended the 2010 RSA Conference in San Francisco from February 28, 2010, through March 5, 2010.
   a. Maley was invited to attend the conference by Core Security officials/employees.
   b. Maley was invited to speak at the conference on behalf of Core Security products.
   c. Maley utilized vacation leave from March 1st through and including March 5th, in regards to his travel.

44. All of Maley’s travel plans were arranged by Core Security staff.
   a. Maley and Core Security communicated via email between January 8, 2010, and February 16, 2010, regarding reservations for airfare, hotel and conference registration.
   b. Maley’s expenses in regard to this event were to be paid by Core Security.

45. Emails regarding Maley’s travel plans document the following:

   January 8, 2010, 4:30 p.m. Mike Yaffe to Selena Proctor, Alyssa Furnari:

      Ladies,
      Would you be able to make plane and hotel reservations at RSA for bob?
      Mike

   January 8, 2010, 4:31 p.m. Selena Proctor to Maley:

      Hey Bob,
      Hope you are well. What’s the date of your talk?
Or, better yet, when do you want to fly in and out?
      Thanks,
      Selena

   January 11, 2010, 10:12 a.m. Maley to Proctor:

      Morning! You around for a phone call?

   January 12, 2010, 2:11 p.m. Maley to Proctor:

      You around this afternoon? I need your number.

   January 13, 2010, 1:28 p.m. Maley to Proctor:

      Subject: Requested flights
      Flight schedules for 2/28/2010 flying from Harrisburg to San Francisco and 3/05/2010 return trip from San Francisco to Harrisburg attached.

   January 14, 2010, 9:14 a.m. Proctor to Maley:

      Ok I’ll see what I can do. Hopefully we will have this all wrapped up next Tuesday.

   January 20, 2010, 11:43 a.m. Maley to Proctor:

      How are we doing on the travel?

   January 20, 2010, 11:45 a.m. Proctor to Maley:

      Hey Bob,
      I do have an answer. Most of our events will be on Wednesday, so your flights will be perfect. I’ll book them now.
      Thanks,
      Selena

   January 20, 2010, 11:56 a.m. Proctor to Maley:

      Yep, Sunday – Friday

   January 20, 2010, 12:22 p.m. Proctor to Maley:

      Hey Bob,
      Below is your conformation (sic) for flights. Let me know if you have any questions.
      Thanks,
      Selena

   February 16, 2010, 10:38 a.m. Maley to Proctor:

      Selena,
      Do you have the hotel reservation confirmation yet?
      Bob

   February 16, 2010, 10:41 a.m. Proctor to Maley:

      Sure do. Below.
      Thanks,
      Selena
      (Reservations for Westin San Francisco Market Street attached)

   (All of the emails either emanated from or were sent to Maley’s Commonwealth email address.)

46. In addition to making hotel and airfare reservations for Maley, Core Security made and paid for conference reservation for Maley.
   a. On February 11, 2010, 4:05 p.m. Proctor notified Maley by email that his conference registration for 2010 SC Awards U.S. was made and the fee of $395.00 was paid on his behalf.

47. On Saturday, February 27, 2010, less than twelve hours prior to departing for San Francisco, Maley sent an email to Encinias stating that he would be taking vacation during the upcoming week.
   a.
The email did not state that Maley was traveling to San Francisco to appear as a speaker at a conference on behalf of Core Security.

48. Maley’s Saturday, February 27, 2010, at 7:51 p.m. email to Encinias included the following:

      Tony,
      I will be on vacation this coming week.
      Bob

49. Maley never sought Encinias’ approval nor did he advise him that he was traveling to the RSA Conference in his capacity as the CISO.

50. Maley attended the 2010 RSA Conference in San Francisco from February 28, 2010, through March 5, 2010.
   a. Maley was a speaker at the conference and was identified as the CISO from the Commonwealth of Pennsylvania.
   b. Maley promoted Core Impact to other potential customers for Core Security.

51. Core Security paid the following expenses for Maley’s attendance at the 2010 RSA Conference:
   a. Maley forwarded his expenses via email to Selena Proctor on March 11, 2010.

   Date        Description                     Amount
   2/28/2010   Hotel Expenses - Westin         $1,875.90
   2/28/2010   Air Fare - United Air Lines     $340.80
   3/2/2010    Registration - Conference       $395.00
   2/28/2010   Cab Fare                        $45.00
   3/1/2010    Dinner - Westin                 $12.00
   3/1/2010    Dinner - Westin                 $12.00
   3/2/2010    SC Awards - Westin              $11.00
   3/2/2010    SC Awards - Westin              $11.00
   3/3/2010    CSO Dinner - Westin             $16.00
   3/3/2010    CSO Dinner - McAfee Party       $16.00
   3/3/2010    McAfee Party - Westin           $5.00
   3/4/2010    Lunch - Westin                  $16.00
   3/4/2010    Lunch - Moscone                 $16.00
   3/5/2010    Cab Fare                        $37.00
   2/28/2010   Misc. food                      $3.66
   3/2/2010    Misc. food                      $8.50
   3/5/2010    Misc. food                      $3.66
   3/5/2010    Hotel Internet/Room Service     $182.86
   2/28/2010   Baggage fee                     $25.00
   3/5/2010    Baggage fee                     $25.00
   Total                                       $3,057.38

52. Core Security paid Maley’s expenses to attend the RSA Conference as a result of Maley agreeing to speak at the conference about the benefits of using Core Impact.

53.
At or about the time that Maley’s expenses were being paid by Core Security to attend the RSA Conference, Maley was recommending and requesting that OA purchase another Core Impact license for the Commonwealth of Pennsylvania.
   a. Maley was involved with Mike Hurley, Customer Account Manager and Mike Yaffe between February 10, 2010, and February 11, 2010, to arrange for the purchase of an additional Core Impact license.
   b. No individuals from OIT other than Maley requested that another license be purchased from Core Security.

54. The following reflects the email exchanges between Maley and Hurley, which were copied to Yaffe:

   February 10, 2010, 12:13 p.m. Hurley to Maley:

      Hi Bob,
      Hope all is well. While I haven’t had any luck getting a hold of you these past few months, I see you have been updating version 10 which is great news. That said, I’m attaching a renewal quote for your review. With your current license due to expire April 23rd, this should give you plenty of time for any approvals and processing. Also, I included a line item for advance onsite training. This is obviously optional but a great way to ensure your team is taking full advantage of IMPACT’s full functionality. When you get a chance, please let me know your intentions moving forward.
      Best Regards,
      Mike
      Michael J. Hurley
      Customer Account Manager

   February 11, 2010, 12:46 p.m. Maley to Hurley with cc to Yaffe:

      Mike,
      Can you get me a quote for a 2nd license of Core Impact?

   February 11, 2010, 1:25 p.m. Hurley to Maley:

      Bob,
      That’s great news! As requested, please find attached a revised quote for a 2 machine license. Let me know if you have any questions. Otherwise, I’ll let Mr. Yaffe handle any extracurricular activities.
      Best Regards,
      Mike

   February 11, 2010, 1:26 p.m. Maley to Hurley with cc to Yaffe:

      Mike,
      We need the renewals to come through ASAP, as we did the original purchase.
      Bob

55.
Maley subsequently authorized the purchase from Core Security for (2) Core Impact licenses and training.

56. Core Security invoiced the Commonwealth on or about March 3, 2010, for the order placed by Maley.
   a. Invoice # 0310-1004 dated March 3, 2010, identified the additional Core Impact License shipped to the Commonwealth of Pennsylvania to the attention of Bob Maley:

   Description                                                                      Amount
   Core Impact: 1 Machine License for 1 year, License Dates: 4/23/10 - 4/23/11     $25,935.00
   Core Impact: 1 Machine License for 1 year, License Dates: 4/23/10 - 4/23/11     $20,748.00
   Training Classes: Dates TBD                                                      $6,500.00
   Total                                                                            $53,183.00

57. In or about March 6, 2010, Maley’s supervisors subsequently became aware of Maley’s attendance at and participation in the 2010 RSA Conference.
   a. Maley’s attendance at conferences without authorization and his presentations on behalf of Core Security without review and approval by the Chief Technology Officer and Chief of Staff for the Secretary of Administration became the subject of review and disciplinary action by the Commonwealth.

58. On March 8, 2010, Maley was officially notified by David Seitz, Director of Human Resources for Naomi Wyatt, Secretary of Administration that Maley was being removed from his position as CISO.
   a. Maley’s dismissal was based in part on his use of leave in violation of established Commonwealth procedures.

59. After Maley was terminated as the CISO on March 8, 2010, OIT did not complete the purchase from Core Security to Invoice # 0310-1004.
   a. OIT Officials believed it was unnecessary to purchase a second license from Core Security.

(The following findings relate to Maley’s receipt of payments from Core Security for appearing on behalf of Core Security at conferences following his termination from Commonwealth employment.)

60.
After Maley was terminated from his position as CISO for the Commonwealth of Pennsylvania, he was paid by Core Security to be a speaker on [its] behalf at technology conferences.
  a. The payments were in addition to travel expenses and meals.

61. Maley was paid as a speaker by Core Security to promote Core Impact based on his use of the product as the CISO for the Commonwealth of Pennsylvania.
  a. Maley’s knowledge and experience with Core Impact was solely through his position as CISO for the Commonwealth of Pennsylvania.

62. Maley received payments totaling $5,000 for speaking at conferences on behalf of Core Security and Core Impact.
  a. Maley appeared at conferences in April 2010, approximately one month after his termination as CISO, and again in June 2010.
    1. Maley spoke at the CSO Perspectives Conference in Santa Clara, California, from April 5, 2010, to April 7, 2010.

63. Maley was first solicited by a Core Security marketing manager to speak at the April 5-7, 2010, CSO Perspectives Conference while he was still employed as CISO.
  a. Selena Proctor, Core Security Marketing Programs Manager, forwarded an email to Maley on February 22, 2010, at 3:43 p.m., which provided as follows:

Hey Bob,
Hope you are gearing up for next week’s trip ? I have another event coming up in California that we would love to have you speak at if you are available. The event is the CSO Perspectives event (you attended last year), but this year it is in Santa Clara, CA. We have the opportunity to have an executive on a panel discussion. This panel would be Wednesday, April 7th at 9:15 AM. We also have a half hour speaking slot on Tuesday afternoon at 2:45 PM. Here is a link to the event.
http://www.csoperspectives.com/ehome/index.php?eventid=8109&discountcode=website
As always, I’d be happy to cover your event costs for your travel and stay. Would you like to attend & speak?
Thanks,
Selena Proctor
Marketing Programs Manager
Core Security Technologies
41 Farnsworth St.
Boston, MA 02210

  b. Ten days prior to this solicitation, Maley, as CISO, solicited a quote from Core Security for a second Core Impact license.
  c. Proctor sent a second email to Maley on February 23, 2010, at 4:21 p.m. regarding the CSO event:

Hey Bob,
Below is a reminder/details about the awards dinner. Also, regarding my earlier email about the CSO event, Mike can answer any questions you have about it next week in San Fran. Hope you have a good trip.
Thanks,
Selena

64. The CSO conference agenda identified Maley as CISO (former) Commonwealth of Pennsylvania.
  a. Maley’s topic was Changing the Culture of Application Security.
  b. It was noted in the agenda that Maley was sponsored by Core Security Technologies.

65. Maley’s presentation focused on the following:
  Commonwealth of PA Profile – Key aspects and facts
  Office for Information Security role
  Commonwealth’s responsibilities
  The Past state in the Enterprise
  Outline of problems we had to tackle
  Project description
  Project goals
  Key components of the Project
  How we solved the problems
  Challenges we faced
  Project Results – Qualitative/Quantitative
  Lessons learned
  Recap

66. Examples used in Maley’s presentation were security breaches in the Departments of Labor and Industry, Veterans’ Affairs and Transportation.
  a. Maley had access to security breaches in his capacity as CISO for the Commonwealth.
    1. Commonwealth officials did not want the potential security breaches known publicly.
  b. The examples cited in Maley’s presentation were not available to the public.
  c. Maley’s topic concluded, in part, the need for penetration testing and a robust software security program.
    1. Core Security markets penetration testing through Core Impact software.

67.
Maley submitted an invoice via email to Core Security for his presentation at the April 5-7, 2010, CSO conference:

  Invoice Date | Invoice Number | Amount
  April 9, 2010 | 1000 | $2,500

  a. Maley also submitted expenses totaling $147.20 to Mike Yaffe of Core Security via email on April 9, 2010.
    1. Other expenses for hotel and airfare charged to Yaffe’s corporate credit card totaled $1,361.76.

68. Maley also appeared as a speaker on behalf of Core Security at the Gartner Security Risk Management Summit 2010 held in Washington, D.C. from June 21, 2010, to June 23, 2010.
  a. Maley served on a panel discussing penetration testing.
    1. Maley spoke on his experiences as the CISO for the Commonwealth and used examples of security breaches in state agencies.
  b. Maley spoke on the same subjects as he did at the April 2010 conference.

69. On June 24, 2010, Maley invoiced Core Security in the amount of $2,500 for his appearance at the Washington, D.C. summit on behalf of Core Security.
  a. In addition, Maley had expenses totaling $1,707.99 for his airfare and hotel that were charged to Yaffe’s corporate credit card.

70. Maley received expense payments from Core Security totaling $7,481.52 in 2009 and 2010 for his appearances as CISO at conferences to promote Core Security products.
  a. Maley received these payments at or about times he recommended or authorized purchases by the Commonwealth of Core Security products.
  b. Expense payments made to or on behalf of Maley by Core Security:

  2009 CSO Conference – New York City | $1,017.29
  2009 RSA Conference – San Francisco | $1,512.16
  2009 Black Hat Conference – Las Vegas | $1,527.16
  2009 ISE Awards – Washington, D.C. | $367.53
  * 2010 CSO Conference – San Francisco | $3,057.38
  Total | $7,481.52

  * [sic]. [This relates to the 2010 RSA Conference in San Francisco (Fact Findings 43-52).]

71. Maley also received two payments totaling $5,000 from Core Security between April and June 2010 to appear as a speaker on behalf of Core Security.
  a.
Maley received these payments based on his use of Core Impact software in his capacity as CISO for the Commonwealth.

72. Total payments made to or on behalf of Maley by Core Security were $12,481.52.

73. Payments made by Core Security to Robert Maley for expenses and speaking engagements totaling $7,960.30 were deposited into Maley’s checking account at the PA State Employees Credit Union as indicated below:

  Date of Check | Check Number | Amount | Reason for Payment
  3/10/2009 | 1587 | $164.00 | Expenses
  5/04/2009 | 1758 | $1,162.76 | Expenses
  8/18/2009 | 2086 | $665.50 | Expenses
  11/13/2009 | 2378 | $367.53 | Expenses
  3/17/2010 | 2986 | $453.31 | Expenses
  4/20/2010 | 2770 | $2,647.20 | Compensation & Expenses
  7/06/2010 | 2962 | $2,500.00 | Compensation
  Total | | $7,960.30 |

(The following findings relate to Maley’s receipt of gifts from Commonwealth vendor BitArmor.)

74. On or around August 2007, Maley became acquainted with and established contact with Commonwealth vendor BitArmor Systems, Inc.

75. BitArmor was based out of Pittsburgh, Pennsylvania, and sold Data Security Software.
  a. BitArmor operated from 2003 until 2010, but was bought out by Chicago-based software vendor, Trustwave.

76. Based on the recommendation of Maley, the Bureau of Information Technology for the Pennsylvania State Police (“PSP”) entered into a contract with BitArmor on March 27, 2009.
  a. PSP purchased software from BitArmor to be used for Microsoft Word in order to prevent file encryption.

77. The software the PSP purchased from BitArmor included the following:

  Part # | Quantity | Description | Unit Price | Amount
  2504787 | 250 | PA Control Agent End Point License | $70.56 | $17,640.00
  2504791 | 250 | PA Control Server Client Access License | $44.10 | $11,025.00
  2504792 | 250 | PA disk Encryption Add on License | $8.82 | $2,205.00
  2504793 | 1 | PA BitArmor Data Control Maint & Support 1 Year | $2,041.34 | $2,041.34
  Total | | | | $32,911.34

  a. The contract between PSP and BitArmor was signed by Michael C.
Shevlin, Chief Information Officer, Bureau of Information for the Pennsylvania State Police and J. Patrick McGregor, Chief Executive Officer, BitArmor Systems, Inc.

78. Approximately three weeks after the contract between BitArmor and the PSP, Maley received tickets from BitArmor to attend a major league baseball game in San Francisco.
  a. Maley was to be in San Francisco attending the 2009 RSA Conference at that time.

79. Missy Palma, Executive Assistant to J. Patrick McGregor, sent the following email to Maley on April 17, 2009, at 4:43 p.m. regarding the baseball game:

Hi Bob,
I am Patrick’s executive assistant and he asked that I contact you regarding the Giants/Padres game next Tuesday the 21st. The game starts at 7:15 PM so Patrick was thinking you could meet at 6:45 pm outside of the main gate (which is hopefully obvious). Please let me know if this works for you. Patrick’s cell phone is xxx-xxx-xxxx in case you should need to get hold of him while in San Francisco. Can you please send me your mobile number as well?
Thank you,
Missy Palma
Executive Assistant
BitArmor

The email was sent to Maley’s Commonwealth email address.

80. Maley responded by email using his Commonwealth address on April 20, 2009, at 2:49 p.m. as follows:

Sounds like a Plan. My cell is xxx-xxx-xxxx.

81. McGregor purchased a total of six (6) tickets through StubHub on April 14, 2009, for the baseball game on April 21, 2009, at 7:15 p.m. between the San Diego Padres vs. San Francisco Giants at AT & T Park in San Francisco, California.
  a. The cost of each ticket was $49.99 and with taxes the total amount was $334.90.

82. Maley attended the game as a guest of McGregor.
  a. Of the six tickets used, Maley was the only individual who attended the game who was not an employee of BitArmor.
  b. Maley did not pay for the ticket.

83.
McGregor bought the ticket for Maley as a way of networking and doing business in an effort to generate additional contracts from the Commonwealth of Pennsylvania.

(The following findings relate to Maley’s receipt of transportation, lodging and hospitality from Commonwealth vendor McAfee, Inc.)

84. McAfee, Inc. is a vendor of the Commonwealth specializing in anti-virus software.
  a. McAfee has been providing anti-virus software to the Commonwealth of Pennsylvania since prior to 2009.

85. In or around the early part of 2009, Maley as the CISO began negotiating a new contract with Chris Gomolak of McAfee.
  a. Gomolak was an Account Manager for McAfee.

86. Maley was the only Commonwealth official Gomolak dealt with in negotiations for potential contracts with the Commonwealth.

87. On March 27, 2009, Maley attended a business meal at Damon’s Grill in Harrisburg hosted by Gomolak.
  a. Those present included Maley, Gomolak, Mark Rutledge, CEO for McAfee, and Dave Marcus, a technician for McAfee.
    1. The total cost of the meal was $60.65.
  b. The dinner discussion focused on desktop security software that McAfee could provide to the Commonwealth of Pennsylvania.

88. On May 18, 2009, a Master License and Services Agreement was entered into between McAfee, Inc. and the Commonwealth of Pennsylvania through OA.
  a. The Agreement was signed by Mike Carpenter, Senior Vice-President for McAfee, on May 20, 2009, and Naomi Wyatt, Secretary of Administration, on May 26, 2009.
  b. The points of contact listed on the Agreement included Robert Maley for the Commonwealth of Pennsylvania and Mark Hauptman and Dave Ackley from McAfee.
  c. The services to be rendered included the deployment assistance of the McAfee Host Intrusion Prevention (“HIPS”) Service for up to five thousand (5,000) Server Host IPS Agents in Prevention Mode Readiness and up to five hundred (500) Workstations Host IPS Agents in Protection Mode as time permits.
  d.
The compensation to be paid to McAfee by the Commonwealth of Pennsylvania included agreeing to purchase 10 Stock Keeping Unit (“SKU”) and acceptance of a Scope of Work (“SOW”).
    1. Within six (6) months after McAfee’s receipt of the Commonwealth of Pennsylvania signed version of the SOW, McAfee and the Commonwealth of Pennsylvania must mutually agree to a start date for the commencement of services.
  e. Maley participated in discussions regarding the agreement.

89. While Maley and Gomolak were discussing the SOW McAfee was going to perform for the Commonwealth of Pennsylvania, Gomolak offered to purchase playoff baseball tickets for Maley.
  a. While involved in negotiations with Maley, Gomolak became aware that Maley was a baseball fan.
    1. Gomolak was going to purchase tickets to the Philadelphia Phillies and Los Angeles Dodgers playoff games scheduled in Philadelphia for October 2009.

90. Prior to buying the tickets, Gomolak inquired of Maley if he was permitted to accept the ticket while they were in negotiations for a state contract.
  a. Maley informed Gomolak that it was not a problem and that Maley could accept the tickets.

91. Maley never advised his supervisors at OIT that he had been offered tickets by Gomolak.

92. On Monday, October 19, 2009, at 12:45 a.m. Maley sent the following email to his boss, Tony Encinias, and copied Erik Avakian (his assistant). The subject matter of the email was Vacation Day:

Tony,
An old friend got tickets to the playoff game in Philly Monday night, and invited me and my son. We want to head down early and enjoy the atmosphere, so I would like to take a vacation day today. No meetings are scheduled.
Bob

  a. Maley never advised Encinias that the old friend was Chris Gomolak, Account Manager McAfee, with whom Maley was negotiating a state contract.

93. The following email exchanges were made between Maley and Gomolak leading up to the game:

From: Maley, Robert
To: Gomolak, Chris
Sent: Fri Oct 16, 2009, 10:19 a.m.
2 seats, right?

From: Gomolak, Chris
To: Maley, Robert
Sent: Fri Oct 16 09:25:15 2009
Yes two seats. Assuming you are bringing your son?

From: Maley, Robert
To: Gomolak, Chris
Sent: Mon Oct 19, 2009, 2:00 p.m.
Just checking in to make sure everything is still a go!

From: Gomolak, Chris
To: Maley, Robert
Sent: Mon Oct 19 13:04:42 2009
Yes! We are on. Happy to see the Sun out there. Have tickets. See you shortly
Chris

94. Gomolak purchased the baseball tickets for Maley and his son from Jamin International Sports Marketing located in Rockaway Beach, New York.

95. The following information was reflected on the invoice for the tickets Gomolak purchased for Maley:

  Date | Description | Ordered | Unit Price | Extended Price
  10/15/09 | Phillies vs. Dodgers 10/19/09 NLCS 132 Row 17 | 2 | $380.00 | $760.00

96. On October 20, 2009, the day after the baseball game, Maley sent Gomolak an email containing the following:

From: Maley, Robert
To: Gomolak, Chris
Sent: Tues Oct 20 12:25:55 2009
Great picture! It was a great game. Thanks again for taking us. My son said he will never forget the experience. I hope your trip home was good.

97. Gomolak filed Expense Report ER283731 on December 21, 2009, to McAfee related to his sales activities on 10/19/09, which included the cost of tickets purchased on behalf of Maley.
  a. The expense report listed an amount of $760.00 and the description of expenses was entertainment expense.
  b. The attendees listed included Robert Maley, Chief Security Officer, Commonwealth of PA and Chris Gomolak, AM, McAfee.
  c. In the comments section of the report justifying the expenses, Gomolak noted that Robert Maley and Commonwealth of PA represent largest customer in Territory.

98. On December 1, 2009, Maley was a guest of Gomolak for a lunch at Damon’s Grill, Harrisburg, PA.
  a. Also in attendance were Brian Gumbel and Jose Martinez of McAfee.
  b. The total cost of the meal was $55.23.

99.
As a result of the negotiations between Maley and officials from McAfee, Purchase Order 4300214068 was approved on March 15, 2010, authorizing the purchase of software from McAfee totaling $1,962,293.00.

100. During the time period in 2009 that he was participating as CISO in discussions and negotiations resulting in the Commonwealth entering into a contract with McAfee, Maley received baseball tickets for himself and his son valued at $760.00.

(The following findings relate to Maley’s receipt of transportation, lodging and hospitality from Guidance Software, Inc.)

101. Guidance Software, Inc. is a computer software company with headquarters in Pasadena, California, that is recognized as a leader in E-discovery and EnCase technology.

102. In his capacity as the CISO, Maley had meetings and discussions regarding contracts with Guidance Software representatives.
  a. Maley asserts that EISSP held ultimate authority over product selection and approval.

103. On April 25, 2007, Maley submitted a Chief Information Officer (“CIO”)/Chief Technology Officer (“CTO”) Procurement Form to the Department of General Services to obtain EnCase software.
  a. The procurement form was needed to secure the software pursuant to a Department of General Services contract.

104. Maley’s justification for the purchase was outlined in the procurement form as follows:

This request involves purchasing an enterprise incident response suite, EnCase Enterprise, to provide automated incident response capabilities to agencies under the Governor’s jurisdiction. This suite will be used to carry out the technical part of incident response needed to identify and mitigate damage and risk incurred during actual breaches of security. The business value includes being able to rapidly respond to incidents as soon as they occur to quickly qualify, contain, remediate the incident without taking systems down nor disrupting end users.
In addition, all work performed during the technical response can be seamlessly handed off to law enforcement and/or used to present admissible evidentiary findings in legal proceedings when necessary.

  a. The procurement dollar value for the software Maley was requesting was $1,073,304.00.
  b. Maley identified the date the item was needed as 12/31/07.

105. As a result of the procurement request made by Maley, a Software License and Service Agreement was made between Guidance Software and the Commonwealth of Pennsylvania on December 31, 2007.
  a. The licensed software that was purchased was EnCase Enterprise products.

106. The descriptions of the services the Commonwealth of Pennsylvania purchased from Guidance Software included the following:

  Description of Services | Amount
  License Fees Payment Amount | $687,080.00
  Software Maintenance Service (3 Years) | $329,798.40
  Implementation | $45,000.00
  Total | $1,061,878.40

107. Maley authorized additional EnCase Software purchases from Guidance Software for the Commonwealth of Pennsylvania on September 4 and 8, 2008.
  a. September 4, 2008

  Products | Amount
  EnCase Data Audit & Policy Enforcement (5,000 – 9,999 Nodes) (2 Examiners, 14 Concurrent Connections, 2 Pro Suites) License Term – Perpetual | $124,496.00
  Perpetual License – Standard Three (3) Years Maintenance Agreement | $59,758.08
  Training – 2 – EnCase Enterprise Phase II 4-Day | $4,996.00
  Total | $189,250.08

  b. September 8, 2008

  Products | Amount
  EnCase Bit 9 Analyzer Perpetual License Term – Perpetual | $65,000.00
  Maintenance Agreement Three (3) Years | $31,488.00
  Total | $96,488.00

108. In or about the time that Maley was participating in decisions to purchase software from Guidance Software, he was asked to be a speaker at Guidance Software’s annual conference identified as the Computer Enterprise and Investigations Conference (“CEIC”).
  a. The CEIC is held on an annual basis, and Guidance Software is the major sponsor of the conference.
  b.
Guidance Software requests that users of its product participate at the CEIC and speak of the benefits of using EnCase Software.

109. On September 26, 2008, at 5:35 p.m., Maley received an email from Kimberly Peterson, Event Manager for Guidance Software, confirming Maley’s appearance as a speaker on behalf of EnCase at the CEIC Conference:

Bob,
We are excited to have you join CEIC as a speaker. I will be working with you to coordinate your travel, speaking arrangements and conference pass. If at any time you have questions regarding CEIC, please don’t hesitate to ask me. For your reference, the link to the conference website is: www.ceicconference.com
We are currently in the process of putting together the agenda for CEIC2009. Do you have a presentation topic in mind? Larry mentioned the project which resulted in your nomination for the NASCIO award. Our attendees continually let us know that they prefer actual studies and real life incidents, and your subject would be a perfect fit. If you prefer, we can provide some additional speaking topics. For examples of last year’s sessions please visit: http://www.ceicconference.com/agenda.aspx
Also, I will arrange for your hotel stay and airfare. I have been authorized to cover 2 nights stay and airfare up to $500. Do you know your travel schedule at this time? If not, I will set up a reminder in my calendar to reach out to you in a few months to confirm travel dates.
I look forward to working with you.

110. Maley attended the 2009 CEIC held in Orlando, Florida, from May 17, 2009, through May 19, 2009.
  a. Maley’s expenses to attend the conference were paid by Guidance Software.

111.
The following expenses incurred by Maley at the 2009 CEIC totaling $1,663.20 were paid by Guidance Software:

  Date | Description of Expense | Amount
  5/17/2009 | Air Fare – Air Tran Airways | $181.20
  5/19/2009 | Hotel – Royal Pacific Resort | $459.00
  5/17/2009 | VIP Pass CEIC | $128.00
  5/17/2009 | Admissions/Full Price | $895.00
  Total | | $1,663.20

112. Guidance Software agreed to pay Maley’s expenses for the CEIC Conference because he was appearing as a speaker to promote software products of Guidance to other potential customers.
  a. Maley asserts that the CEIC Conference’s focus was to educate Guidance Software customers, and not to promote Guidance Software products.

113. Maley never obtained approval and never advised his supervisors of his attendance at the CEIC Conference to speak on behalf of the EnCase software.

(The following findings relate to the allegation that Maley utilized Commonwealth computers for his personal benefit.)

114. As a Commonwealth employee, Maley was subject to Commonwealth policies and procedures regarding internet and email user agreements.

115. Maley signed a standard Commonwealth internet/email user agreement included with Management Directive 205.34 on November 30, 2005.
  a. The general terms of this directive state that any electronic communications on Commonwealth Internet/Email systems may be tracked, monitored, and read by all authorized Commonwealth staff and that there is no expectation of privacy in any Internet/Email Commonwealth systems. Any such communications are the property of the Commonwealth and are to be used for carrying out Commonwealth business activities.
  b. By executing the user agreement, Maley agreed to the security policies of the Commonwealth and its agencies, and to the nondiscrimination policies of the Commonwealth.

116. Maley, in his capacity as the CISO, was assigned a Commonwealth desktop and laptop computer for official business.
  a. Maley did not share use of these computers with other employees.

117.
During his tenure as CISO from November 2005 until March 2010, Maley used his Commonwealth-assigned computers for other than official Commonwealth business.

118. The State Ethics Commission conducted a forensic examination on the hard drives removed from the computers issued to Maley.
  a. The forensic examination revealed that Maley utilized the computers for purposes which did not relate to his duties as the CISO.
  b. Internet artifacts found in the cache folders of the Internet Explorer and Firefox web browsers found that Maley was using his work computer to surf the web for non-Commonwealth purposes.

119. Maley saved a job resume on his computer and occasionally used the state email system to send out his resume for potential job offers.
  a. On January 12, 2010, at 1:50 p.m. Maley used his state email address to send his resume for a position as Vice-President of Information Security in San Francisco.
  b. On March 3, 2010, at 12:56 a.m. Maley sent his resume to Liesyl Franz of techamerica.org

120. Between September 2009 and February 2010 Maley utilized his Commonwealth computer to occupy no less than 71.21 hours of his stated work hours for non-Commonwealth related purposes.
  a. Total wages paid to Maley during the relevant time period were $3,303.43 (71.21 hours @ $46.39/hr.).
The following findings relate to Allegations that Maley failed to file Statements of Financial Interests (SFI) for Calendar Years 2006, 2009 and 2010; when he failed to disclose on his SFI for the 2008 calendar year, name and address and sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; when he failed to disclose on SFI filed for the 2007 and 2008 calendar years, his office, directorship or employment in Susquehanna Digital Forensics, a company in which he is listed as owner; and when he failed to disclose his financial interest in Susquehanna Digital Forensics on his SFI filed for the 2007 and 2008 calendar years; and when he failed to disclose creditors in excess of $6,500 on his SFI for calendar years 2007 and 2008.

121. Maley in his official capacity as the Chief Information Security Officer (“CISO”) for the Office of Information Technology (“OIT”), Office of Administration (“OA”), was annually required to file a Statement of Financial Interests (“SFI”) form by May 1st containing information for the prior calendar year.

122. Maley was required to file SFI for calendar years 2006, 2007, 2008, 2009 and 2010 in his official capacity as the CISO.

123. Maley was annually provided with blank SFI forms to complete by OA’s Human Resources Department.
  a. Filing reminders were transmitted to employees through the Commonwealth’s email system.

124. After Maley left employment with the Commonwealth of Pennsylvania on March 8, 2010, he was notified by US mail on April 11, 2011, of his requirement to file by May 1, 2011, for the 2010 calendar year.

125. Maley failed to file SFIs for calendar years 2006, 2009 and 2010, even after being reminded to do so.

126. Maley filed SFIs for calendar years 2007 and 2008 with OA’s Human Resources Department with the following disclosures:
  a.
Calendar Year: 2007
     Filed: 5/12/08 on SEC-1 REV 01/08
     Public Position: Chief Information Security Officer Chairman
     Political Subdivision: Executive Offices Susquehanna Township Recreation
     Occupation: CISO
     Creditors: PSECU
     Direct or Indirect Sources of Income: Executive Offices, Harrisburg, PA
     Gifts: None
     Transportation, Lodging, Hospitality: None
     Office, Directorship or Employment In Any Business: None
     Financial Interest in Any Legal Entity In Business For Profit: None
  b. Calendar Year: 2008
     Filed: 2/24/09 on SEC-1 REV 01/09
     Public Position: Chief Information Security Officer Chairman
     Political Subdivision: Executive Offices Susquehanna Township Recreation
     Occupation: CISO
     Creditors: PSECU
     Direct or Indirect Sources of Income: Executive Offices, Harrisburg, PA
     Gifts: None
     Transportation, Lodging, Hospitality: None
     Office, Directorship or Employment In Any Business: None

127. Susquehanna Digital Forensics is a computer consulting company established by Maley in or about 2004.
  a. The website established for the company is www.susquehannadigitalforensics.com.
  b. The website cites the following mission: Provide clients with the critical tools to discover the extent of security breaches, diagnose and stop further potential damage, and to avoid legal penalties and exposure.
  c. The company is not incorporated in the Commonwealth of Pennsylvania.
  d. Although Susquehanna Digital Forensics maintains an active website, Maley asserts that he discontinued business efforts in 2005 after being hired by the Commonwealth.

128. Maley’s SFI for the 2007 and 2008 calendar years did not disclose his ownership and financial interest in the business Susquehanna Digital Forensics.
  a. The business was registered to Maley’s home address.

129. Maley’s SFI for the 2007 and 2008 calendar years did not disclose creditors in excess of $6,500.00.
  a. In both 2007 and 2008 Maley’s creditors in excess of $6,500 were Chase Bank and MBNA credit card.

130.
Maley did not disclose on SFIs for 2007 or 2008 the receipt of transportation, lodging or hospitality.

131. Maley realized a private pecuniary benefit when he accepted gifts and transportation, lodging and/or hospitality from vendors he was recommending and/or approved contracts with the Commonwealth and when he utilized Commonwealth of Pennsylvania computers for non-Commonwealth purposes.

III.DISCUSSION:

As the Chief Information Security Officer (“CISO”) for the Office for Information Technology (“OIT”) within the Commonwealth of Pennsylvania’s Office of Administration (“OA”) from November 2005 until March 8, 2010, Respondent Robert L. Maley, hereinafter also referred to as “Respondent,” “Respondent Maley,” and “Maley,” was a public employee subject to the provisions of the Public Official and Employee Ethics Act (“Ethics Act”), 65 Pa.C.S. § 1101 et seq.

The allegations are that Maley violated Sections 1103(a) and 1105(b) of the Ethics Act: (1) when he accepted gifts and payments for expenses for transportation, lodging and/or hospitality from vendors he recommended and/or approved for contracts with the Commonwealth; (2) when he utilized Commonwealth of Pennsylvania computers for his personal use; (3) when he failed to file Statements of Financial Interests (“SFIs”) for the 2006, 2009 and 2010 calendar years; (4) when he failed to disclose on SFIs filed for the 2008 calendar year, the names and addresses of sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; (5) when he failed to disclose on SFIs filed for the 2007 and 2008 calendar years his office, directorship or employment in Susquehanna Digital Forensics, a company in which he is listed as owner, and when he failed to disclose creditors in excess of $6,500; (6) when he failed to disclose his financial interest in Susquehanna Digital Forensics on SFIs filed for the 2007 and 2008 calendar years; and (7)
when, after being terminated by the Commonwealth, he received payments from a Commonwealth vendor that he, in his public position, had recommended to receive State contracts, to promote that same vendor’s product(s).

Pursuant to Section 1103(a) of the Ethics Act, a public official/public employee is prohibited from engaging in conduct that constitutes a conflict of interest:

§ 1103. Restricted activities
(a) Conflict of interest.— No public official or public employee shall engage in conduct that constitutes a conflict of interest.
65 Pa.C.S. § 1103(a).

The term "conflict" or "conflict of interest" is defined in the Ethics Act as follows:

§ 1102. Definitions
"Conflict" or "conflict of interest." Use by a public official or public employee of the authority of his office or employment or any confidential information received through his holding public office or employment for the private pecuniary benefit of himself, a member of his immediate family or a business with which he or a member of his immediate family is associated. The term does not include an action having a de minimis economic impact or which affects to the same degree a class consisting of the general public or a subclass consisting of an industry, occupation or other group which includes the public official or public employee, a member of his immediate family or a business with which he or a member of his immediate family is associated.
65 Pa.C.S. § 1102.

Section 1103(a) of the Ethics Act prohibits a public official/public employee from using the authority of public office/employment or confidential information received by holding such a public position for the private pecuniary benefit of the public official/public employee himself, any member of his immediate family, or a business with which he or a member of his immediate family is associated.
Section 1105(b) of the Ethics Act and its subsections detail the financial disclosure that a person required to file the Statement of Financial Interests form must provide. Subject to certain statutory exceptions not applicable to this matter, Section 1105(b)(4) of the Ethics Act requires the filer to disclose on the SFI the name and address of each creditor to whom is owed in excess of $6,500 and the interest rate thereon. Subject to certain statutory exceptions not applicable to this matter, Section 1105(b)(7) of the Ethics Act requires the filer to disclose on the SFI the name and address of the source and the amount of any payment for or reimbursement of actual expenses for transportation and lodging or hospitality received in connection with public office or employment where such actual expenses exceed $650 in an aggregate amount per year. Section 1105(b)(8) of the Ethics Act requires the filer to disclose on the SFI any office, directorship or employment in any business entity. Section 1105(b)(9) of the Ethics Act requires the filer to disclose on the SFI any financial interest in any legal entity engaged in business for profit. The term “financial interest” is defined in the Ethics Act as “[a]ny financial interest in a legal entity engaged in business for profit which comprises more than 5% of the equity of the business or more than 5% of the assets of the economic interest in indebtedness.” 65 Pa.C.S. § 1102. As noted above, the parties have submitted a Consent Agreement and Stipulation of Findings. The parties' Stipulated Findings are set forth above as the Findings of this Commission. We shall now summarize the relevant facts as contained therein. Background: In or around 2003, the Commonwealth of Pennsylvania through the Department of General Services (“DGS”) entered into an agreement with ASAP Software Express, Inc. (“ASAP”) for the procurement of software and maintenance and other support services. 
In or about 2003, the Commonwealth also established “Enterprise Architecture” for developing information technology standards for the Commonwealth. Standards were developed through the Enterprise Information Standards Selection Process (“EISSP”). A committee consisting of officials/employees of OIT and officials from various state agencies comprised the team that set standards. This team evaluated and scored the software and hardware of vendors being considered for information technology contracts with the Commonwealth. Vendors’ products scoring the highest would be selected as the standard to be used by other Commonwealth agencies when purchasing hardware and software. DGS would then negotiate costs of products for all state agencies. Respondent Maley was employed as the CISO for the OIT from November 2005 until March 8, 2010. Maley was removed as the CISO effective the start of business on March 8, 2010. As the CISO, Maley was responsible for setting the security strategies for the Commonwealth of Pennsylvania. The strategies included risk assessment, compliance, enforcing compliance, security planning and governance, selecting product standards and controlling risks. Maley managed the information technology budget that included the integrated enterprise system. Maley participated in the EISSP and evaluated and scored vendors’ software packages. Maley identified and recommended products and software from vendors that would be used by the Commonwealth of Pennsylvania. Purchases of computer software with estimated costs of less than $50,000 were made based on Maley’s authorization and/or recommendation. During Maley’s tenure as the CISO, he developed relationships with the following vendors doing business with the Commonwealth of Pennsylvania: Core Security Technologies (“Core Security”); BitArmor Systems, Inc. (“BitArmor”); McAfee, Inc. (“McAfee”); and Guidance Software, Inc. (“Guidance Software”). 
Maley formed these relationships as a result of his public position as CISO, which included meeting with vendors to review proposals and evaluate products. Maley’s receipt of compensation and paid expenses from Commonwealth vendor Core Security: Commonwealth vendor Core Security markets software known as “Core Impact,” which provides continuous, on-demand automated security testing solutions. In his capacity as CISO, Maley participated in the EISSP and was part of the team that established Core Security as a standard. Maley, as the CISO, directed ASAP to make purchases of software from Core Security. Maley first began purchasing Core Impact from Core Security on April 7, 2006. Maley renewed Core Impact software annually through 2009. Beginning in or about October 2008, while Maley was purchasing software from Core Security for the Commonwealth, Core Security invited Maley to attend an all-expense-paid conference and to speak on behalf of Core Security’s Core Impact software. That speaking engagement as well as subsequent speaking engagements by Maley at the request of Core Security were arranged using Maley’s Commonwealth email address. At the time in 2008 when Maley agreed to be a speaker on behalf of Core Security, then Governor Edward Rendell imposed a ban on out-of-state travel for state employees under the Governor’s jurisdiction. Any out-of-state travel required the approval of the employee’s supervisors. Maley’s supervisors included Brenda Orth (“Orth”), Deputy Secretary for OIT, and Tony Encinias (“Encinias”), Chief Technology Officer. In 2009 and 2010, Maley received expense payments from Core Security totaling $7,481.52 for his appearances as CISO at conferences to promote Core Security products. Maley received these payments at or about times he recommended or authorized purchases by the Commonwealth of Core Security products. In January 2009, Maley attended a Corporate Security Officer (“CSO”) Conference in New York City. 
Core Security paid Maley’s expenses to attend the conference, which expenses totaled $1,017.29. (Fact Finding 70 b). Maley did not seek or obtain authorization from the Commonwealth to appear as a speaker at the aforesaid conference. Maley did not discuss his attendance at the conference with either Encinias or Orth. At the conference, Maley spoke as the CISO regarding his office’s experiences with Core Impact. In April 2009, Core Security invoiced the Commonwealth for Core Impact software in the amount of $25,935.00. The invoice was directed to the attention of Maley. A purchase order was prepared by the Commonwealth in the amount of $25,935.00. Commonwealth check number 1018422 was issued to Core Security on May 29, 2009, in the amount of $25,935.00. In April 2009, at or about the time Core Security was billing the Commonwealth of Pennsylvania for Core Impact based upon Maley’s recommendation, Core Security paid Maley’s expenses to attend the 2009 RSA Conference in San Francisco, California, which expenses totaled $1,512.16. (Fact Finding 70 b). Core Security only paid for Maley’s expenses to attend the conference because he was a customer and user of its product, Core Impact, and was promoting Core Impact. Maley was only able to comment about Core Impact because of his position as the CISO for the Commonwealth of Pennsylvania. In preparation for the 2009 RSA Conference, Core Security issued a press release identifying Maley as the CISO from the Commonwealth of Pennsylvania and indicating that Maley would address “lessons learned” with regard to defending citizen data, preventing government breaches, and achieving greater cyber security in the states. Maley never requested approval from OA to be a presenter on behalf of Core Security or to attend the conference in his capacity as the CISO. Maley never advised his superiors he was attending the RSA conference or that his expenses to attend the conference were being paid by a Commonwealth vendor. 
Maley utilized annual leave to attend the RSA Conference. From June 25, 2009, to July 13, 2009, Maley engaged in a series of emails with Core Security employees regarding his attendance at the “Black Hat Technical Security Conference” that was to be held in Las Vegas, Nevada, from July 28, 2009, through July 31, 2009. All of the emails were either sent from or received at Maley’s Commonwealth email address. Core Security paid Maley’s expenses to attend the conference, which totaled $1,527.16. (Fact Finding 70 b). Maley’s expenses were paid by Core Security because he was speaking on behalf of Core Impact software. In or about September 2009, Core Security nominated Maley for the Information Security Executive (“ISE”) of the Year Award. Maley was the winner for the Government Category, Safeguarding Citizen Data. An event to present the award was scheduled for October 27, 2009, in Washington, D.C. Core Security paid Maley’s expenses for attending the event, which totaled $367.53. (Fact Finding 70 b). Maley never advised his supervisors at OA that Core Security nominated him for an award or that he would be traveling to Washington, D.C. to accept the award. On October 30, 2009, Encinias became aware that Maley had attended the ISE Awards Dinner on October 27, 2009. After discussing the matter with Orth, Encinias sent an email to Maley on October 30, 2009, which stated as follows: “Bob, No more conferences, speaking engagements, personal award submissions, etc. until further notice. Tony.” Maley ignored the aforesaid directive from Encinias and continued to serve as a speaker at conferences on behalf of Core Security. Maley was invited by Core Security officials/employees to attend the 2010 RSA Conference in San Francisco to speak at the conference on behalf of Core Security products. All of Maley’s travel plans were arranged by Core Security staff. 
Between January 8, 2010, and February 16, 2010, Maley and Core Security staff communicated via email regarding Maley’s travel arrangements and conference registration using Maley’s Commonwealth email address. On Saturday, February 27, 2010--the day before the conference was to begin--Maley sent an email to Encinias stating that he would be taking vacation during the upcoming week. The email did not state that Maley was traveling to San Francisco to appear as a speaker at a conference on behalf of Core Security. Maley never sought Encinias’ approval nor did he advise him that he was traveling to the RSA Conference in his capacity as the CISO. Maley attended the 2010 RSA Conference from February 28, 2010, through March 5, 2010. Maley was a speaker at the conference and was identified as the CISO from the Commonwealth of Pennsylvania. Maley promoted Core Impact to other potential customers for Core Security. Core Security paid Maley’s expenses for attending the conference, which totaled $3,057.38. (Fact Finding 70 b). Core Security paid Maley’s expenses to attend the RSA Conference as a result of Maley agreeing to speak at the conference about the benefits of using Core Impact. At or about the time Core Security was paying Maley’s expenses to attend the 2010 RSA Conference, Maley was recommending and requesting that OA purchase another Core Impact license for the Commonwealth of Pennsylvania. No individuals from OIT other than Maley requested that another license be purchased from Core Security. Between February 10, 2010, and February 11, 2010, Maley exchanged emails with a Core Security representative to arrange for the purchase of an additional Core Impact license. Maley subsequently authorized the purchase from Core Security for two Core Impact licenses and training. On or about March 3, 2010, Core Security submitted to the Commonwealth Invoice number 0310-1004 in the total amount of $53,183.00 for the aforesaid order placed by Maley. 
Meanwhile, on February 22, 2010, while Maley was still employed as the CISO with OIT, Maley was solicited by Core Security staff to speak at the April 5-7, 2010, CSO Perspectives Conference. On or about March 6, 2010, Maley’s supervisors became aware of Maley’s attendance at and participation in the 2010 RSA Conference. On March 8, 2010, Maley’s employment as CISO was officially terminated. OIT did not complete the purchase from Core Security under Invoice number 0310-1004. OIT Officials believed it was unnecessary to purchase a second license from Core Security. After being terminated from his position as CISO for the Commonwealth of Pennsylvania, Maley received two payments totaling $5,000 from Core Security between April and June 2010 to appear as a speaker on behalf of Core Security. Maley received these payments based upon his use of Core Impact software in his capacity as CISO for the Commonwealth. Maley spoke on behalf of Core Security at the CSO Perspectives Conference in Santa Clara, California, from April 5, 2010, to April 7, 2010. The conference agenda identified Maley as the former CISO for the Commonwealth of Pennsylvania. It was noted in the agenda that Maley was sponsored by Core Security. Maley’s presentation focused on the following: Commonwealth of PA Profile – Key aspects and facts; Office for Information Security role; Commonwealth’s responsibilities; the past state in the Enterprise; outline of problems “we” had to tackle; Project description; Project goals; key components of the Project; how “we” solved the problems; challenges “we” faced; Project results – qualitative/quantitative; lessons learned; and recap. Examples used in Maley’s presentation were security breaches in the Pennsylvania Departments of Labor and Industry, Veterans’ Affairs and Transportation. Maley had access to security breaches in his capacity as CISO for the Commonwealth. 
Commonwealth officials did not want the potential security breaches to be known publicly. The examples cited in Maley’s presentation were not available to the public. Core Security paid Maley $2,500 for speaking at the CSO Perspectives Conference. In addition, Core Security paid Maley’s expenses totaling $1,508.96 for attending the conference. Maley also appeared as a speaker on behalf of Core Security at the Gartner Security Risk Management Summit 2010 held in Washington, D.C. from June 21, 2010, to June 23, 2010. Maley served on a panel discussing penetration testing. Maley spoke on his experiences as the CISO for the Commonwealth and used examples of security breaches in state agencies. Maley spoke on the same subjects as he did at the April 2010 conference. Core Security paid Maley $2,500 for his appearance at the Washington, D.C. summit on behalf of Core Security. In addition, Core Security paid Maley’s expenses for his airfare and hotel totaling $1,707.99. Per Fact Finding 72, total payments made to or on behalf of Maley by Core Security were $12,481.52. Maley’s receipt of a baseball ticket from Commonwealth vendor BitArmor: On March 27, 2009, based upon the recommendation of Maley, the Bureau of Information Technology for the Pennsylvania State Police (“PSP”) entered into a contract with Commonwealth vendor BitArmor to purchase software totaling $32,911.34. The contract between PSP and BitArmor was signed by BitArmor’s Chief Executive Officer, J. Patrick McGregor (“McGregor”), on behalf of BitArmor. On April 21, 2009--approximately three weeks after BitArmor and the PSP entered into the aforesaid contract--Maley attended a major league baseball game between the San Diego Padres and the San Francisco Giants in San Francisco, California, as a guest of McGregor. Maley was in San Francisco attending the 2009 RSA Conference at that time. The cost of Maley’s baseball ticket was $49.99. 
McGregor’s Executive Assistant and Maley communicated by email, using Maley’s Commonwealth email address, regarding arrangements for Maley to meet McGregor at the game. McGregor bought the ticket for Maley as a way of networking and doing business in an effort to generate additional contracts from the Commonwealth of Pennsylvania. Maley’s receipt of baseball tickets from Commonwealth vendor McAfee: McAfee has been providing anti-virus software to the Commonwealth of Pennsylvania since prior to 2009. In or around the early part of 2009, Maley as the CISO began negotiating a new contract with Chris Gomolak (“Gomolak”), an Account Manager for McAfee. Maley was the only Commonwealth official Gomolak dealt with in negotiations for potential contracts with the Commonwealth. On March 27, 2009, Maley attended a business meal at Damon’s Grill in Harrisburg, hosted by Gomolak, which included Maley, Gomolak, McAfee CEO Mark Rutledge, and Dave Marcus, a technician for McAfee. The total cost of the meal was $60.65. The dinner discussion focused on desktop security software that McAfee could provide to the Commonwealth of Pennsylvania. In May 2009, a Master License and Services Agreement was entered into between McAfee and the Commonwealth of Pennsylvania through OA. The points of contact listed on the Agreement included Maley for the Commonwealth of Pennsylvania and Mark Hauptman and Dave Ackley from McAfee. Maley participated in discussions regarding the aforesaid agreement. While Maley and Gomolak were discussing the Scope of Work McAfee was going to perform for the Commonwealth of Pennsylvania, Gomolak offered to purchase tickets for Maley for a Philadelphia Phillies and Los Angeles Dodgers playoff game scheduled in Philadelphia for October 2009. Prior to buying the tickets for the game, Gomolak inquired of Maley if he was permitted to accept the tickets while they were in negotiations for a state contract. 
Maley informed Gomolak that it was not a problem and that Maley could accept the tickets. Maley never advised his supervisors at OIT that he had been offered tickets by Gomolak. Maley and Gomolak exchanged emails on October 16, 2009, and October 19, 2009, regarding Maley receiving two tickets for the game. Gomolak purchased two tickets for Maley and Maley’s son to attend the Phillies vs. Dodgers playoff game on October 19, 2009. The tickets were purchased from Jamin International Sports Marketing located in Rockaway Beach, New York, and cost $380.00 each, for a total cost of $760.00. On Monday, October 19, 2009, at 12:45 a.m., Maley sent an email to Encinias stating that he would like to take a vacation day that day because “an old friend” got tickets to the playoff game in Philadelphia and invited Maley and Maley’s son. Maley never advised Encinias that the “old friend” was Gomolak, Account Manager for McAfee, with whom Maley was negotiating a state contract. Maley and his son attended the game. On December 21, 2009, Gomolak filed an Expense Report with McAfee related to his sales activities on October 19, 2009, which included the cost of tickets purchased on behalf of Maley. The expense report listed an amount of $760.00 for entertainment expense. The attendees listed included Robert Maley, Chief Security Officer, Commonwealth of PA and Chris Gomolak, AM, McAfee. In the comments section of the report justifying the expenses, Gomolak noted that Maley and the Commonwealth of Pennsylvania represented the largest customer in the Territory. On December 1, 2009, Maley was a guest of Gomolak for a lunch at Damon’s Grill in Harrisburg, Pennsylvania. Also in attendance were Brian Gumbel and Jose Martinez of McAfee. The total cost of the meal was $55.23. 
As a result of the negotiations between Maley and officials from McAfee, Purchase Order 4300214068 was approved on March 15, 2010, authorizing the purchase of software from McAfee totaling $1,962,293.00. Maley’s receipt of transportation, lodging and hospitality from Commonwealth vendor Guidance Software: Guidance Software is a computer software company that is recognized as a leader in E-discovery and EnCase technology. In his capacity as the CISO, Maley had meetings and discussions regarding contracts with Guidance Software representatives. On April 25, 2007, Maley submitted a Chief Information Officer/Chief Technology Officer Procurement Form to DGS to obtain EnCase software. The procurement form was needed to secure the software pursuant to a DGS contract. The procurement dollar value for the software Maley was requesting was $1,073,304.00. Maley identified the date the item was needed as 12/31/07. As a result of the procurement request made by Maley, a Software License and Service Agreement was made between Guidance Software and the Commonwealth of Pennsylvania on December 31, 2007. The licensed software that was purchased was EnCase Enterprise products. The total cost of the services purchased from Guidance Software at that time was $1,061,878.40. On September 4, 2008, and September 8, 2008, Maley authorized additional EnCase Software purchases from Guidance Software for the Commonwealth of Pennsylvania. The cost of such purchases on September 4, 2008, totaled $189,250.08. The cost of such purchases on September 8, 2008, totaled $96,488.00. In or about the time that Maley was participating in decisions to purchase software from Guidance Software, he was asked to be a speaker at Guidance Software’s annual conference identified as the “Computer Enterprise and Investigations Conference” (“CEIC”). Guidance Software requests that users of its product participate at the CEIC and speak of the benefits of using EnCase Software. 
On September 26, 2008, Maley received an email from Kimberly Peterson, Event Manager for Guidance Software, confirming Maley’s appearance as a speaker on behalf of EnCase at the CEIC. Maley attended the 2009 CEIC held in Orlando, Florida, from May 17, 2009, through May 19, 2009. Maley’s expenses to attend the conference totaled $1,663.20 and were paid by Guidance Software. Guidance Software agreed to pay Maley’s expenses for the CEIC because Maley was appearing as a speaker to promote software products of Guidance Software to other potential customers. Maley never obtained approval and never advised his supervisors of his attendance at the CEIC to speak on behalf of the EnCase software. Maley’s use of his Commonwealth computer during Commonwealth working hours for personal purposes: As a Commonwealth employee, Maley was subject to Commonwealth policies and procedures regarding internet and email use. On November 30, 2005, Maley signed a standard Commonwealth internet/email user agreement included with Management Directive 205.34. The general terms of this directive state that any electronic communications on Commonwealth internet/email systems may be tracked, monitored, and read by all authorized Commonwealth staff and that there is no expectation of privacy in any internet/email Commonwealth systems. Any such communications are the property of the Commonwealth and are to be used for carrying out Commonwealth business activities. By executing the user agreement, Maley agreed to the security policies of the Commonwealth and its agencies. Maley, in his capacity as the CISO, was assigned a Commonwealth desktop and laptop computer for official business. Maley did not share use of these computers with other employees. A forensic examination of the hard drives removed from the computers issued to Maley revealed that Maley utilized the computers for purposes which did not relate to his duties as the CISO. 
Between September 2009 and February 2010 Maley utilized his Commonwealth computer to occupy no less than 71.21 hours of his stated work hours for non-Commonwealth related purposes. Total wages paid to Maley during the relevant time period were $3,303.43 (71.21 hours @ $46.39/hr.). Private Pecuniary Benefit to Maley: The parties have stipulated that Maley realized a private pecuniary benefit when he accepted gifts and transportation, lodging and/or hospitality from vendors he was recommending and/or approved contracts with the Commonwealth and when he utilized Commonwealth of Pennsylvania computers for non-Commonwealth purposes. Statements of Financial Interests: As the CISO for OIT, Maley was required to file SFIs for calendar years 2006, 2007, 2008, 2009 and 2010. Maley failed to file SFIs for calendar years 2006, 2009 and 2010, even after being reminded to do so. Maley filed SFIs for calendar years 2007 and 2008 with OA’s Human Resources Department. Susquehanna Digital Forensics is a computer consulting company established by Maley in or about 2004. The business was registered to Maley’s home address. Maley’s SFIs for the 2007 and 2008 calendar years did not disclose his ownership and financial interest in the business Susquehanna Digital Forensics. Although Susquehanna Digital Forensics maintains an active website, Maley asserts that he discontinued business efforts in 2005 after being hired by the Commonwealth. Maley’s SFIs for the 2007 and 2008 calendar years did not disclose creditors owed in excess of $6,500. In both 2007 and 2008, Maley’s creditors owed in excess of $6,500 were Chase Bank and MBNA credit card. Maley did not disclose on SFIs for 2007 or 2008 the receipt of transportation, lodging or hospitality. Having highlighted the Stipulated Findings and issues before us, we shall now apply the Ethics Act to determine the proper disposition of this case. 
The parties' Consent Agreement sets forth a proposed resolution of the allegations as follows: 3. The Investigative Division will recommend the following in relation to the above allegations: a. That a violation of Section 1103(a) of the Public Official and Employee Ethics Act, 65 Pa.C.S. §1103(a), occurred in relation to Maley’s acceptance of gifts and payments for expenses from vendors he recommended and/or approved for contracts with the Commonwealth; b. That a violation of Section 1103(a) of the Public Official and Employee Ethics Act, 65 Pa.C.S. §1103(a), occurred when Maley used Commonwealth of Pennsylvania computers for non-official purposes; c. That a violation of Section 1103(a) of the Public Official and Employee Ethics Act, 65 Pa.C.S. §1103(a), occurred in relation to Maley’s receipt of payments for promoting a vendor’s product(s) following Maley’s public employment, when – while employed by the Commonwealth - Maley recommended that the same vendor receive State contracts; d. That a violation of Section 1105(b) of the Public Official and Employee Ethics Act, 65 Pa.C.S. § 1105(b), occurred when Maley failed to file a Statement of Financial Interests for the 2006, 2009 and 2010 calendar years; when he failed to disclose on Statements of Financial Interests filed for the 2008 calendar year, payments or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; and when he failed to disclose on Statements of Financial Interests filed for the 2007 and 2008 calendar years, his interest in Susquehanna Digital Forensics and creditors in excess of $6,500. 4. Maley agrees to make payment in the amount of $10,000.00 in settlement of this matter payable to the Commonwealth of Pennsylvania and forwarded to the Pennsylvania State Ethics Commission within thirty (30) days of the issuance of the final adjudication in this matter. 5. 
Maley agrees to file Statements of Financial Interests for calendar years 2006, 2009 and 2010; file amended Statements of Financial Interests for calendar years 2007 and 2008 disclosing all information regarding name and address and sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; his office, directorship or employment in Susquehanna Digital Forensics; creditors in excess of $6,500; his financial interest in Susquehanna Digital Forensics on Statements of Financial Interests, if such has not already been done, within thirty (30) days of the date of the issuance of the final adjudication of the matter. Copies of such forms must also be forwarded to the State Ethics Commission. 6. Maley agrees to not accept any reimbursement, compensation or other payment from the Commonwealth of Pennsylvania representing a full or partial reimbursement of the amount paid in settlement of this matter. 7. The Investigative Division will recommend that the State Ethics Commission take no further action in this matter; and make no specific recommendations to any law enforcement or other authority to take action in this matter. Such, however, does not prohibit the Commission from initiating appropriate enforcement actions in the event of Respondent's failure to comply with this agreement or the Commission's order or cooperating with any other authority who may so choose to review this matter further. Consent Agreement, at 2-3. In considering the Consent Agreement, we accept the recommendation of the parties for a finding that a violation of Section 1103(a) of the Ethics Act occurred in relation to Maley’s acceptance of gifts and payments for expenses from vendors he recommended and/or approved for contracts with the Commonwealth. 
Gifts, transportation, lodging or hospitality received from a vendor may form the basis for a violation of Section 1103(a) of the Ethics Act when the public official/public employee uses the authority of his public position as to the vendor. See, e.g., Munford, Order 1390; Espenshade, Order 1387; Helsel, Order 801; cf., Haldeman, Order 1443 (involving tickets to sporting events and clothing items received from grant applicants). In 2008, at or about the time that Maley was participating in decisions to purchase software from Guidance Software, Maley was asked to be a speaker at Guidance Software’s annual conference. Maley’s expenses to attend the 2009 conference held in Orlando, Florida, totaled $1,663.20 and were paid by Guidance Software. In 2009 and 2010, Maley received expense payments from Core Security totaling $7,481.52 for his appearances as CISO at conferences to promote Core Security products. Maley received these payments at or about times he recommended or authorized purchases by the Commonwealth of Core Security products. Maley’s attendance at the aforesaid conferences to speak on behalf of, and at the expense of, Commonwealth vendors with whom he had official dealings was unauthorized. As for the baseball tickets that Maley received, the cost of the ticket provided by BitArmor was only $49.99. However, the cost of the playoff tickets provided to Maley by McAfee was $760.00. A McAfee Account Manager offered to purchase the playoff tickets for Maley at or about the time the McAfee Account Manager and Maley were involved in discussions regarding the Scope of Work to be performed by McAfee for the Commonwealth. Based upon the Stipulated Findings and Consent Agreement, we hold that a violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in relation to Maley’s acceptance of gifts and payments for expenses from vendors he recommended and/or approved for contracts with the Commonwealth. 
We agree with the parties that a violation of Section 1103(a) of the Ethics Act occurred when Maley used Commonwealth computers for non-official purposes. It is axiomatic that Section 1103(a) of the Ethics Act prohibits the use of governmental facilities, equipment, time, and the like for private purposes. See, e.g., Sindiri, Order 1572; Debias, Order 1539; Neff, Order 1498; Morton, Order 1491; Rembold, Order 1417; Cobb, Order 1354; Confidential Opinion, 05-001. Maley, in his capacity as the CISO, was assigned a Commonwealth desktop and laptop computer for official business. Between September 2009 and February 2010 Maley utilized his Commonwealth computer to occupy no less than 71.21 hours of his stated work hours for non-Commonwealth related purposes. Total wages paid to Maley during the relevant time period were $3,303.43 (71.21 hours @ $46.39/hr.). With each element of the recommended violation of Section 1103(a) established, we hold that a violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred when Maley used Commonwealth of Pennsylvania computers for non-official purposes. We shall now address the parties’ recommendation for a finding of a third violation of Section 1103(a). After being terminated from his position as CISO for the Commonwealth of Pennsylvania, Maley received two payments totaling $5,000 from Core Security between April and June 2010 to appear as a speaker at two conferences on behalf of Core Security. Maley was solicited by Core Security staff to speak at the April 2010 conference while he was still employed as CISO for OIT. Maley received the aforesaid payments based upon his use of Core Impact software in his capacity as CISO for the Commonwealth. Maley’s presentations included examples of security breaches in certain Pennsylvania agencies. The examples cited in Maley’s presentations were not available to the public. 
Maley had access to security breaches in his capacity as CISO for the Commonwealth. We accept the parties’ recommended disposition and hold that a violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in relation to Maley’s receipt of payments for promoting a vendor’s product(s) following Maley’s public employment, when--while employed by the Commonwealth--Maley recommended that the same vendor receive State contracts.

Turning to the allegations involving Maley’s SFIs, the parties have recommended the finding of a violation of Section 1105(b) of the Ethics Act with respect to Maley’s delinquent SFIs for calendar years 2006, 2009, and 2010, and deficient SFIs for calendar years 2007 and 2008. While a violation for failure to file is generally based on Section 1104(a) of the Ethics Act, such a failure to file would necessarily include a failure to disclose the required information pursuant to Section 1105(b). Therefore, we accept the parties’ recommended disposition and hold that a violation of Section 1105(b) of the Ethics Act, 65 Pa.C.S. § 1105(b), occurred when Maley failed to file SFIs for the 2006, 2009 and 2010 calendar years; when he failed to disclose on SFI(s) filed for the 2008 calendar year, payments or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; and when he failed to disclose on SFIs filed for the 2007 and 2008 calendar years, his interest in Susquehanna Digital Forensics and creditors in excess of $6,500.

As part of the Consent Agreement, Maley has agreed to make payment in the amount of $10,000 in settlement of this matter payable to the Commonwealth of Pennsylvania and forwarded to this Commission within thirty (30) days of the issuance of the final adjudication in this matter.
Maley has agreed to not accept any reimbursement, compensation or other payment from the Commonwealth of Pennsylvania representing a full or partial reimbursement of the amount paid in settlement of this matter.

Maley has further agreed to file: (1) SFIs for calendar years 2006, 2009 and 2010; and (2) amended SFIs for calendar years 2007 and 2008 disclosing all information regarding name and address and sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; his office, directorship or employment in Susquehanna Digital Forensics; creditors in excess of $6,500; and his financial interest in Susquehanna Digital Forensics, if such has not already been done, within thirty (30) days of the date of the issuance of the final adjudication of this matter, and to forward copies of all such forms to this Commission.

We determine that the Consent Agreement submitted by the parties sets forth a proper disposition for this case, based upon our review as reflected in the above analysis and the totality of the facts and circumstances.

Accordingly, per the Consent Agreement of the parties, Maley is directed to make payment in the amount of $10,000 payable to the Commonwealth of Pennsylvania and forwarded to this Commission by no later than the thirtieth (30th) day after the mailing date of this adjudication and Order. Per the Consent Agreement of the parties, Maley is further directed to not accept any reimbursement, compensation or other payment from the Commonwealth of Pennsylvania representing a full or partial reimbursement of the amount paid in settlement of this matter.
To the extent he has not already done so, Maley is directed to file: (1) SFIs for calendar years 2006, 2009 and 2010; and (2) amended SFIs for calendar years 2007 and 2008 disclosing all information regarding name and address and sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; his office, directorship or employment in Susquehanna Digital Forensics; creditors in excess of $6,500; and his financial interest in Susquehanna Digital Forensics, by no later than the thirtieth (30th) day after the mailing date of this adjudication and Order, and to forward copies of all such forms to this Commission.

Compliance with the foregoing will result in the closing of this case with no further action by this Commission. Noncompliance will result in the institution of an order enforcement action.

IV. CONCLUSIONS OF LAW:

1. As the Chief Information Security Officer for the Office for Information Technology within the Commonwealth of Pennsylvania’s Office of Administration from November 2005 until March 8, 2010, Respondent Robert L. Maley (“Maley”) was a public employee subject to the provisions of the Public Official and Employee Ethics Act (“Ethics Act”), 65 Pa.C.S. § 1101 et seq.

2. Maley violated Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), in relation to his acceptance of gifts and payments for expenses from vendors he recommended and/or approved for contracts with the Commonwealth.

3. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred when Maley used Commonwealth of Pennsylvania computers for non-official purposes.

4. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S.
§ 1103(a), occurred in relation to Maley’s receipt of payments for promoting a vendor’s product(s) following Maley’s public employment, when--while employed by the Commonwealth--Maley recommended that the same vendor receive State contracts.

5. A violation of Section 1105(b) of the Ethics Act, 65 Pa.C.S. § 1105(b), occurred when Maley failed to file Statements of Financial Interests for the 2006, 2009 and 2010 calendar years; when he failed to disclose on Statement(s) of Financial Interests filed for the 2008 calendar year, payments or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; and when he failed to disclose on Statements of Financial Interests filed for the 2007 and 2008 calendar years, his interest in Susquehanna Digital Forensics and creditors in excess of $6,500.

In Re: Robert L. Maley, Respondent
File Docket: 10-020
Date Decided: 9/27/11
Date Mailed: 10/12/11

ORDER NO. 1594

1. As the Chief Information Security Officer for the Office for Information Technology within the Commonwealth of Pennsylvania’s Office of Administration, Robert L. Maley (“Maley”) violated Section 1103(a) of the Public Official and Employee Ethics Act (“Ethics Act”), 65 Pa.C.S. § 1103(a), in relation to his acceptance of gifts and payments for expenses from vendors he recommended and/or approved for contracts with the Commonwealth.

2. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred when Maley used Commonwealth of Pennsylvania computers for non-official purposes.

3. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in relation to Maley’s receipt of payments for promoting a vendor’s product(s) following Maley’s public employment, when--while employed by the Commonwealth--Maley recommended that the same vendor receive State contracts.

4. A violation of Section 1105(b) of the Ethics Act, 65 Pa.C.S.
§ 1105(b), occurred when Maley failed to file Statements of Financial Interests for the 2006, 2009 and 2010 calendar years; when he failed to disclose on Statement(s) of Financial Interests filed for the 2008 calendar year, payments or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; and when he failed to disclose on Statements of Financial Interests filed for the 2007 and 2008 calendar years, his interest in Susquehanna Digital Forensics and creditors in excess of $6,500.

5. Per the Consent Agreement of the parties, Maley is directed to make payment in the amount of $10,000 payable to the Commonwealth of Pennsylvania and forwarded to the Pennsylvania State Ethics Commission by no later than the thirtieth (30th) day after the mailing date of this Order.

6. Per the Consent Agreement of the parties, Maley is further directed to not accept any reimbursement, compensation or other payment from the Commonwealth of Pennsylvania representing a full or partial reimbursement of the amount paid in settlement of this matter.

7. To the extent he has not already done so, Maley is directed to file: (1) Statements of Financial Interests for calendar years 2006, 2009 and 2010; and (2) amended Statements of Financial Interests for calendar years 2007 and 2008 disclosing all information regarding name and address and sources and amounts of payments for or reimbursement of expenses of transportation, lodging and/or hospitality received in connection with his public position; his office, directorship or employment in Susquehanna Digital Forensics; creditors in excess of $6,500; and his financial interest in Susquehanna Digital Forensics, by no later than the thirtieth (30th) day after the mailing date of this Order, and to forward copies of all such forms to the Pennsylvania State Ethics Commission.

8.
Compliance with Paragraphs 5, 6, and 7 of this Order will result in the closing of this case with no further action by this Commission.

a. Non-compliance will result in the institution of an order enforcement action.

BY THE COMMISSION,

___________________________
Louis W. Fryman, Chair