In Re: Robert L. Maley,   :  File Docket:   10-020
       Respondent         :  X-ref:         Order No. 1594
                          :  Date Decided:  9/27/11
                          :  Date Mailed:   10/12/11

Before: Louis W. Fryman, Chair
        John J. Bolger, Vice Chair
        Donald M. McCurdy
        Raquel K. Bergen
        Nicholas A. Colafella
        Mark Volk
This is a final adjudication of the State Ethics Commission.
Procedurally, the Investigative Division of the State Ethics Commission conducted
an investigation regarding possible violation(s) of the Public Official and Employee Ethics
Act (“Ethics Act”), 65 Pa.C.S. § 1101 et seq., by the above-named Respondent. At the
commencement of its investigation, the Investigative Division served upon Respondent
written notice of the specific allegation(s). Upon completion of its investigation, the
Investigative Division issued and served upon Respondent a Findings Report identified as
an “Investigative Complaint.” An Answer was not filed and a hearing was deemed waived.
A Stipulation of Findings and a Consent Agreement were subsequently submitted by the
parties to the Commission for consideration. The Stipulated Findings are set forth as the
Findings in this Order. The Consent Agreement has been approved.
I. ALLEGATIONS:
That Robert L. Maley, a public official/public employee in his capacity as the Chief
Information Security Officer for the Office for Information Technology, Office of
Administration, violated Sections 1103(a) and 1105(b) of the State Ethics Act (Act 93 of
1998), 65 Pa.C.S. §§ 1103(a) and 1105(b), when he accepted gifts and payments for
expenses for transportation, lodging and/or hospitality from vendors he recommended
and/or approved for contracts with the Commonwealth; when he utilized Commonwealth of
Pennsylvania computers for his personal use; when he failed to file a Statement of
Financial Interests for the 2006, 2009 and 2010 calendar years; when he failed to disclose
on Statements of Financial Interests filed for the 2008 calendar year, name and address
and sources and amounts of payments for or reimbursement of expenses of transportation,
lodging and/or hospitality received in connection with his public position; when he failed to
disclose on Statements of Financial Interests filed for the 2007 and 2008 calendar years,
his office, directorship or employment in Susquehanna Digital Forensics, a company in
which he is listed as owner and when he failed to disclose creditors in excess of $6,500;
and when he failed to disclose his financial interest in Susquehanna Digital Forensics on
Statements of Financial Interests filed for the 2007 and 2008 calendar years; and when
after being terminated by the Commonwealth he received payments from a Commonwealth
vendor, that he in his public position had recommended to receive State contracts, to
promote that same vendor’s product(s).
Maley, 10-020
Page 2
II. FINDINGS:
1. Robert Maley was employed by the Commonwealth of Pennsylvania as the Chief
Information Security Officer (“CISO”) with the Office of Administration (“OA”) for the
Office of Information Technology (“OIT”) from November 2005 until March 8, 2010.
a. Maley was removed as the CISO effective the start of business on March 8,
2010.
b. When Maley was appointed as the CISO in November 2005, it was a newly
created position.
2. As the CISO, Maley’s duties included, but were not limited to:
a. Managing aspects of IT Security planning, policies and standards
creation/enforcement including the implementation of event monitoring to
ensure compliancy of acceptable use policies for all enterprise, domain,
network, applications and system administrators including contractors.
b. Developing Business Intelligence Security Reports with recommendations to
keep senior level managers informed.
c. Reviewing all draft standards and policies to make sure that all security
requirements are met.
d. Leading selected Enterprise Architecture Standards Committee work groups
as assigned by the Enterprise Architect and report recommendations.
e. Developing and documenting security standards, objectives, policies,
process and procedures, and roles and responsibilities to support the
enterprise infrastructure.
f. Establishing performance measurement standards and evaluating the
performance of subordinate employees.
g. Supervising staff and delegating/monitoring work assigned to subordinates.
h. Planning and managing project budgets.
3. As the CISO, Maley was responsible for setting the security strategies for the
Commonwealth of Pennsylvania.
a. The strategies included risk assessment, compliance, enforcing compliance,
security planning and governance, selecting product standards and
controlling risks.
4. Maley managed the information technology budget that included the integrated
enterprise system.
5. Maley participated in a process of OIT known as the Enterprise Information
Standard Selection Process.
a. Maley evaluated and scored vendors’ software packages.
b. The vendor whose software scored the highest would be identified as a
standard and it was to be used by other state agencies.
6. Maley, as the CISO, identified and recommended products and software from
vendors that would be used by the Commonwealth of Pennsylvania.
7. Purchases of computer software with estimated costs of less than $50,000 were
made based on Maley’s authorization and/or recommendation.
a. No formal selection process was utilized.
b. The Pennsylvania Procurement Code and the Master Information
Technology Services Invitation to Quality (“ITQ”) Contract authorized
purchases be made from this contract for items less than $50,000 without
seeking competitive bids.
8. During Maley’s tenure as the CISO, he developed close relationships with vendors
doing business with the Commonwealth of Pennsylvania.
a. Vendors Maley developed personal relationships with included Core Security
Technologies, BitArmor, McAfee, Inc. and Guidance Software, Inc.
b. Maley formed these relationships as a result of his public position as CISO,
which included meeting with vendors to review proposals and evaluate
products.
9. Maley authorized purchases from vendors he developed relationships with through
ASAP Software Express.
a. In or around 2003, the Commonwealth of Pennsylvania acting through the
Department of General Services entered into an agreement with ASAP
Software Express, Inc., part of Dell Marketing LP, for the procurement of
software and maintenance and other support services.
1. The agreement provided that all Commonwealth agencies as defined
by Section 103 of the Commonwealth Procurement Code could use
the agreement.
b. Commonwealth agencies issued purchase orders against the agreement and
it was ASAP’s responsibility to insure delivery of the product.
c. Change orders and updates were made to the agreement through June 30,
2010.
10. In or about 2003, the Commonwealth also established Enterprise Architecture,
which is responsible for developing information technology standards for the
Commonwealth.
a. Standards were developed through the Enterprise Information Standards
Selection Process (“EISSP”).
b. A committee consisting of officials/employees of OIT and officials from
various state agencies comprised the team that set standards.
c. This team evaluated and scored the software and hardware of vendors being
considered for information technology contracts with the Commonwealth.
1. Vendors’ products scoring the highest would be selected as the
standard that was to be used by other Commonwealth agencies when
purchasing hardware and software.
d. After a vendor is selected for having products set as standard by the EISSP,
the Department of General Services (“DGS”) would negotiate costs of
products for all state agencies.
11. Maley in his capacity as CISO participated in the EISSP.
a. Maley participated in the EISSP and was part of the team that established
Core Security Technologies as a standard.
12. Core Security Technologies is a Boston, Massachusetts, based company
specializing in software for security consulting and training regarding security
issues.
a. Core Security has been in business since about 1996.
b. Core Security markets software known as Core Impact that provides
continuous, on-demand automated security testing solutions.
c. The software can pinpoint exploitable web applications, networks, endpoints
and end users and offer solution[s] of where and how security attacks can
access most important information.
13. Maley first became acquainted with Core Security and [its] products while attending
a RSA Conference in San Jose, California, in or around 2006.
a. Maley attended the conference in his official capacity.
14. As part of the Commonwealth of Pennsylvania’s agreement with ASAP, Maley, as
the CISO, directed ASAP to make purchases of software from Core Security
Technologies.
a. The software Maley was purchasing from Core Security was Core Impact.
b. The purchases Maley authorized from Core Security were not competitively
bid.
1. Maley participated in actions as a member of EISSP, which
established Core Security as the standard.
15. Maley, as the CISO, first began purchasing Core Impact from Core Security on April
7, 2006.
a. Maley renewed Core Impact software annually through 2009.
16. Beginning in or about October 2008 while Maley was purchasing software from
Core Security for the Commonwealth, Core Security invited him to attend an all-
expense-paid conference.
a. Core Security officials invited Maley to appear at the conference and speak
on behalf of Core Security’s Core Impact software.
17. Between October 20, 2008, and November 6, 2008, Maley engaged in a series of
emails with Melissa England, Core Security Marketing Specialist, regarding Maley
appearing as a speaker on behalf of Core Security. The text of the emails reflects
the following:
a. October 20, 2008, 2:04 p.m. England to Maley:
Hello Bob,
I hope all is well. My colleague, Selena Proctor, mentioned that she spoke
with you at the CyberSec Conferences in PA last week. I understand you
saved a large amount of money using Core and had great things to say
about our product.
I’m currently working on submissions for the 2009 RSA Conference April 20-
24. I am putting together a Panel discussion for submission, War Stories –
Lessons Learned track. Of course if the submission is selected, Core would
pay for all expenses/travel in exchange for your singing our praises during a
panel discussion.
Please let me know when you get a chance.
Thanks,
Melissa
b. October 20, 2008, 2:48 p.m. Maley to England:
I would love to sit on a panel like that. I have tons of war stories.
c. October 27, 2008, 10:19 a.m. England to Maley:
Hi Bob,
I hope you had a great weekend. Could you send over a Bio no more than
800 characters that I could submit to RSA?
Much appreciated,
Melissa
d. October 27, 2008, 10:38 a.m. Maley to England:
No commentary. Biography of Maley sent as an attachment.
e. October 31, 2008, 4:31 p.m. England to Maley:
Hi Bob,
Happy Halloween! I’m looking into getting you some speaking opportunities
for 2009. I will be sending over your Bio and information relative to the
recent RSA Submission we did. However, I have been asked for a webcast
(or something comparable) in order for some to hear your speaking
capabilities. Not that they could be anything short of amazing.
If you have anything of that sort that I would be able to share, I would really
appreciate it.
Thanks again and talk to you soon.
Best Regards,
Melissa
f. November 4, 2008, at 11:42 a.m. England to Maley:
Hello again Bob,
I hope all is well. Sorry if it seems that I have been clogging your inbox
recently. We are tampering with the idea of becoming a Gold Sponsor at
CSO magazine’s Application Security Series in 2009. There are two
shows…one in NYC on 1/29 and another on 2/25 in San Francisco. Along
with the Gold Sponsorship, an Executive Briefing is given by a customer of
our choice. An abstract (similar to one we submitted for RSA) will be
advertised and featured in their agenda and CSOs will have the opportunity
to join in and listen to your story.
Our participation isn’t definite at this point, but I wanted to gauge your
interest of participation. Of course, the trip is all expenses paid on us.
Look forward to hearing from you,
Melissa
g. November 6, 2008, 3:39 p.m. Maley to England:
I actually did a keynote for the Virtual NAC Conference in April, but it’s no
longer online. Your PR folks set it up.
h. November 6, 2008, 4:12 p.m. Maley to England:
Found it. http://informationweek.veplatform.com/ You have to register, then
on demand content.
i. All of the above emails were either sent from or received at Maley’s
Commonwealth email address.
18. At the time in 2008 when Maley agreed to be a speaker on behalf of Core Security,
then Governor Edward Rendell imposed a ban on out-of-state travel for state
employees under the Governor’s jurisdiction.
a. Any out-of-state travel required the approval of the employee’s supervisors.
b. Maley’s supervisors included Brenda Orth, Deputy Secretary for OIT and
Tony Encinias, Chief Technology Officer.
19. In January 2009, Maley attended a Corporate Security Officer (“CSO”) Conference
in New York City.
a. All of Maley’s expenses were paid by Core Security.
b. Maley utilized vacation leave for his travel.
20. Expenses paid on Maley’s behalf by Core Security included the following:
Date        Item             Description            Amount
12/17/2008  Airfare          Continental Airlines   $579.00
1/30/2009   Lodging          Roosevelt Hotel        $274.29
1/28/2009   Taxi to Hotel    Expenses for Speaking  $60.00
1/28/2009   Tolls            Expenses for Speaking  $14.00
1/29/2009   Taxi to Airport  Expenses for Speaking  $90.00
                                                    $1,017.29
a. Maley’s expenses for airfare and hotel were charged to the corporate credit
card of Melissa England, Core Security Marketing Specialist.
21. Maley did not seek or obtain authorization from the Commonwealth to appear as a
speaker.
a. Maley did not discuss his attendance at the conference with either Encinias
or Orth, his immediate supervisors.
b. Maley spoke as the CISO regarding his office’s experiences with Core
Impact.
22. In April 2009, Core Security invoiced the Commonwealth for Core Impact software
in the amount of $25,935.00. The invoice directed to the attention of Bob Maley
included the following:
Date       Invoice #  Description                               Amount
4/20/2009  0409-1024  Core Impact 1 Machine License for 1 Year  $25,935.00
                      License dates 4/23/09 – 4/23/10
a. Purchase Order #914609 was prepared by the Commonwealth of
Pennsylvania on April 20, 2009, in the amount of $25,935.00.
b. Commonwealth check #1018422 was issued to Core Security on May 29,
2009, in the amount of $25,935.00.
23. In April 2009, at or about the time Core Security was billing the Commonwealth of
Pennsylvania for Core Impact based on the recommendation of Robert Maley, Core
Security also paid for Maley’s expenses to attend the RSA Conference in San
Francisco, California.
24. Maley never advised his superiors he was attending the conference or that his
expenses to attend the conference were being paid by a Commonwealth vendor.
a. Maley utilized annual leave to attend the Conference.
25. In preparation for the 2009 RSA Conference, Core Security issued a press release
identifying Maley as a presenter, which contained the following:
Boston, MA, April 13, 2009 --- Core Security Technologies, provider of the Core
Impact, Family of comprehensive enterprise security testing solutions, today
announced that customer Robert Maley, Chief Information Security Officer,
Commonwealth of Pennsylvania, will present at RSA 2009 on the topic of “Lessons
Learned: Defending Citizen Data: Proactively preventing Government breaches”
with David Stender, associate chief information security officer for cyber security,
CISO, Internal Revenue Service. Maley will also participate in a panel discussion
on “Lessons Learned: The Front Lines: Achieving Greater Cyber Security in the
states.” What: “Lessons Learned: Defending Citizen Data: Proactively Preventing
Government Breaches.”
a. Maley never requested any approval from OA to be a presenter on behalf of
Core Security or to attend the conference in his capacity as the CISO.
b. Maley used annual leave to attend this conference because it was not an
approved Commonwealth travel event.
26. Core Security paid the following expenses for Maley’s travel to appear as a speaker
at the 2009 RSA Conference:
Date       Description               Amount
4/03/2009  Airfare                   $358.40
4/21/2009  Extra Baggage fee         $15.00
4/21/2009  Extra Baggage fee         $15.00
4/22/2009  Cab Charges               $38.00
4/24/2009  Hotel fees - JW Marriott  $1,035.76
4/24/2009  Cab Charges               $14.00
4/24/2009  Cab Charges               $45.00
Total                                $1,521.16*
* [Cf., Fact Finding 70 b.]
a. Maley’s airfare was prepaid by Core Security via the corporate credit card of
Melissa England.
27. Core Security only paid for Maley’s expenses to attend the conference because he
was a customer and user of [its] product, Core Impact, and was promoting Core
Impact.
a. Maley was only able to comment about Core Impact because of his position
as the CISO for the Commonwealth of Pennsylvania.
28. In 2009 Core Security also paid expenses for Maley to attend a technical security
conference, the “Black Hat Technical Security Conference,” held in Las Vegas,
Nevada, from July 28, 2009, through July 31, 2009.
a. Maley’s expenses were paid by Core Security because he was speaking on
behalf of Core Impact software.
29. Maley engaged in a series of emails with Core Security employees from June 25,
2009, to July 13, 2009, regarding his attendance at the Black Hat Conference.
June 25, 2009, 3:56 p.m. Maley to Selena Proctor, cc: Mike Yaffe:
Window seats if available, aisle seats ok.
(Airline schedule attached.)
June 25, 2009, 4:27 p.m. Yaffe to Maley, Proctor:
Selena is all over this…
June 25, 2009, 4:29 p.m. Proctor to Maley and Yaffe:
Yep, I got it. You will get the confirmation shortly.
July 13, 2009, 2:23 p.m. Maley to Yaffe:
Do I get a hotel confirmation?
And, thought you might be interested in this:
http://mag1.olivesoftware.com/ActiveMagazine/welcome/SCM/007_ESET_SC_0709.asp
July 13, 2009, 2:27 p.m. Yaffe to Maley:
AAAHHHH!!!!
Fantastic!!!!!
;-)
As for confirmation, selena, got one…?
July 13, 2009, 2:30 p.m. Proctor to Maley and Yaffe:
Hello Bob,
Sure: Confirmation number: 3VRZF
Thanks,
Selena
July 13, 2009, 2:41 p.m. Maley to Proctor:
The reservation has an arrival time of 6 PM. I was going to get in there at 10:30 AM
so I can make the Core meeting. Can you make sure a room will be ready?
Bob
July 13, 2009, 2:42 p.m. Proctor to Maley:
Hey Bob,
Spoke to Caesars about that already They told me that you should have no
problem checking in at 10:30 AM & that there was a note in the system to have your
room ready. I will also call the day before to confirm.
Thanks,
Selena
July 13, 2009, 2:42 p.m. Maley to Proctor:
Outstanding!!!!! Thank you!
(All of the emails were either sent from or received at Maley’s Commonwealth email
address.)
30. The following expenses incurred by Maley to attend the “Black Hat Security
Conference” were paid for by Core Security as shown below:
Date       Description                          Amount
6/23/2009  Airfare/Delta Airlines               $595.90
7/28/2009  Taxi                                 $20.00
7/30/2009  Taxi                                 $10.00
7/30/2009  Lunch                                $2.95
7/31/2009  Lunch                                $8.04
7/31/2009  Dinner                               $4.51
7/31/2009  Baggage Fee                          $15.00
7/31/2009  Taxi                                 $20.00
7/31/2009  Transportation Home/Canceled Flight  $166.00
7/31/2009  Hotel - Caesars Palace               $592.80
Total                                           $1,435.20*
* [Cf., Fact Finding 70 b.]
a. Maley checked in to Caesars Palace on July 28, 2009, and checked out on
July 31, 2009.
1. A balance of $419.20 due at checkout included a deposit of $173.60
made by Core Security on July 28, 2009.
2. The total hotel bill was $592.80.
b. Maley emailed a listing of expenses to Melissa England at Core Security on
August 10, 2009.
c. Maley’s airfare was charged to the corporate credit card of Melissa England.
31. In or about September 2009, Core Security nominated Maley for the Information
Security Executive (“ISE”) of the Year Award.
a. An event to present the award was scheduled for October 27, 2009, in
Washington, D.C.
b. The event was held at the Gaylord National Resort.
c. Maley was the winner for the Government Category, Safeguarding Citizen
Data.
32. Maley’s expenses for attending the event were paid by Core Security.
33. On October 15, 2009, at 9:42 a.m. Selena Proctor, Core Security Marketing,
authored an email to Maley at his Commonwealth email address regarding Maley’s
travel and hotel arrangements.
a. Hey Bob,
I just spoke w/Mike about the ISE awards & he mentioned booking the hotel
for you. What nights are you staying in DC for?
b. The email was sent to Maley’s Commonwealth email address.
c. Maley responded on October 16, 2009, at 11:32 a.m. as follows:
You guys are coming in Tues AM and staying Tues night? Think I will do the
same.
34. Maley submitted his ISE expenses to Selena Proctor via his Commonwealth email
address on November 10, 2009.
a. In addition to hotel expenses, Maley noted that he drove 256 miles in
relation to the event.
35. Core Security paid the following expenses for Maley’s attendance at the ISE
Awards Dinner:
Date        Description                     Amount
10/27/2009  Resort Fee                      $15.90
10/27/2009  Valet parking                   $28.00
10/27/2009  Room Charge - Gaylord National  $279.00
10/27/2009  Tax                             $44.64
            Credit                          ($0.01)
Total                                       $367.53
a. Mileage was not included as part of this expense reimbursement.
b. Maley believes he utilized vacation leave to attend, however, Commonwealth
leave records are inconsistent with his assertion.
36. Maley never advised his supervisors at the Office of Administration that Core
Security nominated him for an award or that he would be traveling to Washington,
D.C. to accept the award.
37. In or about October 2009, Maley entered into a Mutual Non-Disclosure Agreement
with Core Security.
a. The NDA became an issue in October 2009 due to Maley’s scheduled
participation in a November 5, 2009, conference call with Core Security
when a new product would be discussed.
38. Maley’s lack of a NDA with Core Security was the subject of an October 15, 2009,
email from Kim Legelis, V.P. Marketing, Core Security to Maley:
Hi Bob,
It’s occurred to me that in all our work together, we don’t have an NDA on file.
Milan would like to give you a sneak-peek into the Enterprise product on the Nov 5
CAB call, but we need an NDA executed beforehand. I attached it for your
convenience. Could you sign it so we can have it on file?
Thanks.
39. Maley signed a Non-Disclosure Agreement (NDA) with Core Security on October
15, 2009.
a. The agreement was between Core Security and Robert Maley identified as
“Company” and/or the “Undersigned.”
b. The NDA also provided as follows:
In order for CORE and Company and/or Undersigned to evaluate or enter
into a contemplated business relationship, each party (a “Disclosure”) may
disclose to the other party (a “Recipient”) certain Confidential Information (as
defined below).
40. On October 30, 2009, Tony Encinias, Chief Technology Officer, became aware that
Maley had attended the ISE Awards Dinner on October 27, 2009.
a. Encinias was Maley’s immediate supervisor.
b. Encinias discussed Maley’s travel to accept the award with Brenda Orth.
41. Based on communications between Encinias and Brenda Orth, Encinias sent the
following email to Maley on October 30, 2009, 2:00 p.m. that provided as follows:
Bob,
No more conferences, speaking engagements, personal award submissions, etc.
until further notice.
Tony
42. Maley continued as a speaker at conferences on behalf of Core Security, ignoring
the directive from Encinias.
43. Maley attended the 2010 RSA Conference in San Francisco from February 28,
2010, through March 5, 2010.
a. Maley was invited to attend the conference by Core Security
officials/employees.
b. Maley was invited to speak at the conference on behalf of Core Security
products.
c. Maley utilized vacation leave from March 1st through and including March 5th,
in regards to his travel.
44. All of Maley’s travel plans were arranged by Core Security staff.
a. Maley and Core Security communicated via email between January 8, 2010,
and February 16, 2010, regarding reservations for airfare, hotel and
conference registration.
b. Maley’s expenses in regard to this event were to be paid by Core Security.
45. Emails regarding Maley’s travel plans document the following:
January 8, 2010, 4:30 p.m. Mike Yaffe to Selena Proctor, Alyssa Furnari:
Ladies,
Would you be able to make plane and hotel reservations at RSA for bob?
Mike
January 8, 2010, 4:31 p.m. Selena Proctor to Maley:
Hey Bob,
Hope you are well
What’s the date of your talk? Or, better yet, when do you want to fly in and out?
Thanks,
Selena
January 11, 2010, 10:12 a.m. Maley to Proctor:
Morning! You around for a phone call?
January 12, 2010, 2:11 p.m. Maley to Proctor:
You around this afternoon? I need your number.
January 13, 2010, 1:28 p.m. Maley to Proctor:
Subject: Requested flights
Flight schedules for 2/28/2010 flying from Harrisburg to San Francisco and
3/05/2010 return trip from San Francisco to Harrisburg attached.
January 14, 2010, 9:14 a.m. Proctor to Maley:
Ok I’ll see what I can do.
Hopefully we will have this all wrapped up next Tuesday.
January 20, 2010, 11:43 a.m. Maley to Proctor:
How are we doing on the travel?
January 20, 2010, 11:45 a.m. Proctor to Maley:
Hey Bob,
I do have an answer Most of our events will be on Wednesday, so your flights will
be perfect. I’ll book them now.
Thanks,
Selena
January 20, 2010, 11:56 a.m. Proctor to Maley:
Yep, Sunday – Friday
January 20, 2010, 12:22 p.m. Proctor to Maley:
Hey Bob,
Below is your conformation (sic) for flights
Let me know if you have any questions.
Thanks,
Selena
February 16, 2010, 10:38 a.m. Maley to Proctor:
Selena,
Do you have the hotel reservation confirmation yet?
Bob
February 16, 2010, 10:41 a.m. Proctor to Maley:
Sure do
Below.
Thanks,
Selena (Reservations for Westin San Francisco Market Street attached)
(All of the emails either emanated from or were sent to Maley’s Commonwealth
email address.)
46. In addition to making hotel and airfare reservations for Maley, Core Security made
and paid for conference reservation for Maley.
a. On February 11, 2010, 4:05 p.m. Proctor notified Maley by email that his
conference registration for 2010 SC Awards U.S. was made and the fee of
$395.00 was paid on his behalf.
47. On Saturday, February 27, 2010, less than twelve hours prior to departing for San
Francisco, Maley sent an email to Encinias stating that he would be taking vacation
during the upcoming week.
a. The email did not state that Maley was traveling to San Francisco to appear
as a speaker at a conference on behalf of Core Security.
48. Maley’s Saturday, February 27, 2010, at 7:51 p.m. email to Encinias included the
following:
Tony,
I will be on vacation this coming week.
Bob
49. Maley never sought Encinias’ approval nor did he advise him that he was traveling
to the RSA Conference in his capacity as the CISO.
50. Maley attended the 2010 RSA Conference in San Francisco from February 28,
2010, through March 5, 2010.
a. Maley was a speaker at the conference and was identified as the CISO from
the Commonwealth of Pennsylvania.
b. Maley promoted Core Impact to other potential customers for Core Security.
51. Core Security paid the following expenses for Maley’s attendance at the 2010 RSA
Conference:
a. Maley forwarded his expenses via email to Selena Proctor on March 11,
2010.
Date       Description                  Amount
2/28/2010  Hotel Expenses - Westin      $1,875.90
2/28/2010  Air Fare - United Air Lines  $340.80
3/2/2010   Registration - Conference    $395.00
2/28/2010  Cab Fare                     $45.00
3/1/2010   Dinner - Westin              $12.00
3/1/2010   Dinner - Westin              $12.00
3/2/2010   SC Awards - Westin           $11.00
3/2/2010   SC Awards - Westin           $11.00
3/3/2010   CSO Dinner - Westin          $16.00
3/3/2010   CSO Dinner - McAfee Party    $16.00
3/3/2010   McAfee Party - Westin        $5.00
3/4/2010   Lunch - Westin               $16.00
3/4/2010   Lunch - Moscone              $16.00
3/5/2010   Cab Fare                     $37.00
2/28/2010  Misc. food                   $3.66
3/2/2010   Misc. food                   $8.50
3/5/2010   Misc. food                   $3.66
3/5/2010   Hotel Internet/Room Service  $182.86
2/28/2010  Baggage fee                  $25.00
3/5/2010   Baggage fee                  $25.00
Total                                   $3,057.38
52. Core Security paid Maley’s expenses to attend the RSA Conference as a result of
Maley agreeing to speak at the conference about the benefits of using Core Impact.
53. At or about the time that Maley’s expenses were being paid by Core Security to
attend the RSA Conference, Maley was recommending and requesting that OA
purchase another Core Impact license for the Commonwealth of Pennsylvania.
a. Maley was involved with Mike Hurley, Customer Account Manager and Mike
Yaffe between February 10, 2010, and February 11, 2010, to arrange for the
purchase of an additional Core Impact license.
b. No individuals from OIT other than Maley requested that another license be
purchased from Core Security.
54. The following reflects the email exchanges between Maley and Hurley, which were
copied to Yaffe:
February 10, 2010, 12:13 p.m. Hurley to Maley:
Hi Bob,
Hope all is well.
While I haven’t had any luck getting a hold of you these past few months, I see you
have been updating version 10 which is great news. That said, I’m attaching a
renewal quote for your review. With your current license due to expire April 23rd,
this should give you plenty of time for any approvals and processing.
Also, I included a line item for advance onsite training. This is obviously optional
but a great way to ensure your team is taking full advantage of IMPACT’s full
functionality. When you get a chance, please let me know your intentions moving
forward.
Best Regards,
Mike
Michael J. Hurley
Customer Account Manager
February 11, 2010, 12:46 p.m. Maley to Hurley with cc to Yaffe:
Mike,
Can you get me a quote for a 2nd license of Core Impact?
February 11, 2010, 1:25 p.m. Hurley to Maley:
Bob,
That’s great news! As requested, please find attached a revised quote for a 2
machine license. Let me know if you have any questions. Otherwise, I’ll let Mr.
Yaffe handle any extracurricular activities.
Best Regards,
Mike
February 11, 2010, 1:26 p.m. Maley to Hurley with cc to Yaffe:
Mike,
We need the renewals to come through ASAP, as we did the original purchase.
Bob
55. Maley subsequently authorized the purchase from Core Security for (2) Core Impact
licenses and training.
56. Core Security invoiced the Commonwealth on or about March 3, 2010, for the order
placed by Maley.
a. Invoice # 0310-1004 dated March 3, 2010, identified the additional Core
Impact License shipped to the Commonwealth of Pennsylvania to the
attention of Bob Maley:
Description                                 Amount
Core Impact: 1 Machine License for 1 year
  License Dates: 4/23/10 - 4/23/11          $25,935.00
Core Impact: 1 Machine License for 1 year
  License Dates: 4/23/10 - 4/23/11          $20,748.00
Training Classes: Dates TBD                 $6,500.00
Total                                       $53,183.00
57. In or about March 6, 2010, Maley’s supervisors subsequently became aware of
Maley’s attendance at and participation in the 2010 RSA Conference.
a. Maley’s attendance at conferences without authorization and his
presentations on behalf of Core Security without review and approval by the
Chief Technology Officer and Chief of Staff for the Secretary of
Administration became the subject of review and disciplinary action by the
Commonwealth.
58. On March 8, 2010, Maley was officially notified by David Seitz, Director of Human
Resources for Naomi Wyatt, Secretary of Administration that Maley was being
removed from his position as CISO.
a. Maley’s dismissal was based in part on his use of leave in violation of
established Commonwealth procedures.
59. After Maley was terminated as the CISO on March 8, 2010, OIT did not complete
the purchase from Core Security to Invoice # 0310-1004.
a. OIT Officials believed it was unnecessary to purchase a second license from
Core Security.
(The following findings relate to Maley’s receipt of payments from Core Security for
appearing on behalf of Core Security at conferences following his termination from
Commonwealth employment.)
60. After Maley was terminated from his position as CISO for the Commonwealth of
Pennsylvania, he was paid by Core Security to be a speaker on [its] behalf at
technology conferences.
a. The payments were in addition to travel expenses and meals.
61. Maley was paid as a speaker by Core Security to promote Core Impact based on
his use of the product as the CISO for the Commonwealth of Pennsylvania.
a. Maley’s knowledge and experience with Core Impact was solely through his
position as CISO for the Commonwealth of Pennsylvania.
62. Maley received payments totaling $5,000 for speaking at conferences on behalf of
Core Security and Core Impact.
a. Maley appeared at conferences in April 2010, approximately one month after
his termination as CISO, and again in June 2010.
1. Maley spoke at the CSO Perspectives Conference in Santa Clara,
California, from April 5, 2010, to April 7, 2010.
63. Maley was first solicited by a Core Security marketing manager to speak at the April
5-7, 2010, CSO Perspectives Conference while he was still employed as CISO.
a. Selena Proctor, Core Security Marketing Programs Manager, forwarded an
email to Maley on February 22, 2010, at 3:43 p.m., which provided as
follows:
Hey Bob,
Hope you are gearing up for next week’s trip
?
I have another event coming up in California that we would love to have you
speak at if you are available. The event is the CSO Perspectives event (you
attended last year), but this year it is in Santa Clara, CA. We have the
opportunity to have an executive on a panel discussion. This panel would
be Wednesday, April 7th at 9:15 AM. We also have a half hour speaking slot
on Tuesday afternoon at 2:45 PM.
Here is a link to the event.
http://www.csoperspectives.com/ehome/index.php?eventid=8109&discountcode=website
As always, I’d be happy to cover your event costs for your travel and stay.
Would you like to attend & speak?
Thanks,
Selena Proctor
Marketing Programs Manager
Core Security Technologies
41 Farnsworth St.
Boston, MA 02210
b. Ten days prior to this solicitation, Maley, as CISO, solicited a quote from
Core Security for a second Core Impact license.
c. Proctor sent a second email to Maley on February 23, 2010, at 4:21 p.m.
regarding the CSO event:
Hey Bob,
Below is a reminder/details about the awards dinner.
Also, regarding my earlier email about the CSO event, Mike can answer any
questions you have about it next week in San Fran.
Hope you have a good trip.
Thanks,
Selena
64. The CSO conference agenda identified Maley as CISO (former) Commonwealth of
Pennsylvania.
a. Maley’s topic was Changing the Culture of Application Security.
b. It was noted in the agenda that Maley was sponsored by Core Security
Technologies.
65. Maley’s presentation focused on the following:
Commonwealth of PA Profile – Key aspects and facts
Office for Information Security role
Commonwealth’s responsibilities
The Past state in the Enterprise
Outline of problems we had to tackle
Project description
Project goals
Key components of the Project
How we solved the problems
Challenges we faced
Project Results – Qualitative/Quantitative
Lessons learned
Recap
66. Examples used in Maley’s presentation were security breaches in the Departments
of Labor and Industry, Veterans’ Affairs and Transportation.
a. Maley had access to security breaches in his capacity as CISO for the
Commonwealth.
1. Commonwealth officials did not want the potential security breaches
known publicly.
b. The examples cited in Maley’s presentation were not available to the public.
c. Maley’s topic concluded, in part, the need for penetration testing and a
robust software security program.
1. Core Security markets penetration testing through Core Impact
software.
67. Maley submitted an invoice via email to Core Security for his presentation at the
April 5-7, 2010, CSO conference:
Invoice Date Invoice Number Amount
April 9, 2010 1000 $2,500
a. Maley also submitted expenses totaling $147.20 to Mike Yaffe of Core
Security via email on April 9, 2010.
1. Other expenses for hotel and airfare charged to Yaffe’s corporate
credit card totaled $1,361.76.
68. Maley also appeared as a speaker on behalf of Core Security at the Gartner
Security Risk Management Summit 2010 held in Washington, D.C. from June 21,
2010, to June 23, 2010.
a. Maley served on a panel discussing penetration testing.
1. Maley spoke on his experiences as the CISO for the Commonwealth
and used examples of security breaches in state agencies.
b. Maley spoke on the same subjects as he did at the April 2010 conference.
69. On June 24, 2010, Maley invoiced Core Security in the amount of $2,500 for his
appearance at the Washington, D.C. summit on behalf of Core Security.
a. In addition, Maley had expenses totaling $1,707.99 for his airfare and hotel
that were charged to Yaffe’s corporate credit card.
70. Maley received expense payments from Core Security totaling $7,481.52 in 2009
and 2010 for his appearances as CISO at conferences to promote Core Security
products.
a. Maley received these payments at or about times he recommended or
authorized purchases by the Commonwealth of Core Security products.
b. Expense payments made to or on behalf of Maley by Core Security:
2009 CSO Conference – New York City $1,017.29
2009 RSA Conference – San Francisco $1,512.16
2009 Black Hat Conference – Las Vegas $1,527.16
2009 ISE Awards – Washington, D.C. $367.53
2010 CSO Conference* – San Francisco $3,057.38
Total $7,481.52
* [sic]. [This relates to the 2010 RSA Conference in San Francisco (Fact Findings
43-52).]
71. Maley also received two payments totaling $5,000 from Core Security between April
and June 2010 to appear as a speaker on behalf of Core Security.
a. Maley received these payments based on his use of Core Impact software in
his capacity as CISO for the Commonwealth.
72. Total payments made to or on behalf of Maley by Core Security were $12,481.52.
73. Payments made by Core Security to Robert Maley for expenses and speaking
engagements totaling $7,960.30 were deposited into Maley’s checking account at
the PA State Employees Credit Union as indicated below:
Date of Check Check Number Amount Reason for Payment
3/10/2009 1587 $ 164.00 Expenses
5/04/2009 1758 $1,162.76 Expenses
8/18/2009 2086 $ 665.50 Expenses
11/13/2009 2378 $ 367.53 Expenses
3/17/2010 2986 $ 453.31 Expenses
4/20/2010 2770 $2,647.20 Compensation & Expenses
7/06/2010 2962 $2,500.00 Compensation
Total $7,960.30
(The following findings relate to Maley’s receipt of gifts from Commonwealth vendor
BitArmor.)
74. On or around August 2007, Maley became acquainted with and established contact
with Commonwealth vendor BitArmor Systems, Inc.
75. BitArmor was based out of Pittsburgh, Pennsylvania, and sold Data Security
Software.
a. BitArmor operated from 2003 until 2010, but was bought out by Chicago-
based software vendor, Trustwave.
76. Based on the recommendation of Maley, the Bureau of Information Technology for
the Pennsylvania State Police (“PSP”) entered into a contract with BitArmor on
March 27, 2009.
a. PSP purchased software from BitArmor to be used for Microsoft Word in
order to prevent file encryption.
77. The software the PSP purchased from BitArmor included the following:
Part # Quantity Description Unit Price Amount
2504787 250 PA Control Agent End Point License $70.56 $17,640.00
2504791 250 PA Control Server Client Access License $44.10 $11,025.00
2504792 250 PA disk Encryption Add on License $8.82 $2,205.00
2504793 1 PA BitArmor Data Control Maint & Support 1 Year $2,041.34 $2,041.34
Total $32,911.34
a. The contract between PSP and BitArmor was signed by Michael C. Shevlin,
Chief Information Officer, Bureau of Information for the Pennsylvania State
Police and J. Patrick McGregor, Chief Executive Officer, BitArmor Systems,
Inc.
78. Approximately three weeks after the contract between BitArmor and the PSP, Maley
received tickets from BitArmor to attend a major league baseball game in San
Francisco.
a. Maley was to be in San Francisco attending the 2009 RSA Conference at
that time.
79. Missy Palma, Executive Assistant to J. Patrick McGregor, sent the following email to
Maley on April 17, 2009, at 4:43 p.m. regarding the baseball game:
Hi Bob,
I am Patrick’s executive assistant and he asked that I contact you regarding the
Giants/Padres game next Tuesday the 21st. The game starts at 7:15 PM so Patrick
was thinking you could meet at 6:45 pm outside of the main gate (which is hopefully
obvious). Please let me know if this works for you. Patrick’s cell phone is xxx-xxx-
xxxx in case you should need to get hold of him while in San Francisco. Can you
please send me your mobile number as well?
Thank you,
Missy Palma
Executive Assistant
BitArmor
The email was sent to Maley’s Commonwealth email address.
80. Maley responded by email using his Commonwealth address on April 20, 2009, at
2:49 p.m. as follows:
Sounds like a Plan. My cell is xxx-xxx-xxxx.
81. McGregor purchased a total of six (6) tickets through StubHub on April 14, 2009, for
the baseball game on April 21, 2009, at 7:15 p.m. between the San Diego Padres
vs. San Francisco Giants at AT & T Park in San Francisco, California.
a. The cost of each ticket was $49.99 and with taxes the total amount was
$334.90.
82. Maley attended the game as a guest of McGregor.
a. Of the six tickets used, Maley was the only individual who attended the game
who was not an employee of BitArmor.
b. Maley did not pay for the ticket.
83. McGregor bought the ticket for Maley as a way of networking and doing business in
an effort to generate additional contracts from the Commonwealth of Pennsylvania.
(The following findings relate to Maley’s receipt of transportation, lodging and
hospitality from Commonwealth vendor McAfee, Inc.)
84. McAfee, Inc. is a vendor of the Commonwealth specializing in anti-virus software.
a. McAfee has been providing anti-virus software to the Commonwealth of
Pennsylvania since prior to 2009.
85. In or around the early part of 2009, Maley as the CISO began negotiating a new
contract with Chris Gomolak of McAfee.
a. Gomolak was an Account Manager for McAfee.
86. Maley was the only Commonwealth official Gomolak dealt with in negotiations for
potential contracts with the Commonwealth.
87. On March 27, 2009, Maley attended a business meal at Damon’s Grill in Harrisburg
hosted by Gomolak.
a. Those present included Maley, Gomolak, Mark Rutledge, CEO for McAfee,
and Dave Marcus, a technician for McAfee.
1. The total cost of the meal was $60.65.
b. The dinner discussion focused on desktop security software that McAfee
could provide to the Commonwealth of Pennsylvania.
88. On May 18, 2009, a Master License and Services Agreement was entered into
between McAfee, Inc. and the Commonwealth of Pennsylvania through OA.
a. The Agreement was signed by Mike Carpenter, Senior Vice-President for
McAfee, on May 20, 2009, and Naomi Wyatt, Secretary of Administration, on
May 26, 2009.
b. The points of contact listed on the Agreement included Robert Maley for the
Commonwealth of Pennsylvania and Mark Hauptman and Dave Ackley from
McAfee.
c. The services to be rendered included the deployment assistance of the
McAfee Host Intrusion Prevention (“HIPS”) Service for up to five thousand
(5,000) Server Host IPS Agents in Prevention Mode Readiness and up to
five hundred (500) Workstations Host IPS Agents in Protection Mode as time
permits.
d. The compensation to be paid to McAfee by the Commonwealth of
Pennsylvania included agreeing to purchase 10 Stock Keeping Unit (“SKU”)
and acceptance of a Scope of Work (“SOW”).
1. Within six (6) months after McAfee’s receipt of the Commonwealth of
Pennsylvania signed version of the SOW, McAfee and the
Commonwealth of Pennsylvania must mutually agree to a start date
for the commencement of services.
e. Maley participated in discussions regarding the agreement.
89. While Maley and Gomolak were discussing the SOW McAfee was going to perform
for the Commonwealth of Pennsylvania, Gomolak offered to purchase playoff
baseball tickets for Maley.
a. While involved in negotiations with Maley, Gomolak became aware that
Maley was a baseball fan.
1. Gomolak was going to purchase tickets to the Philadelphia Phillies
and Los Angeles Dodgers playoff games scheduled in Philadelphia
for October 2009.
90. Prior to buying the tickets, Gomolak inquired of Maley if he was permitted to accept
the ticket while they were in negotiations for a state contract.
a. Maley informed Gomolak that it was not a problem and that Maley could
accept the tickets.
91. Maley never advised his supervisors at OIT that he had been offered tickets by
Gomolak.
92. On Monday, October 19, 2009, at 12:45 a.m. Maley sent the following email to his
boss, Tony Encinias, and copied Erik Avakian (his assistant). The subject matter of
the email was Vacation Day:
Tony,
An old friend got tickets to the playoff game in Philly Monday night, and invited me
and my son. We want to head down early and enjoy the atmosphere, so I would like
to take a vacation day today.
No meetings are scheduled.
Bob
a. Maley never advised Encinias that the old friend was Chris Gomolak,
Account Manager McAfee, with whom Maley was negotiating a state
contract.
93. The following email exchanges were made between Maley and Gomolak leading up
to the game:
From: Maley, Robert
To: Gomolak, Chris
Sent: Fri Oct 16, 2009, 10:19 a.m.
2 seats, right?
From: Gomolak, Chris
To: Maley, Robert
Sent: Fri Oct 16 09:25:15 2009
Yes two seats. Assuming you are bringing your son?
From: Maley, Robert
To: Gomolak, Chris
Sent: Mon Oct 19, 2009, 2:00 p.m.
Just checking in to make sure everything is still a go!
From: Gomolak, Chris
To: Maley, Robert
Sent: Mon Oct 19 13:04:42 2009
Yes! We are on. Happy to see the Sun out there.
Have tickets. See you shortly
Chris
94. Gomolak purchased the baseball tickets for Maley and his son from Jamin
International Sports Marketing located in Rockaway Beach, New York.
95. The following information was reflected on the invoice for the tickets Gomolak
purchased for Maley:
Date Description Ordered Unit Price Extended Price
10/15/09 Phillies vs. Dodgers 2 $380.00 $760.00
10/19/09 NLCS 132 Row 17
96. On October 20, 2009, the day after the baseball game, Maley sent Gomolak an
email containing the following:
From: Maley, Robert
To: Gomolak, Chris
Sent: Tues Oct 20 12:25:55 2009
Great picture! It was a great game. Thanks again for taking us. My son said he will
never forget the experience. I hope your trip home was good.
97. Gomolak filed Expense Report ER283731 on December 21, 2009, to McAfee
related to his sales activities on 10/19/09, which included the cost of tickets
purchased on behalf of Maley.
a. The expense report listed an amount of $760.00 and the description of
expenses was entertainment expense.
b. The attendees listed included Robert Maley, Chief Security Officer,
Commonwealth of PA and Chris Gomolak, AM, McAfee.
c. In the comments section of the report justifying the expenses, Gomolak
noted that Robert Maley and Commonwealth of PA represent largest
customer in Territory.
98. On December 1, 2009, Maley was a guest of Gomolak for a lunch at Damon’s Grill,
Harrisburg, PA.
a. Also in attendance were Brian Gumbel and Jose Martinez of McAfee.
b. The total cost of the meal was $55.23.
99. As a result of the negotiations between Maley and officials from McAfee, Purchase
Order 4300214068 was approved on March 15, 2010, authorizing the purchase of
software from McAfee totaling $1,962,293.00.
100. During the time period in 2009 that he was participating as CISO in discussions and
negotiations resulting in the Commonwealth entering into a contract with McAfee,
Maley received baseball tickets for himself and his son valued at $760.00.
(The following findings relate to Maley’s receipt of transportation, lodging and
hospitality from Guidance Software, Inc.)
101. Guidance Software, Inc. is a computer software company with headquarters in
Pasadena, California, that is recognized as a leader in E-discovery and EnCase
technology.
102. In his capacity as the CISO, Maley had meetings and discussions regarding
contracts with Guidance Software representatives.
a. Maley asserts that EISSP held ultimate authority over product selection and
approval.
103. On April 25, 2007, Maley submitted a Chief Information Officer (“CIO”)/Chief
Technology Officer (“CTO”) Procurement Form to the Department of General
Services to obtain EnCase software.
a. The procurement form was needed to secure the software pursuant to a
Department of General Services contract.
104. Maley’s justification for the purchase was outlined in the procurement form as
follows:
This request involves purchasing an enterprise incident response suite, EnCase
Enterprise, to provide automated incident response capabilities to agencies under
the Governor’s jurisdiction. This suite will be used to carry out the technical part of
incident response needed to identify and mitigate damage and risk incurred during
actual breaches of security. The business value includes being able to rapidly
respond to incidents as soon as they occur to quickly qualify, contain, remediate the
incident without taking systems down nor disrupting end users. In addition, all work
performed during the technical response can be seamlessly handed off to law
enforcement and/or used to present admissible evidentiary findings in legal
proceedings when necessary.
a. The procurement dollar value for the software Maley was requesting was
$1,073,304.00.
b. Maley identified the date the item was needed as 12/31/07.
105. As a result of the procurement request made by Maley, a Software License and
Service Agreement was made between Guidance Software and the Commonwealth
of Pennsylvania on December 31, 2007.
a. The licensed software that was purchased was EnCase Enterprise products.
106. The descriptions of the services the Commonwealth of Pennsylvania purchased
from Guidance Software included the following:
Description of Services Amount
License Fees Payment Amount $687,080.00
Software Maintenance Service (3 Years) $329,798.40
Implementation $45,000.00
Total $1,061,878.40
107. Maley authorized additional EnCase Software purchases from Guidance Software
for the Commonwealth of Pennsylvania on September 4 and 8, 2008.
a. September 4, 2008
Products Amount
EnCase Data Audit & Policy $124,496.00
Enforcement (5,000 – 9,999 Nodes)
(2 Examiners, 14 Concurrent Connections,
2 Pro Suites)
License Term – Perpetual
Perpetual License – Standard
Three (3) Years Maintenance Agreement $ 59,758.08
Training – 2 – EnCase Enterprise Phase II 4-Day $ 4,996.00
Total $189,250.08
b. September 8, 2008
Products Amount
EnCase Bit 9 Analyzer Perpetual $65,000.00
License Term – Perpetual
Maintenance Agreement Three (3) Years $31,488.00
Total $96,488.00
108. In or about the time that Maley was participating in decisions to purchase software
from Guidance Software, he was asked to be a speaker at Guidance Software’s
annual conference identified as the Computer Enterprise and Investigations
Conference (“CEIC”).
a. The CEIC is held on an annual basis, and Guidance Software is the major
sponsor of the conference.
b. Guidance Software requests that users of its product participate at the CEIC
and speak of the benefits of using EnCase Software.
109. On September 26, 2008, at 5:35 p.m., Maley received an email from Kimberly
Peterson, Event Manager for Guidance Software, confirming Maley’s appearance
as a speaker on behalf of EnCase at the CEIC Conference:
Bob,
We are excited to have you join CEIC as a speaker. I will be working with you to
coordinate your travel, speaking arrangements and conference pass. If at any time
you have questions regarding CEIC, please don’t hesitate to ask me.
For your reference, the link to the conference website is: www.ceicconference.com
We are currently in the process of putting together the agenda for CEIC2009. Do
you have a presentation topic in mind? Larry mentioned the project which resulted
in your nomination for the NASCIO award. Our attendees continually let us know
that they prefer actual studies and real life incidents, and your subject would be a
perfect fit. If you prefer, we can provide some additional speaking topics. For
examples of last year’s sessions please visit:
http://www.ceicconference.com/agenda.aspx
Also, I will arrange for your hotel stay and airfare. I have been authorized to cover
2 nights stay and airfare up to $500. Do you know your travel schedule at this time?
If not, I will set up a reminder in my calendar to reach out to you in a few months to
confirm travel dates.
I look forward to working with you.
110. Maley attended the 2009 CEIC held in Orlando, Florida, from May 17, 2009,
through May 19, 2009.
a. Maley’s expenses to attend the conference were paid by Guidance Software.
111. The following expenses incurred by Maley at the 2009 CEIC totaling $1,663.20
were paid by Guidance Software:
Date Description of Expense Amount
5/17/2009 Air Fare – Air Tran Airways $181.20
5/19/2009 Hotel – Royal Pacific Resort $459.00
5/17/2009 VIP Pass CEIC $128.00
5/17/2009 Admissions/Full Price $895.00
Total $1,663.20
112. Guidance Software agreed to pay Maley’s expenses for the CEIC Conference
because he was appearing as a speaker to promote software products of Guidance
to other potential customers.
a. Maley asserts that the CEIC Conference’s focus was to educate Guidance
Software customers, and not to promote Guidance Software products.
113. Maley never obtained approval and never advised his supervisors of his attendance
at the CEIC Conference to speak on behalf of the EnCase software.
(The following findings relate to the allegation that Maley utilized Commonwealth
computers for his personal benefit.)
114. As a Commonwealth employee, Maley was subject to Commonwealth policies and
procedures regarding internet and email user agreements.
115. Maley signed a standard Commonwealth internet/email user agreement included
with Management Directive 205.34 on November 30, 2005.
a. The general terms of this directive state that any electronic communications
on Commonwealth Internet/Email systems may be tracked, monitored, and
read by all authorized Commonwealth staff and that there is no expectation
of privacy in any Internet/Email Commonwealth systems. Any such
communications are the property of the Commonwealth and are to be used
for carrying out Commonwealth business activities.
b. By executing the user agreement, Maley agreed to the security policies of
the Commonwealth and its agencies, and to the nondiscrimination policies of
the Commonwealth.
116. Maley, in his capacity as the CISO, was assigned a Commonwealth desktop and
laptop computer for official business.
a. Maley did not share use of these computers with other employees.
117. During his tenure as CISO from November 2005 until March 2010, Maley used his
Commonwealth-assigned computers for other than official Commonwealth business.
118. The State Ethics Commission conducted a forensic examination on the hard drives
removed from the computers issued to Maley.
a. The forensic examination revealed that Maley utilized the computers for
purposes which did not relate to his duties as the CISO.
b. Internet artifacts found in the cache folders of the Internet Explorer and
Firefox web browsers found that Maley was using his work computer to surf
the web for non-Commonwealth purposes.
119. Maley saved a job resume on his computer and occasionally used the state email
system to send out his resume for potential job offers.
a. On January 12, 2010, at 1:50 p.m. Maley used his state email address to
send his resume for a position as Vice-President of Information Security in
San Francisco.
b. On March 3, 2010, at 12:56 a.m. Maley sent his resume to Liesyl Franz of
techamerica.org.
120. Between September 2009 and February 2010 Maley utilized his Commonwealth
computer to occupy no less than 71.21 hours of his stated work hours for non-
Commonwealth related purposes.
a. Total wages paid to Maley during the relevant time period were $3,303.43
(71.21 hours @ $46.39/hr.).
The following findings relate to Allegations that Maley failed to file Statements of
Financial Interests (SFI) for Calendar Years 2006, 2009 and 2010; when he failed to
disclose on his SFI for the 2008 calendar year, name and address and sources and
amounts of payments for or reimbursement of expenses of transportation, lodging
and/or hospitality received in connection with his public position; when he failed to
disclose on SFI filed for the 2007 and 2008 calendar years, his office, directorship or
employment in Susquehanna Digital Forensics, a company in which he is listed as
owner; and when he failed to disclose his financial interest in Susquehanna Digital
Forensics on his SFI filed for the 2007 and 2008 calendar years; and when he failed
to disclose creditors in excess of $6,500 on his SFI for calendar years 2007 and
2008.
121. Maley in his official capacity as the Chief Information Security Officer (“CISO”) for
the Office of Information Technology (“OIT”), Office of Administration (“OA”), was
annually required to file a Statement of Financial Interests (“SFI”) form by May 1st
containing information for the prior calendar year.
122. Maley was required to file SFI for calendar years 2006, 2007, 2008, 2009 and 2010
in his official capacity as the CISO.
123. Maley was annually provided with blank SFI forms to complete by OA’s Human
Resources Department.
a. Filing reminders were transmitted to employees through the
Commonwealth’s email system.
124. After Maley left employment with the Commonwealth of Pennsylvania on March 8,
2010, he was notified by US mail on April 11, 2011, of his requirement to file by May
1, 2011, for the 2010 calendar year.
125. Maley failed to file SFIs for calendar years 2006, 2009 and 2010, even after being
reminded to do so.
126. Maley filed SFIs for calendar years 2007 and 2008 with OA’s Human Resources
Department with the following disclosures:
a. Calendar Year: 2007
Filed: 5/12/08 on SEC-1 REV 01/08
Public Position: Chief Information Security Officer
Chairman
Political Subdivision: Executive Offices
Susquehanna Township Recreation
Occupation: CISO
Creditors: PSECU
Direct or Indirect Sources of Income: Executive Offices, Harrisburg, PA
Gifts: None
Transportation, Lodging, Hospitality: None
Office, Directorship or Employment In Any Business: None
Financial Interest in Any Legal Entity In Business For Profit: None
b. Calendar Year: 2008
Filed: 2/24/09 on SEC-1 REV 01/09
Public Position: Chief Information Security Officer
Chairman
Political Subdivision: Executive Offices
Susquehanna Township Recreation
Occupation: CISO
Creditors: PSECU
Direct or Indirect Sources of Income: Executive Offices, Harrisburg, PA
Gifts: None
Transportation, Lodging, Hospitality: None
Office, Directorship or Employment In Any Business: None
127. Susquehanna Digital Forensics is a computer consulting company established by
Maley in or about 2004.
a. The website established for the company is
www.susquehannadigitalforensics.com.
b. The website cites the following mission:
Provide clients with the critical tools to discover the extent of security
breaches, diagnose and stop further potential damage, and to avoid legal
penalties and exposure.
c. The company is not incorporated in the Commonwealth of Pennsylvania.
d. Although Susquehanna Digital Forensics maintains an active website, Maley
asserts that he discontinued business efforts in 2005 after being hired by the
Commonwealth.
128. Maley’s SFI for the 2007 and 2008 calendar years did not disclose his ownership
and financial interest in the business Susquehanna Digital Forensics.
a. The business was registered to Maley’s home address.
129. Maley’s SFI for the 2007 and 2008 calendar years did not disclose creditors in
excess of $6,500.00.
a. In both 2007 and 2008 Maley’s creditors in excess of $6,500 were Chase
Bank and MBNA credit card.
130. Maley did not disclose on SFIs for 2007 or 2008 the receipt of transportation,
lodging or hospitality.
131. Maley realized a private pecuniary benefit when he accepted gifts and
transportation, lodging and/or hospitality from vendors he was recommending
and/or approved contracts with the Commonwealth and when he utilized
Commonwealth of Pennsylvania computers for non-Commonwealth purposes.
III.DISCUSSION:
As the Chief Information Security Officer (“CISO”) for the Office for Information
Technology (“OIT”) within the Commonwealth of Pennsylvania’s Office of Administration
(“OA”) from November 2005 until March 8, 2010, Respondent Robert L. Maley, hereinafter
also referred to as “Respondent,” “Respondent Maley,” and “Maley,” was a public
employee subject to the provisions of the Public Official and Employee Ethics Act (“Ethics
Act”), 65 Pa.C.S. § 1101 et seq.
The allegations are that Maley violated Sections 1103(a) and 1105(b) of the Ethics
Act: (1) when he accepted gifts and payments for expenses for transportation, lodging
and/or hospitality from vendors he recommended and/or approved for contracts with the
Commonwealth; (2) when he utilized Commonwealth of Pennsylvania computers for his
personal use; (3) when he failed to file Statements of Financial Interests (“SFIs”) for the
2006, 2009 and 2010 calendar years; (4) when he failed to disclose on SFIs filed for the
2008 calendar year, the names and addresses of sources and amounts of payments for or
reimbursement of expenses of transportation, lodging and/or hospitality received in
connection with his public position; (5) when he failed to disclose on SFIs filed for the 2007
and 2008 calendar years his office, directorship or employment in Susquehanna Digital
Forensics, a company in which he is listed as owner, and when he failed to disclose
creditors in excess of $6,500; (6) when he failed to disclose his financial interest in
Susquehanna Digital Forensics on SFIs filed for the 2007 and 2008 calendar years; and
(7) when, after being terminated by the Commonwealth, he received payments from a
Commonwealth vendor that he, in his public position, had recommended to receive State
contracts, to promote that same vendor’s product(s).
Pursuant to Section 1103(a) of the Ethics Act, a public official/public employee is
prohibited from engaging in conduct that constitutes a conflict of interest:
§ 1103. Restricted activities
(a) Conflict of interest.—No public official or public
employee shall engage in conduct that constitutes a conflict of
interest.
65 Pa.C.S. § 1103(a).
The term "conflict" or "conflict of interest" is defined in the Ethics Act as follows:
§ 1102. Definitions
"Conflict" or "conflict of interest."
Use by a public official or public employee of the authority of his office or
employment or any confidential information received through
his holding public office or employment for the private
pecuniary benefit of himself, a member of his immediate family
or a business with which he or a member of his immediate
family is associated. The term does not include an action
having a de minimis economic impact or which affects to the
same degree a class consisting of the general public or a
subclass consisting of an industry, occupation or other group
which includes the public official or public employee, a
member of his immediate family or a business with which he or
a member of his immediate family is associated.
65 Pa.C.S. § 1102.
Section 1103(a) of the Ethics Act prohibits a public official/public employee from
using the authority of public office/employment or confidential information received by
holding such a public position for the private pecuniary benefit of the public official/public
employee himself, any member of his immediate family, or a business with which he or a
member of his immediate family is associated.
Section 1105(b) of the Ethics Act and its subsections detail the financial disclosure
that a person required to file the Statement of Financial Interests form must provide.
Subject to certain statutory exceptions not applicable to this matter, Section
1105(b)(4) of the Ethics Act requires the filer to disclose on the SFI the name and address
of each creditor to whom is owed in excess of $6,500 and the interest rate thereon.
Subject to certain statutory exceptions not applicable to this matter, Section
1105(b)(7) of the Ethics Act requires the filer to disclose on the SFI the name and address
of the source and the amount of any payment for or reimbursement of actual expenses for
transportation and lodging or hospitality received in connection with public office or
employment where such actual expenses exceed $650 in an aggregate amount per year.
Section 1105(b)(8) of the Ethics Act requires the filer to disclose on the SFI any
office, directorship or employment in any business entity.
Section 1105(b)(9) of the Ethics Act requires the filer to disclose on the SFI any
financial interest in any legal entity engaged in business for profit. The term “financial
interest” is defined in the Ethics Act as “[a]ny financial interest in a legal entity engaged in
business for profit which comprises more than 5% of the equity of the business or more
than 5% of the assets of the economic interest in indebtedness.” 65 Pa.C.S. § 1102.
As noted above, the parties have submitted a Consent Agreement and Stipulation of
Findings. The parties' Stipulated Findings are set forth above as the Findings of this
Commission. We shall now summarize the relevant facts as contained therein.
Background:
In or around 2003, the Commonwealth of Pennsylvania through the Department of
General Services (“DGS”) entered into an agreement with ASAP Software Express, Inc.
(“ASAP”) for the procurement of software and maintenance and other support services.
In or about 2003, the Commonwealth also established “Enterprise Architecture” for
developing information technology standards for the Commonwealth. Standards were
developed through the Enterprise Information Standards Selection Process (“EISSP”). A
committee consisting of officials/employees of OIT and officials from various state
agencies comprised the team that set standards. This team evaluated and scored the
software and hardware of vendors being considered for information technology contracts
with the Commonwealth. Vendors’ products scoring the highest would be selected as the
standard to be used by other Commonwealth agencies when purchasing hardware and
software. DGS would then negotiate costs of products for all state agencies.
Respondent Maley was employed as the CISO for the OIT from November 2005
until March 8, 2010. Maley was removed as the CISO effective the start of business on
March 8, 2010.
As the CISO, Maley was responsible for setting the security strategies for the
Commonwealth of Pennsylvania. The strategies included risk assessment, compliance,
enforcing compliance, security planning and governance, selecting product standards and
controlling risks. Maley managed the information technology budget that included the
integrated enterprise system. Maley participated in the EISSP and evaluated and scored
vendors’ software packages. Maley identified and recommended products and software
from vendors that would be used by the Commonwealth of Pennsylvania. Purchases of
computer software with estimated costs of less than $50,000 were made based on Maley’s
authorization and/or recommendation.
During Maley’s tenure as the CISO, he developed relationships with the following
vendors doing business with the Commonwealth of Pennsylvania: Core Security
Technologies (“Core Security”); BitArmor Systems, Inc. (“BitArmor”); McAfee, Inc.
(“McAfee”); and Guidance Software, Inc. (“Guidance Software”). Maley formed these
relationships as a result of his public position as CISO, which included meeting with
vendors to review proposals and evaluate products.
Maley’s receipt of compensation and paid expenses from Commonwealth vendor Core
Security:
Commonwealth vendor Core Security markets software known as “Core Impact,”
which provides continuous, on-demand automated security testing solutions.
In his capacity as CISO, Maley participated in the EISSP and was part of the team
that established Core Security as a standard. Maley, as the CISO, directed ASAP to make
purchases of software from Core Security. Maley first began purchasing Core Impact from
Core Security on April 7, 2006. Maley renewed Core Impact software annually through
2009.
Beginning in or about October 2008, while Maley was purchasing software from
Core Security for the Commonwealth, Core Security invited Maley to attend an all-
expense-paid conference and to speak on behalf of Core Security’s Core Impact software.
That speaking engagement as well as subsequent speaking engagements by Maley at the
request of Core Security were arranged using Maley’s Commonwealth email address.
At the time in 2008 when Maley agreed to be a speaker on behalf of Core Security,
then Governor Edward Rendell imposed a ban on out-of-state travel for state employees
under the Governor’s jurisdiction. Any out-of-state travel required the approval of the
employee’s supervisors. Maley’s supervisors included Brenda Orth (“Orth”), Deputy
Secretary for OIT, and Tony Encinias (“Encinias”), Chief Technology Officer.
In 2009 and 2010, Maley received expense payments from Core Security totaling
$7,481.52 for his appearances as CISO at conferences to promote Core Security products.
Maley received these payments at or about times he recommended or authorized
purchases by the Commonwealth of Core Security products.
In January 2009, Maley attended a Corporate Security Officer (“CSO”) Conference
in New York City. Core Security paid Maley’s expenses to attend the conference, which
expenses totaled $1,017.29. (Fact Finding 70 b). Maley did not seek or obtain
authorization from the Commonwealth to appear as a speaker at the aforesaid conference.
Maley did not discuss his attendance at the conference with either Encinias or Orth. At
the conference, Maley spoke as the CISO regarding his office’s experiences with Core
Impact.
In April 2009, Core Security invoiced the Commonwealth for Core Impact software in
the amount of $25,935.00. The invoice was directed to the attention of Maley. A purchase
order was prepared by the Commonwealth in the amount of $25,935.00. Commonwealth
check number 1018422 was issued to Core Security on May 29, 2009, in the amount of
$25,935.00.
In April 2009, at or about the time Core Security was billing the Commonwealth of
Pennsylvania for Core Impact based upon Maley’s recommendation, Core Security paid
Maley’s expenses to attend the 2009 RSA Conference in San Francisco, California, which
expenses totaled $1,512.16. (Fact Finding 70 b). Core Security only paid for Maley’s
expenses to attend the conference because he was a customer and user of its product,
Core Impact, and was promoting Core Impact. Maley was only able to comment about
Core Impact because of his position as the CISO for the Commonwealth of Pennsylvania.
In preparation for the 2009 RSA Conference, Core Security issued a press release
identifying Maley as the CISO from the Commonwealth of Pennsylvania and indicating that
Maley would address “lessons learned” with regard to defending citizen data, preventing
government breaches, and achieving greater cyber security in the states. Maley never
requested approval from OA to be a presenter on behalf of Core Security or to attend the
conference in his capacity as the CISO. Maley never advised his superiors he was
attending the RSA conference or that his expenses to attend the conference were being
paid by a Commonwealth vendor. Maley utilized annual leave to attend the RSA
Conference.
From June 25, 2009, to July 13, 2009, Maley engaged in a series of emails with
Core Security employees regarding his attendance at the “Black Hat Technical Security
Conference” that was to be held in Las Vegas, Nevada, from July 28, 2009, through July
31, 2009. All of the emails were either sent from or received at Maley’s Commonwealth
email address. Core Security paid Maley’s expenses to attend the conference, which
totaled $1,527.16. (Fact Finding 70 b). Maley’s expenses were paid by Core Security
because he was speaking on behalf of Core Impact software.
In or about September 2009, Core Security nominated Maley for the Information
Security Executive (“ISE”) of the Year Award. Maley was the winner for the Government
Category, Safeguarding Citizen Data. An event to present the award was scheduled for
October 27, 2009, in Washington, D.C. Core Security paid Maley’s expenses for attending
the event, which totaled $367.53. (Fact Finding 70 b). Maley never advised his
supervisors at OA that Core Security nominated him for an award or that he would be
traveling to Washington, D.C. to accept the award.
On October 30, 2009, Encinias became aware that Maley had attended the ISE
Awards Dinner on October 27, 2009. After discussing the matter with Orth, Encinias sent
an email to Maley on October 30, 2009, which stated as follows: “Bob, No more
conferences, speaking engagements, personal award submissions, etc. until further notice.
Tony.” Maley ignored the aforesaid directive from Encinias and continued to serve as a
speaker at conferences on behalf of Core Security.
Maley was invited by Core Security officials/employees to attend the 2010 RSA
Conference in San Francisco to speak at the conference on behalf of Core Security
products. All of Maley’s travel plans were arranged by Core Security staff. Between
January 8, 2010, and February 16, 2010, Maley and Core Security staff communicated via
email regarding Maley’s travel arrangements and conference registration using Maley’s
Commonwealth email address.
On Saturday, February 27, 2010--the day before the conference was to begin--
Maley sent an email to Encinias stating that he would be taking vacation during the
upcoming week. The email did not state that Maley was traveling to San Francisco to
appear as a speaker at a conference on behalf of Core Security. Maley never sought
Encinias’ approval nor did he advise him that he was traveling to the RSA Conference in
his capacity as the CISO.
Maley attended the 2010 RSA Conference from February 28, 2010, through March
5, 2010. Maley was a speaker at the conference and was identified as the CISO from the
Commonwealth of Pennsylvania. Maley promoted Core Impact to other potential
customers for Core Security. Core Security paid Maley’s expenses for attending the
conference, which totaled $3,057.38. (Fact Finding 70 b). Core Security paid Maley’s
expenses to attend the RSA Conference as a result of Maley agreeing to speak at the
conference about the benefits of using Core Impact.
At or about the time Core Security was paying Maley’s expenses to attend the 2010
RSA Conference, Maley was recommending and requesting that OA purchase another
Core Impact license for the Commonwealth of Pennsylvania. No individuals from OIT
other than Maley requested that another license be purchased from Core Security.
Between February 10, 2010, and February 11, 2010, Maley exchanged emails with a Core
Security representative to arrange for the purchase of an additional Core Impact license.
Maley subsequently authorized the purchase from Core Security for two Core Impact
licenses and training. On or about March 3, 2010, Core Security submitted to the
Commonwealth Invoice number 0310-1004 in the total amount of $53,183.00 for the
aforesaid order placed by Maley.
Meanwhile, on February 22, 2010, while Maley was still employed as the CISO with
OIT, Maley was solicited by Core Security staff to speak at the April 5-7, 2010, CSO
Perspectives Conference.
On or about March 6, 2010, Maley’s supervisors became aware of Maley’s
attendance at and participation in the 2010 RSA Conference. On March 8, 2010, Maley’s
employment as CISO was officially terminated. OIT did not complete the purchase from
Core Security under Invoice number 0310-1004. OIT Officials believed it was unnecessary
to purchase a second license from Core Security.
After being terminated from his position as CISO for the Commonwealth of
Pennsylvania, Maley received two payments totaling $5,000 from Core Security between
April and June 2010 to appear as a speaker on behalf of Core Security. Maley received
these payments based upon his use of Core Impact software in his capacity as CISO for
the Commonwealth.
Maley spoke on behalf of Core Security at the CSO Perspectives Conference in
Santa Clara, California, from April 5, 2010, to April 7, 2010. The conference agenda
identified Maley as the former CISO for the Commonwealth of Pennsylvania. It was noted
in the agenda that Maley was sponsored by Core Security. Maley’s presentation focused
on the following: Commonwealth of PA Profile – Key aspects and facts; Office for
Information Security role; Commonwealth’s responsibilities; the past state in the
Enterprise; outline of problems “we” had to tackle; Project description; Project goals; key
components of the Project; how “we” solved the problems; challenges “we” faced; Project
results – qualitative/quantitative; lessons learned; and recap. Examples used in Maley’s
presentation were security breaches in the Pennsylvania Departments of Labor and
Industry, Veterans’ Affairs and Transportation. Maley had access to security breaches in
his capacity as CISO for the Commonwealth. Commonwealth officials did not want the
potential security breaches to be known publicly. The examples cited in Maley’s
presentation were not available to the public. Core Security paid Maley $2,500 for
speaking at the CSO Perspectives Conference. In addition, Core Security paid Maley’s
expenses totaling $1,508.96 for attending the conference.
Maley also appeared as a speaker on behalf of Core Security at the Gartner
Security Risk Management Summit 2010 held in Washington, D.C. from June 21, 2010, to
June 23, 2010. Maley served on a panel discussing penetration testing. Maley spoke on
his experiences as the CISO for the Commonwealth and used examples of security
breaches in state agencies. Maley spoke on the same subjects as he did at the April 2010
conference. Core Security paid Maley $2,500 for his appearance at the Washington, D.C.
summit on behalf of Core Security. In addition, Core Security paid Maley’s expenses for
his airfare and hotel totaling $1,707.99.
Per Fact Finding 72, total payments made to or on behalf of Maley by Core Security
were $12,481.52.
Maley’s receipt of a baseball ticket from Commonwealth vendor BitArmor:
On March 27, 2009, based upon the recommendation of Maley, the Bureau of
Information Technology for the Pennsylvania State Police (“PSP”) entered into a contract
with Commonwealth vendor BitArmor to purchase software totaling $32,911.34. The
contract between PSP and BitArmor was signed by BitArmor’s Chief Executive Officer, J.
Patrick McGregor (“McGregor”), on behalf of BitArmor.
On April 21, 2009--approximately three weeks after BitArmor and the PSP entered
into the aforesaid contract--Maley attended a major league baseball game between the
San Diego Padres and the San Francisco Giants in San Francisco, California, as a guest
of McGregor. Maley was in San Francisco attending the 2009 RSA Conference at that
time. The cost of Maley’s baseball ticket was $49.99.
McGregor’s Executive Assistant and Maley communicated by email, using Maley’s
Commonwealth email address, regarding arrangements for Maley to meet McGregor at the
game.
McGregor bought the ticket for Maley as a way of networking and doing business in
an effort to generate additional contracts from the Commonwealth of Pennsylvania.
Maley’s receipt of baseball tickets from Commonwealth vendor McAfee:
McAfee has been providing anti-virus software to the Commonwealth of
Pennsylvania since prior to 2009.
In or around the early part of 2009, Maley as the CISO began negotiating a new
contract with Chris Gomolak (“Gomolak”), an Account Manager for McAfee. Maley was the
only Commonwealth official Gomolak dealt with in negotiations for potential contracts with
the Commonwealth.
On March 27, 2009, Maley attended a business meal at Damon’s Grill in Harrisburg,
hosted by Gomolak, which included Maley, Gomolak, McAfee CEO Mark Rutledge, and
Dave Marcus, a technician for McAfee. The total cost of the meal was $60.65. The dinner
discussion focused on desktop security software that McAfee could provide to the
Commonwealth of Pennsylvania.
In May 2009, a Master License and Services Agreement was entered into between
McAfee and the Commonwealth of Pennsylvania through OA. The points of contact listed
on the Agreement included Maley for the Commonwealth of Pennsylvania and Mark
Hauptman and Dave Ackley from McAfee.
Maley participated in discussions regarding the aforesaid agreement. While Maley
and Gomolak were discussing the Scope of Work McAfee was going to perform for the
Commonwealth of Pennsylvania, Gomolak offered to purchase tickets for Maley for a
Philadelphia Phillies and Los Angeles Dodgers playoff game scheduled in Philadelphia for
October 2009.
Prior to buying the tickets for the game, Gomolak inquired of Maley if he was
permitted to accept the tickets while they were in negotiations for a state contract. Maley
informed Gomolak that it was not a problem and that Maley could accept the tickets.
Maley never advised his supervisors at OIT that he had been offered tickets by Gomolak.
Maley and Gomolak exchanged emails on October 16, 2009, and October 19, 2009,
regarding Maley receiving two tickets for the game.
Gomolak purchased two tickets for Maley and Maley’s son to attend the Phillies vs.
Dodgers playoff game on October 19, 2009. The tickets were purchased from Jamin
International Sports Marketing located in Rockaway Beach, New York, and cost $380.00
each, for a total cost of $760.00.
On Monday, October 19, 2009, at 12:45 a.m., Maley sent an email to Encinias
stating that he would like to take a vacation day that day because “an old friend” got tickets
to the playoff game in Philadelphia and invited Maley and Maley’s son. Maley never
advised Encinias that the “old friend” was Gomolak, Account Manager for McAfee, with
whom Maley was negotiating a state contract. Maley and his son attended the game.
On December 21, 2009, Gomolak filed an Expense Report with McAfee related to
his sales activities on October 19, 2009, which included the cost of tickets purchased on
behalf of Maley. The expense report listed an amount of $760.00 for entertainment
expense. The attendees listed included Robert Maley, Chief Security Officer,
Commonwealth of PA and Chris Gomolak, AM, McAfee. In the comments section of the
report justifying the expenses, Gomolak noted that Maley and the Commonwealth of
Pennsylvania represented the largest customer in the Territory.
On December 1, 2009, Maley was a guest of Gomolak for a lunch at Damon’s Grill
in Harrisburg, Pennsylvania. Also in attendance were Brian Gumbel and Jose Martinez of
McAfee. The total cost of the meal was $55.23.
As a result of the negotiations between Maley and officials from McAfee, Purchase
Order 4300214068 was approved on March 15, 2010, authorizing the purchase of software
from McAfee totaling $1,962,293.00.
Maley’s receipt of transportation, lodging and hospitality from Commonwealth vendor
Guidance Software:
Guidance Software is a computer software company that is recognized as a leader
in E-discovery and EnCase technology. In his capacity as the CISO, Maley had meetings
and discussions regarding contracts with Guidance Software representatives.
On April 25, 2007, Maley submitted a Chief Information Officer/Chief Technology
Officer Procurement Form to DGS to obtain EnCase software. The procurement form was
needed to secure the software pursuant to a DGS contract. The procurement dollar value
for the software Maley was requesting was $1,073,304.00. Maley identified the date the
item was needed as 12/31/07.
As a result of the procurement request made by Maley, a Software License and
Service Agreement was made between Guidance Software and the Commonwealth of
Pennsylvania on December 31, 2007. The licensed software that was purchased was
EnCase Enterprise products. The total cost of the services purchased from Guidance
Software at that time was $1,061,878.40.
On September 4, 2008, and September 8, 2008, Maley authorized additional
EnCase Software purchases from Guidance Software for the Commonwealth of
Pennsylvania. The cost of such purchases on September 4, 2008, totaled $189,250.08.
The cost of such purchases on September 8, 2008, totaled $96,488.00.
In or about the time that Maley was participating in decisions to purchase software
from Guidance Software, he was asked to be a speaker at Guidance Software’s annual
conference identified as the “Computer Enterprise and Investigations Conference”
(“CEIC”). Guidance Software requests that users of its product participate at the CEIC and
speak of the benefits of using EnCase Software.
On September 26, 2008, Maley received an email from Kimberly Peterson, Event
Manager for Guidance Software, confirming Maley’s appearance as a speaker on behalf of
EnCase at the CEIC.
Maley attended the 2009 CEIC held in Orlando, Florida, from May 17, 2009, through
May 19, 2009. Maley’s expenses to attend the conference totaled $1,663.20 and were
paid by Guidance Software. Guidance Software agreed to pay Maley’s expenses for the
CEIC because Maley was appearing as a speaker to promote software products of
Guidance Software to other potential customers. Maley never obtained approval and
never advised his supervisors of his attendance at the CEIC to speak on behalf of the
EnCase software.
Maley’s use of his Commonwealth computer during Commonwealth working hours for
personal purposes:
As a Commonwealth employee, Maley was subject to Commonwealth policies and
procedures regarding internet and email use. On November 30, 2005, Maley signed a
standard Commonwealth internet/email user agreement included with Management
Directive 205.34. The general terms of this directive state that any electronic
communications on Commonwealth internet/email systems may be tracked, monitored, and
read by all authorized Commonwealth staff and that there is no expectation of privacy in
any internet/email Commonwealth systems. Any such communications are the property of
the Commonwealth and are to be used for carrying out Commonwealth business activities.
By executing the user agreement, Maley agreed to the security policies of the
Commonwealth and its agencies.
Maley, in his capacity as the CISO, was assigned a Commonwealth desktop and
laptop computer for official business. Maley did not share use of these computers with
other employees.
A forensic examination of the hard drives removed from the computers issued to
Maley revealed that Maley utilized the computers for purposes which did not relate to his
duties as the CISO. Between September 2009 and February 2010 Maley utilized his
Commonwealth computer to occupy no less than 71.21 hours of his stated work hours for
non-Commonwealth related purposes. Total wages paid to Maley during the relevant time
period were $3,303.43 (71.21 hours @ $46.39/hr.).
Private Pecuniary Benefit to Maley:
The parties have stipulated that Maley realized a private pecuniary benefit when he
accepted gifts and transportation, lodging and/or hospitality from vendors he was
recommending and/or approved for contracts with the Commonwealth and when he utilized
Commonwealth of Pennsylvania computers for non-Commonwealth purposes.
Statements of Financial Interests:
As the CISO for OIT, Maley was required to file SFIs for calendar years 2006, 2007,
2008, 2009 and 2010. Maley failed to file SFIs for calendar years 2006, 2009 and 2010,
even after being reminded to do so. Maley filed SFIs for calendar years 2007 and 2008
with OA’s Human Resources Department.
Susquehanna Digital Forensics is a computer consulting company established by
Maley in or about 2004. The business was registered to Maley’s home address. Maley’s
SFIs for the 2007 and 2008 calendar years did not disclose his ownership and financial
interest in the business Susquehanna Digital Forensics. Although Susquehanna Digital
Forensics maintains an active website, Maley asserts that he discontinued business efforts
in 2005 after being hired by the Commonwealth.
Maley’s SFIs for the 2007 and 2008 calendar years did not disclose creditors owed
in excess of $6,500. In both 2007 and 2008, Maley’s creditors owed in excess of $6,500
were Chase Bank and MBNA credit card.
Maley did not disclose on SFIs for 2007 or 2008 the receipt of transportation,
lodging or hospitality.
Having highlighted the Stipulated Findings and issues before us, we shall now apply
the Ethics Act to determine the proper disposition of this case.
The parties' Consent Agreement sets forth a proposed resolution of the allegations
as follows:
3. The Investigative Division will recommend the following in
relation to the above allegations:
a. That a violation of Section 1103(a) of the Public Official
and Employee Ethics Act, 65 Pa.C.S. §1103(a),
occurred in relation to Maley’s acceptance of gifts and
payments for expenses from vendors he recommended
and/or approved for contracts with the Commonwealth;
b. That a violation of Section 1103(a) of the Public Official
and Employee Ethics Act, 65 Pa.C.S. §1103(a),
occurred when Maley used Commonwealth of
Pennsylvania computers for non-official purposes;
c. That a violation of Section 1103(a) of the Public Official
and Employee Ethics Act, 65 Pa.C.S. §1103(a),
occurred in relation to Maley’s receipt of payments for
promoting a vendor’s product(s) following Maley’s
public employment, when – while employed by the
Commonwealth - Maley recommended that the same
vendor receive State contracts;
d. That a violation of Section 1105(b) of the Public Official
and Employee Ethics Act, 65 Pa.C.S. § 1105(b),
occurred when Maley failed to file a Statement of
Financial Interests for the 2006, 2009 and 2010
calendar years; when he failed to disclose on
Statements of Financial Interests filed for the 2008
calendar year, payments or reimbursement of expenses
of transportation, lodging and/or hospitality received in
connection with his public position; and when he failed
to disclose on Statements of Financial Interests filed for
the 2007 and 2008 calendar years, his interest in
Susquehanna Digital Forensics and creditors in excess
of $6,500.
4. Maley agrees to make payment in the amount of $10,000.00 in
settlement of this matter payable to the Commonwealth of
Pennsylvania and forwarded to the Pennsylvania State Ethics
Commission within thirty (30) days of the issuance of the final
adjudication in this matter.
5. Maley agrees to file Statements of Financial Interests for
calendar years 2006, 2009 and 2010; file amended Statements
of Financial Interests for calendar years 2007 and 2008
disclosing all information regarding name and address and
sources and amounts of payments for or reimbursement of
expenses of transportation, lodging and/or hospitality received
in connection with his public position; his office, directorship or
employment in Susquehanna Digital Forensics; creditors in
excess of $6,500; his financial interest in Susquehanna Digital
Forensics on Statements of Financial Interests, if such has not
already been done, within thirty (30) days of the date of the
issuance of the final adjudication of the matter. Copies of such
forms must also be forwarded to the State Ethics Commission.
6. Maley agrees to not accept any reimbursement, compensation
or other payment from the Commonwealth of Pennsylvania
representing a full or partial reimbursement of the amount paid
in settlement of this matter.
7. The Investigative Division will recommend that the State Ethics
Commission take no further action in this matter; and make no
specific recommendations to any law enforcement or other
authority to take action in this matter. Such, however, does
not prohibit the Commission from initiating appropriate
enforcement actions in the event of Respondent's failure to
comply with this agreement or the Commission's order or
cooperating with any other authority who may so choose to
review this matter further.
Consent Agreement, at 2-3.
In considering the Consent Agreement, we accept the recommendation of the
parties for a finding that a violation of Section 1103(a) of the Ethics Act occurred in relation
to Maley’s acceptance of gifts and payments for expenses from vendors he recommended
and/or approved for contracts with the Commonwealth.
Gifts, transportation, lodging or hospitality received from a vendor may form the
basis for a violation of Section 1103(a) of the Ethics Act when the public official/public
employee uses the authority of his public position as to the vendor. See, e.g., Munford,
Order 1390; Espenshade, Order 1387; Helsel, Order 801; cf., Haldeman, Order 1443
(involving tickets to sporting events and clothing items received from grant applicants).
In 2008, at or about the time that Maley was participating in decisions to purchase
software from Guidance Software, Maley was asked to be a speaker at Guidance
Software’s annual conference. Maley’s expenses to attend the 2009 conference held in
Orlando, Florida, totaled $1,663.20 and were paid by Guidance Software.
In 2009 and 2010, Maley received expense payments from Core Security totaling
$7,481.52 for his appearances as CISO at conferences to promote Core Security products.
Maley received these payments at or about times he recommended or authorized
purchases by the Commonwealth of Core Security products.
Maley’s attendance at the aforesaid conferences to speak on behalf of, and at the
expense of, Commonwealth vendors with whom he had official dealings was unauthorized.
As for the baseball tickets that Maley received, the cost of the ticket provided by
BitArmor was only $49.99. However, the cost of the playoff tickets provided to Maley by
McAfee was $760.00. A McAfee Account Manager offered to purchase the playoff tickets
for Maley at or about the time the McAfee Account Manager and Maley were involved in
discussions regarding the Scope of Work to be performed by McAfee for the
Commonwealth.
Based upon the Stipulated Findings and Consent Agreement, we hold that a
violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in relation to
Maley’s acceptance of gifts and payments for expenses from vendors he recommended
and/or approved for contracts with the Commonwealth.
We agree with the parties that a violation of Section 1103(a) of the Ethics Act
occurred when Maley used Commonwealth computers for non-official purposes.
It is axiomatic that Section 1103(a) of the Ethics Act prohibits the use of
governmental facilities, equipment, time, and the like for private purposes. See, e.g.,
Sindiri, Order 1572; Debias, Order 1539; Neff, Order 1498; Morton, Order 1491; Rembold,
Order 1417; Cobb, Order 1354; Confidential Opinion, 05-001.
Maley, in his capacity as the CISO, was assigned a Commonwealth desktop and
laptop computer for official business. Between September 2009 and February 2010 Maley
utilized his Commonwealth computer to occupy no less than 71.21 hours of his stated work
hours for non-Commonwealth related purposes. Total wages paid to Maley during the
relevant time period were $3,303.43 (71.21 hours @ $46.39/hr.).
With each element of the recommended violation of Section 1103(a) established,
we hold that a violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a),
occurred when Maley used Commonwealth of Pennsylvania computers for non-official
purposes.
We shall now address the parties’ recommendation for a finding of a third violation
of Section 1103(a).
After being terminated from his position as CISO for the Commonwealth of
Pennsylvania, Maley received two payments totaling $5,000 from Core Security between
April and June 2010 to appear as a speaker at two conferences on behalf of Core Security.
Maley was solicited by Core Security staff to speak at the April 2010 conference while he
was still employed as CISO for OIT.
Maley received the aforesaid payments based upon his use of Core Impact software
in his capacity as CISO for the Commonwealth. Maley’s presentations included examples
of security breaches in certain Pennsylvania agencies. The examples cited in Maley’s
presentations were not available to the public. Maley had access to security breaches in
his capacity as CISO for the Commonwealth.
We accept the parties’ recommended disposition and hold that a violation of Section
1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in relation to Maley’s receipt of
payments for promoting a vendor’s product(s) following Maley’s public employment, when--
while employed by the Commonwealth--Maley recommended that the same vendor receive
State contracts.
Turning to the allegations involving Maley’s SFIs, the parties have recommended
the finding of a violation of Section 1105(b) of the Ethics Act with respect to Maley’s
delinquent SFIs for calendar years 2006, 2009, and 2010, and deficient SFIs for calendar
years 2007 and 2008. While a violation for failure to file is generally based on Section
1104(a) of the Ethics Act, such a failure to file would necessarily include a failure to
disclose the required information pursuant to Section 1105(b). Therefore, we accept the
parties’ recommended disposition and hold that a violation of Section 1105(b) of the Ethics
Act, 65 Pa.C.S. § 1105(b), occurred when Maley failed to file SFIs for the 2006, 2009 and
2010 calendar years; when he failed to disclose on SFI(s) filed for the 2008 calendar year,
payments or reimbursement of expenses of transportation, lodging and/or hospitality
received in connection with his public position; and when he failed to disclose on SFIs filed
for the 2007 and 2008 calendar years, his interest in Susquehanna Digital Forensics and
creditors in excess of $6,500.
As part of the Consent Agreement, Maley has agreed to make payment in the
amount of $10,000 in settlement of this matter payable to the Commonwealth of
Pennsylvania and forwarded to this Commission within thirty (30) days of the issuance of
the final adjudication in this matter.
Maley has agreed to not accept any reimbursement, compensation or other
payment from the Commonwealth of Pennsylvania representing a full or partial
reimbursement of the amount paid in settlement of this matter.
Maley has further agreed to file: (1) SFIs for calendar years 2006, 2009 and 2010;
and (2) amended SFIs for calendar years 2007 and 2008 disclosing all information
regarding name and address and sources and amounts of payments for or reimbursement
of expenses of transportation, lodging and/or hospitality received in connection with his
public position; his office, directorship or employment in Susquehanna Digital Forensics;
creditors in excess of $6,500; and his financial interest in Susquehanna Digital Forensics,
if such has not already been done, within thirty (30) days of the date of the issuance of the
final adjudication of this matter, and to forward copies of all such forms to this Commission.
We determine that the Consent Agreement submitted by the parties sets forth a
proper disposition for this case, based upon our review as reflected in the above analysis
and the totality of the facts and circumstances.
Accordingly, per the Consent Agreement of the parties, Maley is directed to make
payment in the amount of $10,000 payable to the Commonwealth of Pennsylvania and
forwarded to this Commission by no later than the thirtieth (30th) day after the mailing date
of this adjudication and Order.
Per the Consent Agreement of the parties, Maley is further directed to not accept
any reimbursement, compensation or other payment from the Commonwealth of
Pennsylvania representing a full or partial reimbursement of the amount paid in settlement
of this matter.
To the extent he has not already done so, Maley is directed to file: (1) SFIs for
calendar years 2006, 2009 and 2010; and (2) amended SFIs for calendar years 2007 and
2008 disclosing all information regarding name and address and sources and amounts of
payments for or reimbursement of expenses of transportation, lodging and/or hospitality
received in connection with his public position; his office, directorship or employment in
Susquehanna Digital Forensics; creditors in excess of $6,500; and his financial interest in
Susquehanna Digital Forensics, by no later than the thirtieth (30th) day after the mailing
date of this adjudication and Order, and to forward copies of all such forms to this
Commission.
Compliance with the foregoing will result in the closing of this case with no further
action by this Commission. Noncompliance will result in the institution of an order
enforcement action.
IV.CONCLUSIONS OF LAW:
1. As the Chief Information Security Officer for the Office for Information Technology
within the Commonwealth of Pennsylvania’s Office of Administration from November
2005 until March 8, 2010, Respondent Robert L. Maley (“Maley”) was a public
employee subject to the provisions of the Public Official and Employee Ethics Act
(“Ethics Act”), 65 Pa.C.S. § 1101 et seq.
2. Maley violated Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), in relation
to his acceptance of gifts and payments for expenses from vendors he
recommended and/or approved for contracts with the Commonwealth.
3. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred
when Maley used Commonwealth of Pennsylvania computers for non-official
purposes.
4. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in
relation to Maley’s receipt of payments for promoting a vendor’s product(s) following
Maley’s public employment, when--while employed by the Commonwealth--Maley
recommended that the same vendor receive State contracts.
5. A violation of Section 1105(b) of the Ethics Act, 65 Pa.C.S. § 1105(b), occurred
when Maley failed to file Statements of Financial Interests for the 2006, 2009 and
2010 calendar years; when he failed to disclose on Statement(s) of Financial
Interests filed for the 2008 calendar year, payments or reimbursement of expenses
of transportation, lodging and/or hospitality received in connection with his public
position; and when he failed to disclose on Statements of Financial Interests filed
for the 2007 and 2008 calendar years, his interest in Susquehanna Digital
Forensics and creditors in excess of $6,500.
In Re: Robert L. Maley, : File Docket: 10-020
Respondent : Date Decided: 9/27/11
: Date Mailed: 10/12/11
ORDER NO. 1594
1. As the Chief Information Security Officer for the Office for Information Technology
within the Commonwealth of Pennsylvania’s Office of Administration, Robert L.
Maley (“Maley”) violated Section 1103(a) of the Public Official and Employee Ethics
Act (“Ethics Act”), 65 Pa.C.S. § 1103(a), in relation to his acceptance of gifts and
payments for expenses from vendors he recommended and/or approved for
contracts with the Commonwealth.
2. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred
when Maley used Commonwealth of Pennsylvania computers for non-official
purposes.
3. A violation of Section 1103(a) of the Ethics Act, 65 Pa.C.S. § 1103(a), occurred in
relation to Maley’s receipt of payments for promoting a vendor’s product(s) following
Maley’s public employment, when--while employed by the Commonwealth--Maley
recommended that the same vendor receive State contracts.
4. A violation of Section 1105(b) of the Ethics Act, 65 Pa.C.S. § 1105(b), occurred
when Maley failed to file Statements of Financial Interests for the 2006, 2009 and
2010 calendar years; when he failed to disclose on Statement(s) of Financial
Interests filed for the 2008 calendar year, payments or reimbursement of expenses
of transportation, lodging and/or hospitality received in connection with his public
position; and when he failed to disclose on Statements of Financial Interests filed
for the 2007 and 2008 calendar years, his interest in Susquehanna Digital
Forensics and creditors in excess of $6,500.
5. Per the Consent Agreement of the parties, Maley is directed to make payment in the
amount of $10,000 payable to the Commonwealth of Pennsylvania and forwarded to
the Pennsylvania State Ethics Commission by no later than the thirtieth (30th) day
after the mailing date of this Order.
6. Per the Consent Agreement of the parties, Maley is further directed to not accept
any reimbursement, compensation or other payment from the Commonwealth of
Pennsylvania representing a full or partial reimbursement of the amount paid in
settlement of this matter.
7. To the extent he has not already done so, Maley is directed to file: (1) Statements
of Financial Interests for calendar years 2006, 2009 and 2010; and (2) amended
Statements of Financial Interests for calendar years 2007 and 2008 disclosing all
information regarding name and address and sources and amounts of payments for
or reimbursement of expenses of transportation, lodging and/or hospitality received
in connection with his public position; his office, directorship or employment in
Susquehanna Digital Forensics; creditors in excess of $6,500; and his financial
interest in Susquehanna Digital Forensics, by no later than the thirtieth (30th) day
after the mailing date of this Order, and to forward copies of all such forms to the
Pennsylvania State Ethics Commission.
8. Compliance with Paragraphs 5, 6, and 7 of this Order will result in the closing of this
case with no further action by this Commission.
a. Non-compliance will result in the institution of an order enforcement action.
BY THE COMMISSION,
___________________________
Louis W. Fryman, Chair