MADISON -- Security consultants warn that Wisconsin state lawmaker email practices uncovered in a FOX6 investigation can expose your personal information to cyber attacks.
The FOX6 Investigators went through thousands of pages of emails for 43 current and recent state senators and representatives as part of a public records request. 33 percent had government emails on their personal Gmail, AOL, Yahoo, and Hotmail email accounts.
The group was evenly-split between two parties. Democrats Peter Barca, Gordon Hintz, Josh Zepnick, Mark Miller, Dianne Hesselbein, Steve Doyle, and Beth Meyers had government emails on their personal accounts, along with Republicans Chuck Wichgers, Dale Kooyenga, Andre Jacque, Van Wanggaard, Joel Kitchens, Rob Brooks, and Jim Steineke.
What's the big deal?
"People send things via email that they shouldn't all the time," Ontech Systems senior consultant John May said. "For someone higher profile like a state lawmaker? Once they start doing that kind of stuff, it can get pretty intense."
May's job is to help clients, including local governments, shore up their cyber security. He says one of the easiest ways to do this is to stop doing government business on personal email accounts.
"The mentality is, 'It’s usually a lot easier to use personal Gmail' or something like that," May said. "But it's also a lot easier to compromise that account."
IT departments can monitor government accounts, which May says tend to have more security requirements like firewall protections and password change requirements. He says personal accounts have less oversight and fewer security measures; the ones that do exist tend to be optional.
May also points out that advancements in technology and more affordable prices should make it easy for someone who works in IT to put software on elected leaders' phones and laptops that would allow them to easily and safely access their more-secure government accounts.
How does this affect my information?
"The first thing that happens is the attacker spends some time going through the person's email and starts to connect the dots about the relationships that this person has," May said.
FOX6 found emails with constituent names, phone numbers, email addresses and home addresses on state lawmakers' personal accounts. May says a cyber attacker targeting a state lawmaker's personal email could use those details to then attack or impersonate state lawmakers and their constituents.
"What we’re seeing in the environment today is attackers are becoming more and more complex and targeted in their attacks," May said. "They’re doing a really good job of impersonating the person they’re attacking."
Some state lawmakers redacted sensitive medical and tax information information when responding to FOX6's public records request; others blacked out personal and identifying details about themselves, staff, and constituents. But if that same information ends up on personal email accounts - like it did on Van Wanggaard's and Peter Barca's Gmail accounts, for example - there's no way to redact that information from a cyber attack.
"People need to be aware of the dangers that are out there," May said. "It affects our daily life."
While the FOX6 Investigators were able to identify certain state lawmakers who definitely have government emails on personal accounts, a special exception allowing legislators to delete emails and other records at almost any point makes it impossible to know for sure how many are using personal accounts for government business and how often they're engaging in the practice.
State lawmakers are not allowed to use their government email addresses for campaign purposes. FOX6 did not include campaign emails in its count of government emails on personal accounts.
FOX6 asked the 14 current and recent Wisconsin lawmakers who had government emails on their personal accounts to weigh in. Five responded.
Former state representative and current Revenue Secretary Peter Barca said in a phone call that he occasionally used his Gmail account for government business when he was a lawmaker because he felt it was faster than his legislative account and allowed him to be more responsive. Barca said at that point, he had not thought about the cybersecurity issues surrounding email use but acknowledged that now he considers it a "legitimate concern," saying it is "always appropriate for the legislature to re-evaluate" its rules and policies. Barca said he will not use a personal email account for government business in his capacity as Revenue Secretary.
State Senator Andre Jacque (R-DePere) sent a statement saying:
"While I cannot prevent anyone from contacting me on my personal email, when I have been contacted through it for official state business I have always made a point to forward that email to my official legislative account, and include all emails concerning state business in open record requests. I understand the security risk involved in using a personal account for legislative business, and have accordingly avoided any improper use."
The office of Senator Van Wanggaard (R-Racine) sent a statement saying:
"To ensure that the Senator receives messages in a timely manner, we sometimes use the Senator's personal Gmail account to convey information."
"The use of his personal email should not raise transparency concerns. As demonstrated by your open records request, state-related emails that were sent to/from his personal account were provided, as required by law."
"If someone hacks the Gmail account they would find, other than pictures of his grandchildren and spam, what would be generally discoverable via an open records request. We don't deal with national security issues, investigations, or state secrets, so cybersecurity is not an issue in that sense."
Senator Mark Miller (D-Monona) sent a statement saying:
“Transparency is extremely important to me. Government business on my personal account is subject to the same laws as my official account and I treat it as such.”
The office of Representative Beth Meyers (D-Bayfield) sent a statement saying:
"Rep. Meyers does use a personal email for work sometimes, and she complies with all the rules of the Assembly when it comes to electronic records."