As the fate of a bill to reverse much of the contentious $215,000 raise given to Kentucky’s Chief Information Officer Charles Grindle last year will be sealed on Thursday — the last day of the 2019 session of the Kentucky General Assembly — records detailing Grindle’s international travel last year raise new questions about spending in his department.
Republican House Majority Floor Leader Bam Carney’s House Bill 499 cutting Grindle’s $375,000 salary nearly in half – or just below the second-highest paid state chief information officer in the country – followed reporting by the Courier Journal last year about the substantial raise given to the longtime friend and business associate of Gov. Matt Bevin.
Though HB 499 passed the House and a Senate committee without a single dissenting vote, Republican leadership in the Senate failed to call it for a vote in that chamber before the two-week veto period that just ended. While it could still be passed by the Senate on Thursday, it would likely then be vetoed by Bevin — who has strongly defended the raise he gave Grindle as appropriate — with the legislature now unable to override that veto and make it become law.
While the legislative effort to curb spending on Grindle’s salary appears likely to fail, records obtained by Insider Louisville detailing the travel of the Commonwealth Office of Technology leader also raise questions about its cost and utility.
Of particular note was a weeklong trip taken by Grindle to a cyber conference in Israel last summer at a price tag to taxpayers of $4,300, in which his primary reason for attending was to learn about a European regulation that experts say has little, if any, application to state and local government agencies and their chief technology officers in the United States.
According to spending records of the Kentucky Finance and Administration Cabinet that houses the Commonwealth Office of Technology, Grindle’s flight to Tel Aviv in June of 2018 cost $1,660. Grindle also spent $2,640 on a travel agency in Israel for his five-night stay before flying back, with the agency contact on the conference’s website indicating that it could assist attendees with accommodations and special rates for “organized tours” of the country.
Asked about the cost and purpose of this trip, cabinet spokesman Glenn Waldrop within the Department of Revenue told Insider that Grindle attended Cyber Week, “the world’s largest gathering of cyber leaders.”
While there were multiple reasons to attend the conference, Waldrop stated that “one of the most significant reasons was to get a better understanding of the Global Data Protection Regulation (GDPR) from the individuals who drafted the regulation and learn how it applies to the Commonwealth.”
However, a review of experts in the field of cybersecurity on GDPR — including a free webinar on GDPR hosted by the National Association of State Chief Information Officers (NASCIO) a week before his Israel trip was booked — suggests that work done by state agencies could fall under the scope of the European Union regulation only in very limited circumstances.
GDPR is a new regulation that went into effect in the territory of the European Union last year, designed to both protect the privacy and data of users online and unify the regulatory environment for businesses operating in the EU. Those operating within the EU must follow the GDPR rules on transparency and consent when it comes to collecting and storing users’ online data.
While these GDPR regulations are of particular interest to any company that does business online in Europe, state and local governments do not typically operate or directly target individuals within the EU.
According to a NASCIO webinar presentation in May of last year by Alex White, the deputy chief privacy officer for South Carolina, “there’s probably not a huge risk for state and local agencies” when it comes to GDPR.
White cited statements by regulatory officials in Ireland, Germany and the United Kingdom indicating that the work of state and local government would be outside the scope of the GDPR. Though White noted a possible exception in the case of a state tourism department targeting advertising with Europe, he added that GDPR concerns in such a case could be avoided if such marketing was done by a third-party contractor.
Grindle and spokespersons for the cabinet did not respond to Insider’s questions asking how the GDPR applied to state agencies in Kentucky.
A review of the agenda schedule from last year’s Cyber Week conference shows that only two panels were primarily devoted to a discussion of the GDPR, while the most substantive one — with an eight-hour agenda on the conference’s first day — was almost over by the time Grindle’s flight was scheduled to land in Israel. The agenda for the second GDPR-centric panel appears to focus on multinational corporations operating within the EU.
Waldrop from the Finance Cabinet indicated that while Grindle was in Israel, he also “reviewed and discussed cyber tools related to homeland security and protecting the Commonwealth’s network,” in addition to reviewing “product offerings and conduct proofs of concept to evaluate those products for implementation.”
Grindle was not the only state official in Israel during June of last year, as so too was Gov. Matt Bevin, who has known Grindle since serving in the Army with him over 30 years ago.
Bevin tweeted a photo of himself with U.S. Ambassador to Israel David Friedman on June 14 — two days before Grindle’s flight — writing that the two had a “good conversation about many topics including ways to strengthen economic ties (agriculture, defense mfg, cyber-technology)” between Israel and the Cabinet for Economic Development.
Spokespersons for Bevin did not reply to Insider’s question asking for the days that the governor was in Israel.
A month and a half before the Israel trip, Grindle traveled to Dell’s annual conference in Las Vegas, where he stayed at The Palazzo at The Venetian. Finance Cabinet records show he paid $690 for his flight and over $1,000 for his three-night stay at a Palazzo suite.
According to Waldrop, Grindle appeared at the Dell World conference “to speak on a panel with business leaders to discuss infrastructure optimization with Dell technology and to learn about Dell’s (EMC) acquisition and integration with Kentucky’s virtual server platform.”
Three months before speaking at the Dell conference, the Finance Cabinet signed what appears to be a no-bid contract with the Minnesota-based Winthrop Resources Corporation to provide over $40 million in IT equipment to the Commonwealth Office of Technology, with the large majority of such equipment being identified as Dell EMC. This amended a previous master agreement with Kentucky-based companies to provide IT equipment.
Waldrop and a Finance Cabinet spokeswoman, Pamela Trautner, did not reply to questions from Insider about the specific process and reasoning behind this contract amendment to acquire Dell equipment from Winthrop, as well as the details from Grindle’s panel discussion on the state’s partnership with Dell.
Last September, a Louisville-based IT company lodged a formal protest with the Finance Cabinet asserting that it was harmed by the Commonwealth Office of Technology amending a large services contract with AT&T in violation of the state’s competitive bidding rules, though the cabinet rejected that protest in December.
The protest by Tier3 Technologies was filed the day before Grindle spoke to the annual business conference of AT&T in Dallas, where he touted the agency’s ability under his leadership to minimize unnecessary contracts and rely on larger “trusted partners” like AT&T for modern IT services.