Former US state agency CIO, IT exec plead guilty to bribery and extortion scheme

Pair's multimillion-dollar contract caper unraveled

A former Maryland Cabinet-level official and a former IT executive have pleaded guilty to involvement in a bribery and extortion scheme related to technology contracts about a decade ago.

According to the US Attorney's Office of the State of Maryland, Isabel FitzGerald, 52, of Annapolis, Maryland, and Kenneth Coffland, 67, of Riva, Maryland, pleaded guilty last week to charges of bribery and extortion, respectively. They were indicted in 2017.

From 2009 through September 2011, Coffland worked [PDF] at ACS, which held a $129 million IT hosting contract and $229 million applications contract with the State of Maryland Department of Human Resources (DHR). ACS, acquired by Xerox in 2010, managed the datacenter that hosted DHR applications for administering welfare benefits under federal and state programs.

During that time, Coffland developed a working relationship with FitzGerald, then DHR’s CIO and the person responsible for overseeing the hosting and applications contracts. By 2010, the relationship had become personal, according to court documents.

FitzGerald between 2007 and 2014 held a number of state positions, including as well as DHR CIO, executive consultant to the DHR Secretary, DHR Deputy Secretary of Operations, and the Secretary of the Department of Information Technology in the Cabinet of then-Maryland Governor Martin O'Malley.

FitzGerald resigned from DHR as of October 2011 but from December 2011 until about a year later, she served as a consultant to her successor at DHR.

Coffland resigned from ACS/Xerox in September 2011 after FitzGerald had given notice that she intended to step down. Days after his resignation, Coffland started work for a second company that was responsible for reviewing ACS/Xerox's contract and for reporting this information to DHR – while FitzGerald was consulting for DHR.


Microsoft accused of spending millions on bribes to seal business deals


By December 2012, FitzGerald had rejoined DHR – she was appointed Deputy Secretary for Operations of DHR and reported to the DHR Secretary.

According to Coffland's plea agreement [PDF], FitzGerald in early 2013 encouraged her successor as DHR CIO to tell ACS/Xerox to remove the person serving as hosting director. She then met ACS/Xerox's program manager about ostensibly problematic performance with regard to the hosting contract.

She indicated she would not renew the company's state contract after it expired in 2014 unless it addressed the problems she cited. But she suggested if the company rehired Coffland as hosting director, he would be able to fix the cited problems and that would lead to the renewal of the state contract.

ACS/Xerox did not want to do so, according to the plea agreement, because it believed Coffland, because of his personal relationship with Fitzgerald, would not fairly represent the company's interests when dealing with the state. Nonetheless, the business did offer to rehire him.

Coffland, informed of FitzGerald's negotiations prior to receiving the hiring offer, had leverage and countered the company's initial offer with a demand for far more money and a position as an independent contractor rather than employee.

The company, despite its reservations, agreed to pay Coffland at a rate of $125 per hour for up to 2,400 hours annually, a potential salary of $300,000, plus quarterly bonuses of up to $50,000, or $200,000 annually.

Court filings also describe how FitzGerald conspired with employees of an Indiana-based IT firm to threaten the cancellation of a $27.6 million DHR project if the state failed to subcontract a portion of the work through the Indiana firm. From this, FitzGerald got paid a portion of the deal through a company she formed, Aeon Consulting and Technical Services. As part of her guilty plea, FitzGerald must pay $38,310 in restitution.

FitzGerald faces up to 10 years in federal prison for bribery involving an agent acting on behalf of a program receiving federal funds. Coffland could receive as much as 20 years for extortion. Sentencing for both is scheduled for October 13, 2022. ®

Broader topics

Other stories you might like

  • America edges closer to a federal data privacy law, not that anyone can agree on it
    What do we want? Safeguards on information! How do we want it? Er, someone help!

    American lawmakers held a hearing on Tuesday to discuss a proposed federal information privacy bill that many want yet few believe will be approved in its current form.

    The hearing, dubbed "Protecting America's Consumers: Bipartisan Legislation to Strengthen Data Privacy and Security," was overseen by the House Subcommittee on Consumer Protection and Commerce of the Committee on Energy and Commerce.

    Therein, legislators and various concerned parties opined on the American Data Privacy and Protection Act (ADPPA) [PDF], proposed by Senator Roger Wicker (R-MS) and Representatives Frank Pallone (D-NJ) and Cathy McMorris Rodgers (R-WA).

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Spain, Austria not convinced location data is personal information
    Privacy group NOYB sues to get telcos to respect GDPR data access rights

    Some authorities in Europe insist that location data is not personal data as defined by the EU's General Data Protection Regulation.

    EU privacy group NOYB (None of your business), set up by privacy warrior Max "Angry Austrian" Schrems, said on Tuesday it appealed a decision of the Spanish Data Protection Authority (AEPD) to support Virgin Telco's refusal to provide the location data it has stored about a customer.

    In Spain, according to NOYB, the government still requires telcos to record the metadata of phone calls, text messages, and cell tower connections, despite Court of Justice (CJEU) decisions that prohibit data retention.

    Continue reading

Biting the hand that feeds IT © 1998–2022