Nearly 1,000 pages of documents turned over by the Kansas Attorney General’s Office show Kris Kobach has used a private email address for government work purposes.
From filing lawsuits to reviewing bill drafts and testimony to editing opinion pieces published in conservative media, Kobach’s private Gmail account is a regular recipient of government emails.
“Attorney General Kobach and his staff sent emails to his personal email address for ease of access and to ensure business was handled in a timely manner,” said Charles Dalton, Kobach’s chief of staff, in a statement. “The emails did not include any sensitive items. In fact, the documents sent are part of the public record and subject to the Kansas Open Records Act.”
The Topeka Capital-Journal obtained eight PDFs totaling 940 pages of emails and attachments. A list indicates 169 separate emails sent to Kobach’s private email account, plus 39 sent by that Gmail. The Kansas Open Records Act request cost the newspaper $209.13.
But the KORA response also indicates there was an unspecified number of additional pages that weren’t released, deemed confidential enough to excluded entirely from the responsive records. A handful of the released documents contained redactions.
“What concerns me is why the hell does he need a personal email account to conduct public business?” asked Rep. John Carmichael, D-Wichita. “Because that’s the harbinger, if you will, of concealment. And so when I first hear a story like this, my initial thought is that somebody’s trying to hide something.”
The newspaper filed the public records request after Kobach told a Nebraska town that he could be their private attorney while still carrying out his duties as Kansas attorney general. The town accepted into the public record an email from Kobach — which The Capital-Journal obtained from the city of Fremont through a records request — that showed Kobach’s private Gmail address.
It is not clear from the emails to what degree Kobach uses his private email instead of his work one. The records show emails and attachments in the attorney general’s office’s possession that were either sent to or received from Kobach’s private email between Jan. 9, the day he was sworn into office, and Sept. 13, the day the KORA request was filed.
Does using a private email pose a security concern to Kansas?
Cybersecurity has garnered more attention in Kansas government as the judicial branch continues to grapple with the effects of a foreign cyberattack on the court system.
The attackers have made demands, though officials have not formally called it a ransomware attack, and the Kansas Supreme Court justices have admitted that potentially confidential data was stolen. The attackers have threatened to post the data on the dark web.
Kobach’s office didn’t directly respond to questions of whether the attorney general’s office’s IT team has any concerns with Kobach using a personal email or whether any steps have been taken to ensure it is secure following the court hack.
Kobach’s own private emails to his work emails note a security concern.
“CAUTION: This email originated from outside of the Office of The Attorney General of Kansas organization,” said one such email on June 15 from Kobach’s private email to his work one. “Do not click links or open attachments unless you recognize the sender and know the content is safe.”
Carmichael, who is an attorney, said security of Kobach’s private emails as compared to his government account could be a valid concern.
He said other lawyers in private practice may also use private emails for work purposes, but “probably the larger the law firm though, the more of those security rules and protocols there will be,” likening the attorney general’s office to a large law firm.
Likewise, using email in general “has been a topic of debate and evolving standards of care, if you will, for the past 30 years now,” he said.
The legal profession is aware of the security risks of using email, he said, prompting some lawyers to seek consent from clients beforehand or to disclose that email may not be a secure method of communication.
“To the extent that somebody can hack in and get to the email server, that information could be illegally and improperly obtained by third parties,” Carmichael said. “At the same time, I have a file cabinet in my office — or at least when I was in active practice of law I had a file cabinet in my office — it had all sorts of clients secrets in confidence. I had multiple file cabinets, and theoretically, the janitor could have broken into the cabinet, and the same thing somebody can can break in the front door of your office.”
How top legislator on IT committee views use of private emails, devices
Rep. Kyle Hoffman, R-Coldwater, chairs the Joint Committee on Information Technology.
When asked how concerning it would be for a state officer to use a private email for work purposes, Hoffman said, “It all depends on the what they’re using it on.”
When told Kobach was using a private email to send lawsuits, bill drafts and op-eds, Hoffman said: “I don’t know. That’d be something I guess I’d look into.”
Hoffman said he doesn’t know if it is a security concern, likening it to legislators using personal emails.
“There’s a lot of us, even us legislators, who have campaign emails,” he said. “I’m sure that they’re out there. People send us inquiries on those emails sometimes over our regular one, and we use our personal devices. So there’s, I think, as we go through the next several months to years in looking at our IT security issues, I think all of that’s going to have to be looked at.”
He said the judicial branch IT security incident increases the need to look at security, including for private devices and emails.
“Oh yeah, I think it does,” he said. “I don’t know what’ll end up happening, but I do think that it has created more of a discussion on the security of all of that. That’s not going to be something that is going to be easy.
“I’m not advocating for that to stop, because I use my phone a lot for emails, stuff like that. A lot of legislators have their own computers that they use instead of the state-issued computer. I’m not advocating for that to stop, I just think that there may be some additional security that might have to be put in place when you use those in the future. I don’t know what it would be, but I think it’s going to have to be looked at.”
State employees aren’t supposed to use private emails for work purposes
Jeff Maxon is the executive branch’s chief information technology officer and the chief information security officer, serving the Kelly administration but not other statewide elected offices. For those agencies, the policy is that staff use their state-provided work emails.
“That’s the purview of the agency, but the stance is to use business email,” Maxon said. “That’s why it’s provided, and obviously as a government agency it needs to be a government system.”
Under Kansas law, private emails can be public record
Max Kautsch, president of the Kansas Coalition for Open Government, noted the release of Kobach’s private emails reinforces the intent of a 2016 law.
“The Kansas Open Records Act was amended in 2016 to mandate that government officials conducting business on private devices or accounts must, absent an enumerated exception set forth in the law, make records created on such devices or accounts open to the public,” Kautsch said. “The Attorney General’s disclosures in response to the open records request here prove that producing such records in compliance with the law is a simple matter.”
That law was inspired by the use of private emails in Gov. Sam Brownback’s administration.
“I find it surprising,” Carmichael said, “that with all of the difficulties that occurred in the Brownback administration with use of private email accounts for public business, with the various municipalities and others who’ve run into trouble with that since the Brownback administration, with the changes of the law in 2016, it just doesn’t seem prudent that the attorney general would be using a private email account to do any type of public business, unless it was through inadvertence.”