A former Metro Transit employee's improper searches of driver's license records has led the agency to restrict the number of supervisors who have access to the database.
An investigation by the regional transit agency found that Richard P. Johnson, a former supervisor, snooped on ex-girlfriends, fellow transit employees, media and sports personalities. Metro Transit officials say the veteran employee, who resigned last month, searched the records of about 1,300 people.
The allegations -- the latest example of a government employee abusing his access to personal data -- were met with a "here-we-go-again" response from Chuck Samuelson, executive director of the ACLU of Minnesota. He said such actions erode the public trust.
"I've lost count how many times this has happened," Samuelson said. "Well, there are five of these that we've heard about, there must be way more. Or maybe there's more but not way more. Or maybe there aren't any more. And we don't know because it's all done in secret. So we start distrusting law enforcement, we distrust building inspectors, and all sorts of government entities."
Even if Johnson didn't mean to harm anyone, his actions harmed everyone, Samuelson said, because every time such actions are revealed, the public is left to wonder just how far the scope is.
Johnson's activities came to light earlier this year, when Metro Transit performed an audit of all of its employees who have access to the state's Driver and Vehicle Services records.
It discovered just one instance of abuse.
Johnson, who monitored bus operations from the transit control center in Minneapolis, improperly searched more than 7,000 records, according to Metro Transit documents. The 22-year veteran of the agency told transit officials he did it out of boredom and "innocent" curiosity.
Metro Transit police are coordinating with other law-enforcement agencies to consider possible criminal charges against Johnson.
The Metro Transit case is being revealed as state lawmakers are working on bills aimed at toughening penalties for data breaches.
"Part of what they're hearing is a lot of testimony from state and local government that everybody's working real hard to fix this," said Don Gemberling, who oversaw government data-privacy issues for the state from 1973 to 2004. "There is some evidence that there has been less, but clearly the latest incident and some other things I've heard about illustrate that the problem continues."
One recent case involved a Department of Natural Resources employee who was accused of inappropriately looking up driver's license records about 19,000 times. Among other things, the records include photos, addresses, height and weight. Gemberling, who has offered his expertise to legislators, said he's clued into a pattern:
"Much of this breach stuff is focused on people looking up women," he said. "And frankly, the prettier, the better. And it's like, 'Wait a minute.'"
In the Metro Transit case, the investigation into Johnson fails to mention whether he was targeting either sex. Besides public figures and former girlfriends and their spouses, Johnson looked up records of relatives and fellow transit employees. He told agency officials the snooping didn't affect his job and took place during idle time from 2011 to 2013.
Metro Transit spokesman John Siqveland said agency officials jumped on the case as soon as they learned what the audit had uncovered in February.
"We had moved to take corrective action, to discipline the employee and move towards termination, and this is something we've trained employees on many times and retrained," Siqveland said. "So we do take this very seriously."
In March, Metro Transit had recommended Johnson be fired. Johnson appealed the decision and resigned late last month, before the appeal process concluded.
Metro Transit documents show that Johnson and other control-center staff were trained on proper access of the driver and vehicle database. Siqveland notes that Johnson signed a memo acknowledging he understood the rules.
"It was very clear what is and what is not proper," Siqveland said.
Siqveland said Metro Transit will continue its audits. The police investigation is determining whether to notify the more than 1,000 individuals whose personal information was breached.
But it's unclear what the latest breach means for future lawsuits. In February, a federal judge in Minneapolis dismissed three cases involving wrongful snooping of Minnesota driver's license data, saying the information isn't private.
Department of Public Safety spokesman Bruce Gordon said he didn't know all the specifics in the Metro Transit case, but said in general, the individual employee and employer need to take special care when accessing the driver and vehicle data. The department performs audits of heavy users and provides the results to the employers so they may investigate whether there was any inappropriate use, Gordon said.
"We're committed to strengthening the training and oversight, but it's no substitute for an individual honoring their professional or ethical obligations under the law," he said. "Misuse should not be tolerated -- whether it's law enforcement, a state agency, a media outlet -- anyone that has authorized access to that data should be held accountable."
An email requesting comment for this story from Johnson's union, the Transit Managers and Supervisors Association, was not returned Wednesday afternoon.