
When the operational and financial infrastructure of a local government begins to crack under the weight of internal mismanagement, transparency is invariably the first casualty. We have documented this exact systemic breakdown extensively at marionwatch.com/silentsabotage, detailing the deliberate, silent sabotage of Marion’s IT infrastructure and municipal financial controls.
Across Ohio and the nation, municipalities are increasingly attempting to dodge accountability by rebranding administrative incompetence as a highly classified “cybersecurity” threat. Under this guise, agencies issue blanket denials to withhold fundamental IT logs, software permission grids, and module configurations from taxpayers. There are many examples, too numerous to list, but some are included below, along with the original legal documents.
This tactic is legally bankrupt, and the clock is always ticking against the agency employing it.
Our core network at Marion Watch does not simply guess at how these failures occur.
With a centralized, multiple state team built on over two decades of full-stack systems administration, complex corporate network management, law enforcement, military security, legal compliance, and other professions nearly everyone in our network has direct, hands-on experience recognizing the unmistakable signs of municipal mismanagement.
We know exactly what a fractured internal control environment looks like.
Furthermore, many on our team have direct, professional experience initiating public records lawsuits, dismantling blanket exemptions, and triggering state and federal oversight enforcement.
Those in the IT field—and especially the Systems Administration sector—have a foundational, ethical duty to ensure the safety and integrity of the data we manage. Those of us who take this profession seriously are highly offended when we see practices like shared administrative passwords, loose access configurations, and the predictable, devastating effects these failures have on financial controls.
Municipalities that attempt to hide these operational IT failures behind cybersecurity rhetoric inevitably find themselves facing consequences far more severe than the disclosure they initially tried to avoid.
When a cornered administration chooses a blanket denial over legal compliance, they do not stall transparency—they guarantee escalation.
Let’s briefly look closer at how this works in the real world.
In short, the main point of this article—and the entirety of the Silent Sabotage Series—is this:
It happened and is well documented.
The citizens have a right to know.
The data belongs to the public.
The courts require its release.
And the receipts will be pulled.
Marion Watch has deliberately delayed legal escalation to ensure that as much data as possible is analyzed by subject matter experts and presented directly to We the People. By placing these records in the public domain first, we preempt any attempts by the municipality to use court-ordered protective seals, discovery restrictions, or other litigation maneuvers designed to bury the evidence.
However, some of the most shocking revelations have not even been released yet. One example is the basis for this article.
LOOK CLOSERTHE SILENT SABOTAGE OF MARION, OHIO’S I.T. AND FINANCIAL CONTROLS HERE:
THE DELAY TACTIC: MANUFACTURING “SECURITY” CRISES
When a public office fears exposure, delay becomes a weapon.
Agencies stall responses to public records requests, ignore follow‑ups, or issue vague claims that they are “reviewing security implications.”
Under Ohio Revised Code 149.43, these delays are not merely bureaucratic inconveniences.
They are statutory violations.
- Delays of weeks can breach the statute.
- Delays of months almost always constitute unlawful withholding.
- Delays approaching a year are legally indefensible and often trigger statutory damages.
Investigative media, subject matter experts, and informed citizens do not simply walk away from a blacked-out public record.
We escalate.
We file lawsuits which ultimately causes further financial distress of the municipality that is already struggling.
We demand statutory damages which also causes further financial distress of the municipality that is already struggling.
We forward documented failures to state auditors and federal oversight bodies and federal law enforcement entities.
Municipalities that attempt to hide internal control failures behind cybersecurity claims virtually guarantee this escalation.
THE LEGAL MANDATE: REDACT, DO NOT DENY
Ohio Revised Code 149.43(B)(1) is explicit: if a document contains exempt information, the agency must redact the specific exempt portion and release the remainder.
Blanket denials are illegal.
Administrative discomfort is not an exemption.
Fear of political embarrassment is not an exemption.
Generalized, theoretical cybersecurity concerns are not an exemption.
The law requires strict specificity.
WHAT IS ACTUALLY PROTECTED?
True security assets that could expose infrastructure to a direct external attack are legitimately exempt.
Agencies may lawfully redact:
- Actual passwords.
- Password hashes.
- Cryptographic keys (e.g., AES-256 or ChaCha20-Poly1305 configurations).
These items, if disclosed, could directly compromise system integrity.
WHAT IS UNCONDITIONALLY PUBLIC?
The following records are not security vulnerabilities.
They are operational accountability records, and courts have repeatedly ruled they must be disclosed:
- Usernames and active account lists.
- Assigned job titles and department roles.
- Permission levels (e.g., administrator, finance, read-only).
- Historical audit logs and help-desk error reports.
- Internal misconduct reports regarding unauthorized access.
- Software module configurations (including documentation of missing or disabled modules).
These records do not reveal exploitable vulnerabilities to hackers.
They reveal whether internal controls are functioning.
They show exactly who had access to public funds, who should not have had access, and how management responded when internal failures occurred.
They are public records, period.
NATIONAL PRECEDENT: FORENSIC IT AUDITS COLLIDE WITH PUBLIC RECORDS LAW
Municipalities often assume that invoking the phrase “forensic IT investigation” will automatically shield them from public records disclosure.
Courts nationwide, AND internationally have repeatedly dismantled this assumption.
FEDERAL CASES INVOLVING FORENSIC IT AUDITS & INVOLVING OPERATIONAL IT RECORDS
IN RE CAPITAL ONE CONSUMER DATA SECURITY BREACH LITIGATION (E.D. VA. 2020)
After Capital One suffered a massive data breach, the company hired the cybersecurity firm Mandiant to conduct a forensic investigation.
The company attempted to sweep the forensic report under attorney‑client privilege by having outside counsel direct the work.
The federal court rejected the claim.
The court noted that the forensic IT audit was paid for as a “business-critical” expense, not a legal one, and the resulting report was widely distributed among 50 non-legal employees for operational remediation.
The forensic IT audit was ordered released, firmly establishing that forensic reports are not automatically privileged and cannot be used as a blanket shield against disclosure.
GUO WENGUI V. CLARK HILL, PLC (D.D.C. 2021)
A prominent law firm attempted to withhold a forensic cyber investigation report after a breach exposed a client’s sensitive information.
The firm claimed a “two-track” investigation strategy to protect the report generated by the firm Duff & Phelps.
The court ruled that the report was not privileged because it contained non-legal, operational remediation advice and was shared broadly with internal IT leadership and the FBI.
The forensic report was ordered released.
RUTTER’S DATA BREACH LITIGATION (M.D. PA. 2021)
When the Rutter’s convenience store chain hired a forensic firm to investigate a breach, they attempted to classify the forensic report as privileged legal material.
The court rejected the argument, finding that the report fundamentally served business and operational purposes.
The forensic IT audit was ordered disclosed.
(INTERNATIONAL) MCCLURE V. MEDIBANK PRIVATE LIMITED (FEDERAL COURT OF AUSTRALIA, 2025)
Although an international case, this ruling is widely cited in U.S. litigation regarding corporate transparency.
The court ordered the release of three Deloitte forensic reports, ruling that they were created for governance and transparency purposes, not strictly for legal advice.
This reinforces the global legal principle that forensic IT audits cannot be withheld simply because they involve cybersecurity frameworks.
STATE-LEVEL CASES INVOLVING OPERATIONAL IT RECORDS
THE MARKUP V. OHIO DEPARTMENT OF JOB AND FAMILY SERVICES (OHIO COURT OF CLAIMS, 2023)
ODJFS attempted to withhold software algorithms, parameters, and operational metadata by claiming they were protected “infrastructure” and “security” records.
The Court of Claims explicitly rejected the argument and ordered an unredacted release.
This ruling establishes that operational system metadata is not inherently a security record.
STATE EX REL. MAUK V. SHELDON (OHIO SUPREME COURT, 2025)
In a major December 2025 ruling, the Ohio Supreme Court penalized the Richland County Sheriff’s Office for over‑redacting operational access logs.
The Court held that the agency failed to meet its burden of proving the exemptions applied, ruling that improper redactions constitute unlawful denials of public records, and awarded $2,000 in statutory damages to the relator.
This case is critical because forensic IT audits and system investigations fundamentally rely on access logs, permission matrices, and internal control documentation.
OHIO HB 96 (2025)
Ohio’s 2025 revisions to public records law clarified exactly what is and is not exempt.
Operational IT records, system configurations, and internal control documentation remain definitively public.
This codification ensures that forensic IT audit materials documenting operational failures cannot be withheld unless they contain specific, narrowly defined exempt content.
WHY THESE CASES MATTER FOR MUNICIPAL TRANSPARENCY
Across all these state and federal cases, the judicial pattern is unmistakable:
- Courts distinguish sharply between true cybersecurity risks and internal operational failures.
- Forensic IT audits are not automatically privileged.
- Operational system documentation is not inherently a security record.
- Blanket denials are illegal.
- Over‑redaction is treated as unlawful withholding.
Municipalities cannot hide misconfigured modules, inappropriate user access, internal misconduct, or failed internal controls behind cybersecurity claims.
The law requires disclosure.
The courts enforce disclosure.
When forensic IT audits reveal internal administrative failures, those records belong to the public.
THE PUBLIC RIGHT TO KNOW
When internal controls fail, the public has an overriding, statutory right to know exactly what broke down.
Taxpayers have a right to know:
- If former officials retained high-level administrative access long after leaving office.
- If users held permissions far beyond their legitimate business needs.
- If a municipal system was so heavily compromised that a chief executive had to personally intervene to revoke access.
- If specific software modules required for financial integrity were disabled, missing, or deliberately misconfigured.
These failures do not expose external threats.
They expose internal mismanagement.
Municipalities that hide behind “security” exemptions in these scenarios are not protecting critical infrastructure; they are protecting themselves.
THE RECEIPTS AND THE RESOLUTION
Investigative teams, transparency advocates, and public records specialists do not have to guess how digital infrastructure works.
We know.
Backed by decades of hands-on experience in full-stack infrastructure management, complex IT systems administration, law enforcement and legal frameworks, we know exactly what backend audit logs exist or should exist.
We know what role-based permission matrices look like.
We know what modules must be installed for a system to achieve compliance, and we know exactly what internal communications a municipality is legally required to retain.
Municipalities facing requests for user account lists, permission grids, misconduct reports, and module configurations have only two lawful options:
- They can redact actual passwords and cryptographic keys and release the rest.
- Or they can issue a blanket denial.
Choosing the latter guarantees escalation.
The data belongs to the public.
The courts require its release.
And the receipts will be pulled.

