DENVER — When state government gets audited, the taxpayer gets to find out what's really going on behind the scenes.
Except this week.
Twice this week, lawmakers in Colorado heard about two audits relating to IT -- information technology.
Twice this week, those audits and conversations about those audits remained private and out of the public view.
One audit was about how the Colorado Department of Education keeps personal data protected, and the other was about the IT systems for the Colorado Department of Public Health and Environment.
"If we reveal our sources and methods in an audit report, then we give hackers a bread crumb trail to get at things more quickly than they might otherwise get to it, and that's not the right pathway to go down," said Sen. Paul Lundeen (R-Monument).
Lundeen sits on the Legislative Audit Committee, the group of lawmakers that gets to be the first to learn about all state audits. The committee received information on an IT audit of a "mission critical system" from the Colorado Department of Education.
"Mission critical is a really big broad term," said Lundeen. "Everybody, today, carries around in their pocket a little device that they consider to be mission critical to their life. It's their smartphone. So much data that's captured in that smart phone is mission critical to our lives."
But the audit doesn't have smart phone information on students. What is part of the "mission critical system" with the state Department of Education? We don't know because the audit was kept private.
"My perspective, when we're protecting student personal information, is 'when in doubt, don't,'" said Lundeen.
The state's auditor was prepared to release a public portion of the audit.
"A lot of our results relate to information that a malicious actor could use to harm the state," said Matt Devlin, the Deputy State Auditor in charge of IT Audits. "A lot of the information could provide a road map to malicious actors, like hackers, if the information were made public."
According to Dana Smith, the Department of Education Communications Director, there was no data breach with the IT systems.
She said some of the data the department keeps includes:
- Where a student attends school
- Assessments taken
The data isn't necessarily personally identifiable to steal your identity or credit, but Lundeen said it might be data that could be used against you later in life if it were leaked.
"If an insurance company says, 'you know what, we have access to data that says you weren't a great student and therefore you're going to get the less preferred rate on your insurance, than that is a misuse of data,'" said Lundeen.
On Tuesday, the Joint Budget Committee received an update on a Colorado Department of Public Health and Environment IT systems audit.
That discussion was also held in a private executive session.
"We always ask questions of departments about how they are using taxpayer dollars efficiently, and when there was an audit done, we wanted to ask more questions, and in order to do that, on a confidential audit, we had to go into executive session," said JBC Chair Rep. Daneya Esgar (D-Pueblo). "If (the Office of Information Technology) has an issue that needs to be looked at deeper, it's the Joint Budget Committee's responsibility to look at it and see if there's anything we need to change with funding to fix any issue."
The JBC is the group of lawmakers that do a deep dive on the state budget and do the hard work to determine how and where the state spends money each year. The discussion was to educate the JBC on if the IT office needs more money or if the money being allocated isn't being used properly.
According to the state's Office of Information Technology, the state's public health department data might include:
- Health information
- Social security numbers
- Tax information
- Driver licenses and registration
- Any other type of information provided to state government agencies by Colorado residents
SUGGESTED VIDEOS | Full Episodes of Next with Kyle Clark