Our state stores a lot of sensitive data that needs to be protected. As mentioned in last month’s blog The State of Idaho’s Cybersecurity, my team uncovered and reported to the state a number of vulnerabilities on state-owned websites. Then we found more, this time stemming from legislation that was passed without full consideration of the impact to privacy and security of sensitive financial records.
Passed in 2010 by the Idaho Legislature and the Governor, House Bill 699 was intended to provide more transparency to education spending:
“Adds to existing law to provide for school districts and other education providers to create an Internet-based website with searchable expenditure and revenues.”
On the surface, this seems simple enough. Require school districts to publish their financial records to their existing websites. What could possibly go wrong? Quite a lot, it turns out.
Without clear, consistent guidance, each school district across Idaho was left to determine how best to publish their financial information–much of which is highly sensitive. They are not funded or staffed appropriately to evaluate the risks of what they implement, nor do I think they should have to be. Some school districts entered their monthly financial statements into spreadsheets, others scanned and published bank records, directly exposing sensitive account information and tax identification numbers. This information can be easily accessed and used by criminals to defraud our school districts and Idaho taxpayers.
My team also ran into a barrier while trying to notify the state of this: there is no central cybersecurity incident team within the Idaho State government that can coordinate across state and local agencies. While we found an email address listed in official state documentation for cybersecurity incident reporting, it was invalid and bounced our initial disclosure. We then reached out to state employees and officials. After several redirects and delays, we were able to get the needed attention to this issue. Idaho lacks a central cybersecurity response center with the authority and ability to quickly assess cybersecurity issues, whether financial disclosures, sensitive financial information or potential breaches of state-owned websites or databases.
As your next Lieutenant Governor, I will gladly take over Lieutenant Governor Brad Little’s role as chair of the Idaho Cybersecurity Cabinet Task Force. Because of my expertise and background in the tech sector, I can ensure that cybersecurity best practices are implemented and security is considered early in the legislative process and addressed in implementation to avoid what has happened with HR 699.
Idaho, we need to up our game on cybersecurity, and it starts with a vote for me on November 6.