Oklahoma IT Reforms Spell Trouble for State (Opinion)

The latest data breach from Oklahoma Department of Securities is a case study in why the state should consider the adverse effects of reversing the consolidation of its IT departments.

by The Oklahoman Editorial Board / January 23, 2019

(TNS) — The chairman of the state Senate Appropriations Committee has filed legislation to give state agencies more independence when making information technology decisions. The discovery of millions of unsecured files at the Oklahoma Department of Securities shows why lawmakers should approach this idea with extreme caution.

The UpGuard Data Breach Research team reports it discovered three terabytes and millions of files at the Department of Securities that were effectively unsecured. The data included names of AIDS patients, details about FBI investigations and personally identifiable information for at least 100,000 finance brokers going back three decades.

During the past eight years, state government has consolidated IT infrastructure under the Office of Management and Enterprise Services. Previously, IT decisions were made on an agency-by-agency basis, which led to duplication and associated financial waste. In some cases, systems at one agency couldn't communicate with those at another. Cybersecurity was notoriously hit-and-miss across state government.

The consolidation process wasn't without challenges. For many small agencies and boards, consolidation required increased spending, due partly to a lack of prior investment in reliable security. Some agency officials complain approval processes are cumbersome, impeding their ability to respond swiftly to changing circumstances.

Even so, it's estimated consolidation saved millions and significantly reduced the chance of Oklahomans' personal information being stolen.

So why did this reported breach occur? It can be blamed, in part, on the Department of Securities not taking part in IT consolidation. The agency makes its IT decisions independent of OMES. Notably, UpGuard's report indicated the department's website was the least secure of all sites with an ok.gov address and was running on a web server that is no longer supported by its manufacturer.

The Department of Health, which was plagued by financial mismanagement, offers another cautionary tale. A multicounty grand jury found the department's mismanagement evaded detection for years because, in part, it used an “antiquated internal financial system, as opposed to the statewide financial system used by the vast majority of other state agencies …”

Former Rep. Jason Murphey, R-Guthrie, was a leader in government modernization efforts, including things like use of open-source technology, reform of government purchasing processes, IT consolidation, and even pushing agencies to make payments electronically at about 5 cents per electronic transfer instead of $13.50 per paper payment. Now that Murphey has termed out, the Legislature lacks a champion for such common-sense reforms, and that can open the door to backsliding. Sen. Roger Thompson, R-Okmulgee, has filed legislation to free agencies from some OMES oversight on IT issues, which includes cybersecurity.

While there may be specific instances where change is needed, lawmakers should carefully craft any revision of state law to address only those situations. Oklahoma can't afford to go back to the old days where officials at every agency did as they pleased regardless of cost, lack of functionality or adverse impact on Oklahoma citizens.

©2019 The Oklahoman. Distributed by Tribune Content Agency, LLC.