A statewide audit released Thursday has found some Kentucky agencies aren't adequately protecting sensitive data.
The report from Kentucky Auditor Adam Edelen’s office identifies the Treasury, Department of Revenue, and Finance and Administration Cabinet as having cyber security deficiencies - but no breaches.
“It’s important to note that we didn’t identify any breach,” said Edelen spokeswoman Stephenie Hoelscher. “We are not saying that this data is lost or stolen. What we’re saying is, we identified steps they could take to further protect this data.”
Kentucky Treasurer Todd Hollenbach said his staff had been working to correct the problem before the audit was released.
“It’s not one of those things that will ever be complete because as we come up with new defenses, nefarious sorts out there that would like to get that data are coming up with new ways to try and do just that,” Hollenbach said. “So it’s going to be an ongoing thing, probably ad infinitum.”
Hollenbach said the treasury - which has an uncertain fate as a bill that would dissolve the office awaits action from the state House - is the conduit for all financial transactions throughout the state, and security for sensitive data like retirement and unemployment checks is paramount to the agency.
Kentucky is one of just four states that doesn't require the government to notify citizens if it loses their sensitive or confidential information. This is the first year that data protection controls have been included as part of the statewide audit.
The audit, known as the Statewide Single Audit of Kentucky, contains a total of 40 findings with recommendations related to deficiencies in internal controls over financial reporting. That’s down from 55 last year. The number of findings has decreased due to improvements related to the Kentucky Human Resource Information System and state agencies adequately addressing problem areas identified in the prior year audit.
The audit found that the Department of Workforce Investment did not have proper internal controls in place to ensure the accuracy of Unemployment Insurance drawdowns, which could have led to a $24 million reporting error had it not been detected during the audit.
Six findings at the Department of Juvenile Justice indicate lack of proper financial controls. Last year's audit contained similar findings related to DJJ.
Federal law requires an audit of the state's financial statements, which expresses an opinion on $23.2billion in expenditures. The second part of the audit, to be released in March, focuses on the state's compliance with federal grant requirements.
A total of 40 auditors, 30 financial auditors and 10 IT auditors, reviewed the commonwealth's financial statements and technology systems. The audit took nearly 26,000 hours to complete.