OKLAHOMA (UPDATE) NEW DATA SECURITY APROACH The Edmond Sun - Data loss spurs new IT approach:

Data loss spurs new IT approach
James Coburn
The Edmond Sun

EDMOND — OKLAHOMA CITY — State Rep. Jason Murphey is among legislators pushing for reforms they say will secure state government computer data to protect Oklahomans’ personal information. Murphey is urging the quick enactment of House Bill 1704 or Senate Bill 980.

Several state computers were lost or stolen in recent months, including a flash drive from the Oklahoma Employment Security Commission and laptops from the Oklahoma Housing Finance Agency and the Department of Human Services.

“One little crack is all it takes to breach 1.25 million people at a time,” said Dan Yost, chief technology officer for MyLaptopGPS, a Stillwater-basedcomputer security firm.

A chief information officer for state government would be created if either bill becomes law, Murphey said Wednesday morning at the state Capitol. The CIO would oversee security and technology purchases made by all state agencies.

“I support the CIO bill based on the concept of modernization,” said Murphey, R-Guthrie. “The House has a modernization agenda which is very aggressive.”

Murphey is the House author of SB 980 with Senate President Pro Tem Glenn Coffee, R-Oklahoma City. The concept of the bill was initiated last year by Rep. David Derby, R-Owasso, who is the House author of HB 1704.

As a fiscal conservative, Murphey said he supports Derby’s bill because it eliminates waste, creates smaller government and improves security.

“It made a whole lot of sense to me to say, ‘You have $340 million a year being spent in state government on just IT. That is money being spent in all these different agencies that’s not being leveraged,’” Murphey said. “It’s like having all the agencies shopping and buying at 7-11 instead of coordinating the purchases and leverage buying at Sam’s.”

State computers are under daily threats from Chinese computer hackers, creating “a nightmare scenario” for law enforcement, Murphey said. Securing confidential information has become problematic when information technology has spread among every state agency, he added.

“It’s really hard to hold one individual responsible for security,” he explained.

SB 980 would eliminate five bureaucratic steps of a senseless security process, Murphey added.

“So if an agency has a process in place by which an employee is taking home hundreds of names of (non-encrypted) data, that’s a terrible security risk,” Murphey said. “It shouldn’t be happening, but who do you hold responsible when it’s agency after agency creating these policy risks and they’re putting our data at risk?”

SB 980 would give the CIO the central authority to mitigate policy issues to prevent security risks such as removing a computer from an agency, Murphey said.

While some lawmakers have asked Gov. Brad Henry to fix the problem, the governor has little authority to do so, Murphey said. SB 980 would give the governor the authority to appoint the CIO.

Two laptops that were stolen recently are essentially without protection from the use of two passwords, Yost said.

“The point to bring us back home is we’ve got a bill that’s trying to streamline technology. It can save money; it can save waste,” Yost said. “But from the security standpoint, think of it this way. If you’re not streamlining the process, and if agency A is doing a good job, but agency B … is not, every single end-point device by itself is a pointing pill that can breach 1.25 million Oklahomans’ personal information.”

Derby said it cost the state $200,000 to inform people by mail that their information was compromised.

“There’s also the value placed on the data that’s on the laptop,” Derby said.

Murphey said the start-up cost of the CIO bill would depend on two possible approaches. Either the CIO could become an agency or it could continue to use the existing infrastructure, he said.

“I favor the latter approach and I suspect that will be the House position,” Murphey said. “And that would cut down on the initial start-up cost.” The bill mandates a net savings within three years.

Murphey said he expects either the House or Senate bill will emerge from conference next week with strong support.



jcoburn@edmondsun.com | 341-2121, ext. 114