Third-Party Investigation into Passwords Posting Complete, Report Issued with Recommendations
Denver, Colo. – Baird Quinn, LLC has issued the report of their investigation into the posting of passwords to some voting equipment on the Department of State’s website.
In November, Baird Quinn was engaged to conduct an independent investigation to determine how the posting happened, how it could be prevented in the future, and to present recommendations for improvement of Department practices and procedures. Baird Quinn was given full access to Department personnel and documents to conduct their investigation. The investigation was supported by a company specializing in digital forensics for the purpose of providing expertise on metadata and other information associated with the specific files involved in the password posting.
The investigation concluded that the BIOS passwords contained in the hidden worksheets posted on the Department website were posted “mistakenly, unknowingly and unintentionally.” The report also finds that “a series of inadvertent and unforeseen events led to the public disclosure of the BIOS passwords.” The report notes that, “The investigator finds that this unique set of circumstances would have been difficult to anticipate,” and, “on an organizational level, the Secretary of State/CDOS consistently took significant and appropriate measures to protect state information, including the BIOS passwords.” The report determined there was a policy failure to adequately “review the posted document to ensure that non-public information would not be disclosed.”
The report furnished seven recommendations for the Department to consider to minimize risk of any inadvertent disclosure in the future. They include:
1. Instituting a policy prohibiting the use of “hide” functions for highly sensitive or confidential information within documents.
2. Establishing a requirement that all passwords of any kind, whether they be individual user log-in credentials or password information such as the BIOS passwords, be kept only in a password safe unless an exception to that policy is granted in writing.
3. Requiring better training on the data protection features of the computer software programs used on a daily basis, such as Microsoft Excel and Word.
4. Updating the “Acceptable Use Computing Policy” (AUP) so the policy on the use of the password safe and the policy on creating and managing passwords are single stand-alone policies rather than policies contained at various places within the User ID and Password section of the AUP.
5. Requiring employees to review the AUP every year and sign that they have reviewed the document.
6. Creating a substantive review process for the Elections Division (and possibly other Divisions) for web requests involving posting documents to the Department website.
7. Reviewing the transition and exit processes for departing employees whose responsibilities involve handling sensitive or confidential information.
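Recommendations 1 and 6 rest on a point worth making concrete: hiding a worksheet in Excel does not remove its contents from the file. An .xlsx is a zip archive of XML parts, and "hide" only sets a state="hidden" (or "veryHidden") attribute on the sheet's entry in xl/workbook.xml; the cell data still ships in the worksheet part and is recoverable by anyone who downloads the file. The script below is an added example written for this page, not code from the Baird Quinn report or the Department; it builds a small constructed workbook (the sheet names, cell values and the "placeholder-not-real" string are invented) and runs the kind of pre-publication check a web-posting review process could apply, flagging hidden sheets, hidden rows and hidden columns along with how many populated cells a hidden sheet still carries. The function names build_sample_workbook and audit_workbook are this example's own.

```python
"""Pre-publication check for an .xlsx: flag hidden sheets, rows and columns.

Uses only the standard library so it can run on a review workstation without
extra packages. Added example for this page; not the Department's tooling.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS_MAIN = "http://schemas.openxmlformats.org/spreadsheetml/2006/main"
NS_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
NS_PKG = "http://schemas.openxmlformats.org/package/2006/relationships"


def _tag(name: str) -> str:
    """Namespace-qualify a SpreadsheetML element name for ElementTree lookups."""
    return f"{{{NS_MAIN}}}{name}"


def build_sample_workbook() -> bytes:
    """Constructed sample .xlsx (invented data, not a real Department file).

    Sheet "Inventory" is visible but has one hidden row and one hidden column;
    sheet "Passwords" is hidden. Only the package parts the audit reads are
    included, which is enough to show that hidden data is still in the zip.
    """
    workbook = f"""<workbook xmlns="{NS_MAIN}" xmlns:r="{NS_REL}"><sheets>
<sheet name="Inventory" sheetId="1" r:id="rId1"/>
<sheet name="Passwords" sheetId="2" state="hidden" r:id="rId2"/>
</sheets></workbook>"""
    rels = f"""<Relationships xmlns="{NS_PKG}">
<Relationship Id="rId1" Type="{NS_REL}/worksheet" Target="worksheets/sheet1.xml"/>
<Relationship Id="rId2" Type="{NS_REL}/worksheet" Target="worksheets/sheet2.xml"/>
</Relationships>"""
    inventory = f"""<worksheet xmlns="{NS_MAIN}"><cols><col min="3" max="3" hidden="1"/></cols><sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>Precinct</t></is></c><c r="B1" t="inlineStr"><is><t>Serial</t></is></c><c r="C1" t="inlineStr"><is><t>Internal note</t></is></c></row>
<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>draft row</t></is></c></row>
</sheetData></worksheet>"""
    passwords = f"""<worksheet xmlns="{NS_MAIN}"><sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>Device</t></is></c><c r="B1" t="inlineStr"><is><t>BIOS password</t></is></c></row>
<row r="2"><c r="A2" t="inlineStr"><is><t>Tabulator-01</t></is></c><c r="B2" t="inlineStr"><is><t>placeholder-not-real</t></is></c></row>
</sheetData></worksheet>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("xl/workbook.xml", workbook)
        zf.writestr("xl/_rels/workbook.xml.rels", rels)
        zf.writestr("xl/worksheets/sheet1.xml", inventory)
        zf.writestr("xl/worksheets/sheet2.xml", passwords)
    return buf.getvalue()


def audit_workbook(xlsx_bytes: bytes) -> list[dict]:
    """Return one finding per hidden sheet, hidden row set or hidden column set.

    Each finding is {"sheet": name, "issue": kind, "count": n}. For a hidden
    sheet the count is the number of populated cells it still carries, which is
    exactly the data a reader would recover by unhiding it or unzipping the file.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as zf:
        wb = ET.fromstring(zf.read("xl/workbook.xml"))
        rels = ET.fromstring(zf.read("xl/_rels/workbook.xml.rels"))
        targets = {rel.get("Id"): rel.get("Target") for rel in rels}
        for sheet in wb.iter(_tag("sheet")):
            name = sheet.get("name")
            target = targets[sheet.get(f"{{{NS_REL}}}id")]
            # Targets are normally relative to xl/; tolerate absolute ones too.
            part = target.lstrip("/") if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(zf.read(part))
            populated = sum(
                1 for c in ws.iter(_tag("c"))
                if c.find(_tag("v")) is not None or c.find(_tag("is")) is not None
            )
            state = sheet.get("state", "visible")
            if state in ("hidden", "veryHidden"):
                findings.append({"sheet": name, "issue": f"{state} sheet", "count": populated})
            hidden_rows = sum(1 for r in ws.iter(_tag("row")) if r.get("hidden") in ("1", "true"))
            if hidden_rows:
                findings.append({"sheet": name, "issue": "hidden rows", "count": hidden_rows})
            hidden_cols = sum(
                int(c.get("max")) - int(c.get("min")) + 1
                for c in ws.iter(_tag("col")) if c.get("hidden") in ("1", "true")
            )
            if hidden_cols:
                findings.append({"sheet": name, "issue": "hidden columns", "count": hidden_cols})
    return findings


if __name__ == "__main__":
    import sys
    # Audit a file given on the command line, or the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_workbook()
    results = audit_workbook(data)
    for f in results:
        print(f"{f['sheet']}: {f['issue']} ({f['count']})")
    sys.exit(1 if results else 0)  # non-zero blocks the posting in a review pipeline
```

A non-zero exit on any finding is deliberate: the reviewer should have to unhide and inspect, or delete, every flagged region before the file is approved for the website. The "veryHidden" state is worth handling explicitly because it does not appear in Excel's Unhide dialog and can only be cleared through the object model, yet the data is just as present in the file. Hidden rows and columns, cell comments and document metadata are separate places the same mistake can hide, so a posting review should treat "nothing hidden" as a requirement rather than "nothing visible looks sensitive".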
The Department commits to implementing all of the recommendations presented in the report as soon as practicable.
“The Department of State thanks Baird Quinn for their thorough review of this matter. We are committed to implementing their recommendations to ensure a situation like this never occurs again,” said Secretary Griswold.
Colorado’s elections are protected by multiple layers of physical and network security measures. All of Colorado’s elections, including the recent General Election, are accurate and secure. The below factsheet highlights the multiple layers of security, and how the Department of State verified the security and accuracy of the election.