The Legislature’s auditing division released a three-year study Wednesday that reveals significant information technology security weaknesses across 19 state agencies.

More than half the agencies failed to comply with IT security practices that protect sensitive information against data loss or theft. The findings show that no progress has been made from past reports that reflected similar concerns.

"It's a very serious situation," said Sen. Julia Lynn, a Republican from Olathe who serves as chairwoman of the Legislative Post Audit Committee. "Our constituents expect and believe their data is safe. These continual reports have shattered the faith of the Post Audit Committee that these issues are being seriously addressed."

The findings were presented to the committee during executive session, and a full report was published online.

The audit division studied IT functions at 19 state agencies from January 2017 to December 2019. Most agencies failed to scan and patch computers to keep them secure. They didn’t have adequate response plans in place, didn’t provide adequate security training, and didn’t encrypt, back up or destroy electronic data.

"The state will face significant consequences if hackers are able to access an agency’s network or confidential data because of poor security controls," the report warns. "A significant security breach could disrupt an agency’s mission-critical work, and their reputation would be sorely damaged. A breach also could require costly customer credit report monitoring and could create legal liabilities or financial penalties for the state."

The audit warns that hackers consistently target government agencies across the nation. In March 2017, hackers accessed 5.5 million Social Security numbers in a security breach at America’s Job Link Alliance, a Topeka company and contractor for the Kansas Department of Commerce. The breach affected individuals in 10 states, including thousands in Kansas.

The report blamed a lack of management attention and inadequate resources for the failures identified in Kansas agencies.

Kansas Department of Administration Secretary DeAngela Burns-Wallace assumed the role of chief IT officer for the state after arriving last summer. She has called attention to cybersecurity needs lacking in state government.

"Burns-Wallace has emphasized throughout her six months leading (the Office of Information Technology Services), robust cybersecurity is a critical need for the state of Kansas," said Samir Arif, spokesman for the Department of Administration. "Addressing cybersecurity deficiencies and developing a strong cybersecurity posture across state agencies is a priority."

Lynn said she planned to call Burns-Wallace into hearings for a better understanding of how agencies would respond to IT failures highlighted in the audit.

"I don't think we're going to tolerate very much longer any excuses about why this cannot get addressed," Lynn said.

Rep. Jim Gartner, a Democrat from Topeka and member of the post audit committee, said it was important to give Burns-Wallace a chance to make improvements.

"It just seems in the past there hasn't been any accountability, and people were moving the problems internally and not really getting to the root and fixing the problems," Gartner said. "I'm hoping this changes."

He said one of the problems in recent years was the inability to fill vacant IT positions at various agencies.

The audit is a warning sign, Gartner said, "and we need to get better."

"Everybody needs to take a look internally and do a better job of IT in their department," he said.