North Dakota's information technology chief faced lawmakers Tuesday about an audit noting undocumented electronic devices, some potentially containing private information of state residents.
The recent debate over the devices' status has included a confusing mix of terminology.
State Auditor Josh Gallion released a report in July of his regular, two-year audit of the state Information Technology Department. He noted 217 "unlocated" pieces of office, network and computer equipment in the department's 2018 inventory, including 24 devices, purchased for about $92,000, potentially containing "sensitive information."
That could be home addresses, phone numbers, Social Security numbers, usernames and passwords of state employees and residents. Gallion's spokeswoman said no such information was penetrated or used from the outside, but that the situation did pose a security risk.
Chief Information Officer Shawn Riley told the Legislature's Information Technology Committee the 217 devices "unaccounted for" have since been "reconciled" to 117, 10 of which could have sensitive information but are worth $0, such as a laptop more than 15 years old.
He said his department believes those 10 devices have been "purged" from the system but weren't inventoried due to paperwork errors.
The IT Department implemented a new inventory system in May, Riley added.
It's unclear if any devices are missing or lost. Riley has described the devices as "unfound," "unaccounted for" and "not inventoried."
Riley said any stolen devices would have "absolutely raised flags" and "impacted services."
Rep. Corey Mock, D-Grand Forks, who chairs the IT Committee, said he's glad lawmakers heard the audit report and Riley's response. He added that he understands the circumstances of the unaccounted items.
"It sounds like by all accounts that they're not missing; just simply, the records were not updated to say what happened to them when they were destroyed or purged in the process that they went through," Mock told The Bismarck Tribune. "But we needed to get to the bottom of it."
The committee's discussion lasted about 15 minutes. Riley and Chief Operating Officer Dan Sipes said their department was aware of the inventory issue before the audit report -- hence, the IT Department's new controls.
"Just to be clear, this isn't something, like, the audit discovered," Sipes said. "It's something that we've been managing and risk-managing all along."
Riley said he expects the remaining 117 devices to further decrease but not be fully accounted.
His department has said some devices are expected to be in place if electronically "pinged," but some can be verified only on sight, such as a worker seeing inside a public library's wiring closet.
"If we have to continue doing an eyes-on-device methodology, then that raises the overall time and cost of getting this done versus a verification of having to send out a computer signal, get a signal back and verifying that way," Riley said.