Secretary of State switches law firms for voting machine passwords investigation

The Colorado Secretary of State’s Office has hired a new law firm to investigate how passwords to Colorado’s voting machines ended up online.

Attorneys Beth Quinn and J. Mark Baird with the law firm Baird Quinn LLC will look into the security breach.  

They are replacing the office’s first pick for the investigation, a law firm that has deep ties to the Democratic Party. Several principals at that practice had donated to Democratic Secretary of State Jena Griswold’s past political campaigns.

Democratic leaders, including Colorado’s Speaker of the House, have called for an independent investigation after current passwords for about half of the state’s voting machines were found on a hidden tab on a spreadsheet posted by the Secretary of State’s office. 

Griswold’s office originally hired David Powell, with the Denver firm Garnett Powell Maximon Barlow & Farbes, to conduct a personnel investigation. 

One of the partners at the firm, Stan Garnett, is the former Democratic District Attorney for Boulder. His son, Alec Garnett, is the former Speaker of the Colorado House and previously served as Gov. Jared Polis’ Chief of Staff. Stan Garnett donated $2,250 to Griswold’s campaign between 2017 - 2022.  Another partner, Hubert Farbes, donated $2,400 to Griswold’s campaign, while a third partner, Josh Maximon, donated a small amount. 

The new firm is a boutique employment, labor and commercial law firm based in Denver, and neither partner has donated to Griswold’s campaign. 

The Secretary of State’s Office said going with Baird Quinn ended up making practical sense based on how quickly they could begin the investigation.

“They can get going on it in a timely manner, which we think is best,” said Kailee Stiles, a spokeswoman for the office. 

Stiles said the goal is to release a thorough report to the public as soon as possible. 

“The scope of the investigation is primarily: how did this occur, what was the breakdown in process?” Stiles told CPR News. “Our plan is to release as much as we can.” 

State law limits what specific information about personnel can be made public, and the report won’t contain sensitive information about security processes, she said.

How we got here

Voting machine passwords for equipment in 34 of Colorado’s 64 counties were listed on a hidden tab on a spreadsheet uploaded to the Secretary of State’s website in June. The state removed the passwords on Oct. 24, after an election vendor discovered it. 

The public first became aware days later, through an announcement by the Colorado GOP.  A conservative election activist said he discovered the passwords in August. He didn’t alert the state.  

Colorado election officials and vendors determined the password breach did not pose a security risk because of all of the other security measures the state has in place. Using the passwords requires in-person access to the voting machines, which are stored in locked rooms, under 24-7 video surveillance, at county clerk’s offices around the state. Entry to those areas is limited to a small number of background-checked staff.

But Griswold has acknowledged that having passwords posted in plain text in a spreadsheet violated the Department's standards and processes, even if they were never intended to end up online.

“Putting passwords on a spreadsheet is against department training and our data policy,” Griswold told CPR News in an earlier interview. “We do a lot of training and reinforcement that passwords must be stored in a password safe. We need passwords to be in an encrypted setting.”

Griswold said, to the best of her knowledge, the spreadsheet, including the hidden tab, was originally created by an employee who left the office on amicable terms earlier this year and that a subsequent employee, who was apparently unaware of the hidden data, posted the spreadsheet online. That person still works for the state. 

The Denver District Attorney’s office is also investigating the password situation on behalf of inquiries from three other DA offices. A person familiar with the investigation told CPR News there’s no evidence at this point of criminal activity.