State Board of Elections 
140 Walnut Street, Frankfort, Ky 40601 

State Board of Elections Board Member,
I am writing this letter to address concerns I have been having here at the State Board of
Elections over the past year or so. Certain situations have occurred that have raised red flags for
me, but I was unsure of how to have them properly addressed. As issues have piled up, I have
become trapped in a feeling of being stuck in quick sand. I feel very overwhelmed trying to figure
out what exactly my responsibilities are both by statute and by the expected standard operating
procedures inside of this agency.
You know by our limited monthly interactions that I am retired military and am currently
serving as the assistant director, but you may not know much more than that. Therefore I would
like to provide you with some background that explains my past occupation, so that you may
better understand how I conduct business in my professional and personal life.
I served as a Reconnaissance and Surveillance First Sergeant for the last 10 years of my
22 year military career. I led small teams and larger organizations ranging in size from 12-1000
people with a wide range of backgrounds (military, civilians, contractors, and foreign nationals).
I had extensive experience in combat operations, peace keeping operations, contract
management, and logistics integration. Our mantra was to never leave a man or woman behind,
whether it is on the military battlefield or in the civilian sector. I continue to live by the Army
values that were instilled in me at a young age: loyalty, duty, respect, selfless service, honor,
integrity and personal courage. I have always tried to do the hard right over the easy wrong. I
am a purple heart recipient, I own two Bronze Stars and eight Army Commendation medals, one
with Valor.
The issues I am about to share with you would have been easy for me to just look the
other way, but I feel it is my duty to try and protect the agency that ensures the sanctity of open,
free, and fair elections. I have been at times belittled, bullied, and flat out discounted during my
time with this agency by what I always considered to be my higher chain of command. This job
has become more stressful this last year than any other job I have ever had and it’s an off-election
year. I hit several IEDs in Baghdad during the surge of ’06 and have been wounded in combat, so
Page   1

 that is saying something. The stress is not due to normal operations at the State Board of
Elections. My wife on many occasions has asked me to resign and take a job closer to our home,
near Ft. Knox and just be done with it.
I have outlined several major issues in this document that I feel need to be addressed. I
would have come to you sooner, except I only had theories. It has taken time for these issues to
fully develop and for me to analyze the situations created by these issues. I feel I now have
enough information to give you a more accurate picture. I want to explain to you the issues that
have made me uneasy and the steps I have taken to look into them.
I was told by Maryellen Allen upon accepting the Assistant Director position that we are
not to discuss anything directly with the Board members and that if we needed to send them any
correspondence, it should be sent to Lindsay Thurston first, for vetting. These same parameters
are in effect for any correspondence or documents that need to go to all 120 County Clerks. I
asked why this was and she stated that was the directive from the Office of the Secretary of State.
I believe this is to keep everyone compartmentalized, to better control any information that is
needed for decision making processes.
Therefore, due to having no clear channel to discuss my concerns, I put myself on the
record at the Executive Branch Ethics Commission back in June, 2017, regarding the concerns
outlined in this document. I wanted a second opinion of my concerns to ensure I was not making
a mountain out of something that maybe was only a mole hill. When I filed the complaint, I
became a protected whistleblower under KRS 61.102(1). The SBE and its staff are currently being
interviewed by the Ethics Commission’s investigators on the filed complaint, which I have listed
in the attached documentation. I have felt that my employment has been in jeopardy for the last
year, due to my questioning of directives that have been given to my agency by the SOS and her
staff.
It is my belief that sometime in the beginning of August the Secretary of State and her
assistant, Lindsay Thurston, were sent letters by the Ethics Commission informing them that they
were under investigation. Around this same time, the SOS and her staff started to distance
themselves from the SBE. The SOS staff up until this time was involved in every facet of
operations at the SBE. If there was something that we as an agency felt was not appropriate or
would not serve as a value to our agency, we were dismissed at every turn and told that it was
happening, no ifs, ands, or buts.
By statute at KRS 117.025(1) and (2) (Attachment #8), we are supposed to have a Director,
Assistant Director, Training Officer, and General Counsel to carry out our duties. One of our
biggest problems is that we have not had a general counsel since I started working here. If we
have a question as to whether we should or should not be doing something dictated to us by the
Page   2

 SOS, then we must consult the SOS general counsel. You can guess what the answer always is:
we should do what the SOS is directing us to do. We also share an HR person with the SOS. It has
been made clear to me over the last year that any staff action that we are discussing inside of
our agency must first be run by the Assistant SOS. Two weeks ago our receptionist retired due
to the proposed pension changes. We called to set up a meeting with Michelle Starkweather to
discuss the vacant staff position and what we planned on doing in regard to it. Michelle
Starkweather told us in the meeting that she would have to run this by Lindsay Thurston to see
if she would be alright with it. The SOS office has effectively strangled the State Board of
Elections, essentially making it just another branch of the office of SOS. I’m pretty sure this is not
how the statute intended this office to be run, but I could be wrong.
It is my professional assessment that the SBE is currently operating in a toxic work
environment. I believe this has been caused by the continual circumventing of the SBE Directors
by the SOS and her staff. The SBE directors and their staff are not allowed to carry out their
duties as prescribed in the statute because of the constant micromanagement occurring by the
SOS and her staff. It is the complete control exerted by the Secretary of State and her staff over
SBE that has directly led to the concerns I have laid out in this document. In my opinion, the only
way these problems can be corrected and avoided in the future is if the SOS office is completely
cut out of the SBE’s daily operations. This starts by hiring an SBE general counsel and hiring or
upgrading a current staff position to an HR position. These steps ensure that the SBE is able to
act independently of the SOS office, and to be held accountable by the entire Board, rather than
only by the SOS.
While I realize the following descriptions of events are lengthy, I ask you to please give
them a full review so that you may better understand why I am so concerned about the integrity
of this agency. Everything below has been turned into the Ethics Branch.

Matthew L. Selph

Assistant Executive Director

Page   3

 WEBSITE JUNE 2016
SBE has one massive primary system, the Voter Registration System. VRS is used daily in all 120 counties.
VRS is also accessed in real-time by Circuit Clerks across the state every time a KY Driver’s License
application is filed.
There are also six separate database-driven web sites, including Online Voter Registration (OVR) and the
Voter Information Center (VIC).
All of these complex data systems must be monitored, maintained and upgraded on a continuing basis.
All of these systems must also maintain Federal data integrity and security standards. Our IT team
consists of two full-time and one part-time contract software engineers and one IT Specialist.
With so many state agencies depending on VRS remaining available, system architecture plans are made
years in advance to ensure that VRS does not fail. Detailed planning and scheduling is performed weekly
by our engineers, with management oversight, to ensure that mission-critical maintenance, new
functionality and bug fixes are all prioritized and implemented as quickly, and seamlessly, as possible.
Failure is never an option for VRS, but it is especially critical that VRS remain stable during election
cycles. Therefore it is crucially important that any serious bug fixes, major new system functionality, or
business process changes occur only during off-election periods.
The three hour planning session we conducted on May 26, 2016, is typical of our development staging.
We identified the time we had available before the General election cycle began and then we
determined what needed to be accomplished during that four month period.
It was shortly after the three developers had begun to work on the projects outlined in the May 26
meeting that Tom Watson and Steve Spisak were diverted directly by the Secretary of State’s office.
Bradford Queen and Matt Daley had been tasked with overseeing a new project that SBE’s developers
were told was top priority; to start work on a new web site for the SBE.
Neither I, nor my director, was notified of this proposed project or that our developers were being
directly tasked by individuals from another agency.
Upon our discovery that our developers had been told to put our system fixes on hold and instead to
focus on a project that I had previously investigated as important but that was most definitely not
mission critical, I notified Matt and Bradford that our IT team was needed for critical SBE VRS work that
had been already delayed for months simply due to a lack of time. I also explained how important this
particular list of pre-scheduled work was, especially in light of the forecasts for a larger than usual
Presidential election. We also discussed what the ramifications could be if SBE personnel didn’t
complete the assigned work in the short window of opportunity that was available. I was then told by
Bradford, “You know the deal, she (SOS) wants it to happen, so it’s happening“.
After thinking all of this through and discussing their work loads and the importance of the tasks
identified in late May with the both the IT staff and my director, I made one last attempt to halt the
Page   4

 work now being done on the new SBE website. But again I was told that it was useless to fight it, and to
“do your best” to get the system corrected using only our 3rd developer.
I worked over the next two months without the assistance of two crucial team members, both of whom
were now focused primarily on trying to meet a very rushed SOS imposed deadline for the new site. The
developers were given a timeline of 7 weeks or so to complete the work on the website. They
completed the work on the 8th week and turned it over to the SOS staff. To my knowledge, it was never
discussed again. I’m not sure of the reason, but the website was never published and is still sitting on a
server collecting dust.
During that same period of time, our one remaining developer and I were able to complete some of the
items on the May priority list, but not all of them. Even the tasks we did complete were never
thoroughly tested, because testing takes people and time, and we had neither. This eventually turned
into an issue; just as our IT team had feared.
Once the registration books closed we found that we had missed something in the work flow of the
registration process. Because of this, our system encountered a failure that resulted in over 10k
registrations being temporarily lost somewhere between the COT and SBE servers. Even though we did
eventually catch this issue on the last day of registration, it was an avoidable bug which testing would
have exposed. This one single misuse of time and resources ended up causing a ripple effect across the
state with new registrations popping up in every county with some having hundreds to process after
they thought they had already been completed.
There were other problems created by our team not having the time to address the issues they had
previously identified as critical, too many to detail. Although our systems are reliable and robust; they
are also vastly complex and complicated systems.
Bottom line? Our overworked staff does NOT have the time for frivolous, spontaneous, ill-planned and
poorly executed side projects.
To this day I’m not sure why the website became a sudden emergency priority between our busiest
Primary and General Election in recent history, but it did. It caused us to not be able to complete work
that desperately needed to be completed, all for a website that was then never used.

Page   5

 VRS Audit Feb 2017
In the beginning of February we were notified by a county that a polling location had been deleted from
the VRS. This was alarming since only one SBE staff member deals with polling locations and this change
had to have happened from within the VRS system.
In an effort to identify how this may have happened, I investigated our VRS user list and their access
levels. I was surprised to find that there were over five SOS employees who had VRS accounts and that
they had full “Admin” rights.
This seemed more than odd to me, since it had never been discussed that they would have access to the
VRS system at all. I checked with IT and was told that they thought they might have been given access to
monitor the Complaint System on Election Day. I was also informed that the Complaint System should
probably be removed from within the VRS system so that it could have separate access controls and that
really it didn’t belong in the system at all. This was an adequate explanation and didn’t raise any alarm
bells with me or the staff.
We later discussed the deleted polling location mystery during a staff meeting with Mary Sue Helm in
attendance. Sometime after the meeting, Mary Sue sent me an email saying that she had looked at her
access and found that she had “Read only”, so it couldn’t have been them that had deleted the polling
location. I replied back to Mary Sue explaining that while investigating I had found other SOS employees
that also had VRS access. I also noted that the reason she now had “Read only” access was because
previously, somehow they had all had “Admin” access and that I had changed them to “Read only”.
Considering the situation settled, I forgot all about it until a week or so later when discussing how we
might keep tighter controls on our VRS access, my senior developer told me that from now on all access
changes had to be approved by him and/or Maryellen Allen. When I questioned him on his reasoning for
that decision, he explained that he and Maryellen had recently been called over to the SOS office for a
very serious meeting with the Assistant SOS and that he wasn’t supposed to discuss it further.
In an effort to better understand what this was all about I asked him to tell me what he could. He
explained that at the meeting Lindsay had mostly focused on speaking very seriously with Maryellen but
that she had also expressed concern to him about who had access to the system and what that access
level was. She had also asked him if he knew how SOS personnel had gotten access and why they had
“Admin” rights. He explained that it had never occurred to him until the polling location investigation
that SOS personnel would have ever had access to the VRS and to his knowledge they previously had
not.
In preparation for the meeting, he had also been asked to provide a spreadsheet containing all SBE/SOS
staff that currently had VRS accounts and their access rights. During the meeting, they reviewed this list
and he was instructed, by Lindsay, on who to remove and what access levels to give to those remaining.
Even though he was discussing it with the Assistant Director, he remained uncomfortable because he
had been instructed to personally enforce system access in the future and not to discuss it further.
I found this all to be very curious and started investigating how this could have happened. I talked to
Aaron Gabhart and Keith Miller, the staff members that had previously authorized all VRS access. They
were both adamant that they had never granted any access to anyone on the SOS staff.
As I continued looking into this issue, I finally discovered that Steve Spisak, who is on loan to us as a
part-time developer from the SOS, was told by Lindsay Thurston to ensure they had access to the
Page   6

 Complaint System for Election Day. Since the SOS staff is in a different user domain, they could not be
granted access through the normal routes and would have to be tunneled in directly through some
other manner. I knew that the SOS staff had access to the Complaint System, but had previously
assumed that they had been given access through our normal protocols. It had not been alarming to me
that Steve had given the SOS staff VRS access for Election Day complaint system monitoring since it was
necessary on Election Day and the Complaint System had not yet been moved out of VRS.
What was unsettling is the overreaction of the SOS office once I discovered that SOS staff members had
VRS access with “Admin” rights and had them set to “Read only”. It is also concerning that once again;
very important decisions were being made outside of our established agency protocols. This time, even
our security measures for VRS access were circumvented by SOS staff, (which led directly to the
confusion over access as there was no way for us to track what Steve had done at their request).
Even after finding out all this information, I still wasn’t sure why this had escalated so quickly and blame
assigned to SBE. I was told later, by a staff member that has been here for several decades, that the SOS
staff has never had access to the VRS system and that he thought that there had been an opinion given,
(Attachment #2, pg4) by the Ethics commission on the matter and that might be why this has become
the issue it has. I don’t know, but I am forced to conclude that this could also explain why the Director
and the SBE senior developer were called directly over to the SOS office under strict confidentiality?
Whatever the actual answer is, the SOS staff logins continue to this day. I have attached a sample from
our Voter Registration System logs (Attachment #2b) of the continuing SOS staff access from 3/17 to
today.

CyberScout Feb 2017
A company by the name of CyberScout was introduced by the SOS during our February Board meeting.
We were told that the company had been discovered by the Secretary herself at a National Association
of Secretaries of State (NASS) meeting.
During the meeting, CyberScout gave a brief presentation of services that they offered. It is important to
note that the Board also went into a closed session, for a personnel action, during this meeting. At the
end of the meeting, the Secretary made a motion to continue to engage with CyberScout and the
motion passed.
We were then directed by the SOS to investigate the CyberScout organization and determine if the SBE
could use their services. We assigned this to our senior developer, Tom Watson, since he has the
technical expertise on what we should be looking for in a cyber security company and had already been
engaged in discussions with several leading security firms for some months previous to this meeting.
After a week, Tom briefed Maryellen and me on his CyberScout findings. Tom showed us what their
background was, (data breach insurance and public relations remediation), and what services they
currently offered. Tom’s opinion was that CyberScout seemed to be new to both practical security
methodologies and working with the public sector. From their own documentation, and the fact that
they had only recently introduced their new security auditing services, (after renaming their company to
Page   7

 CyberScout from IDentity Theft 911 in early 2017), it seemed obvious that they didn’t have the handson, real-world security experience or expertise that we were seeking. Maryellen and I then decided that
we should continue to pursue a contract with Trustwave, one of the companies that our IT team had
also been investigating.
In the beginning of March, Maryellen and I met with Lindsay to discuss upcoming SBE projects. During
this conversation we discussed CyberScout. We told Lindsay that we had looked into CyberScout and
that we did not want to pursue them for a contract and the reason why. After the conversation Lindsay
told Maryellen and I that she would pass the word up the chain and not to worry, they would back off
the CyberScout project.
One week later the March Board meeting was held. At the end of this Board meeting, the SOS informed
the Board that the SOS and SBE had decided to move forward with CyberScout and there would be more
information to come. This news was a complete surprise to us, since we had decided as a staff that this
company did not offer the level and type of security services that we needed, and had been assured by
Lindsay not to worry about it.
A short time after this, our financial officer, Katrina Beckley, came to me with an issue. Katrina told me
that she had received a call on her personal cell phone from Lindsay asking her to approve a contract
payment for CyberScout.
Katrina asked me if I remembered a Board vote being taken by the SBE Board to authorize a contract. I
told Katrina that I didn’t remember a vote being taken. I went and pulled up the Board meeting minutes
to ensure there hadn’t been something I may have missed. The Board minutes reflected no such vote
and I relayed this to Katrina.
Katrina came back to me stating that she had received another call from Lindsay asking her again to
authorize the payment. Katrina expressed to me that she did not feel comfortable with Lindsay calling
her directly, asking her to do this.
Katrina explained that there is a protocol for these types of actions and that she needed Board minutes
and Maryellen’s authorization for it to be completed. I went and asked Maryellen if she knew what was
going on with the CyberScout contract, specifically a contract authorization and that Katrina was
receiving calls from Lindsay to authorize the transaction. Maryellen was surprised and said “no”, she had
no idea what was going on with the calls from Lindsay and that she would call her to try to find out.
I was not in the room for the call, but after the call, Katrina and Maryellen told me how the conversation
went. This is what I was told: The call was on speaker to Lindsay Thurston. Maryellen asked what was
happening with this CyberScout contract approval. Lindsay told Maryellen that the SOS office had sole
sourced (Attachment #3) the contract and that we needed to go ahead and approve it. Maryellen then
asked about how it was sole sourced and who sole sourced it. Lindsay replied that there was no need for
us (SBE) to worry about the sole source documents. Maryellen then told Lindsay that we could not
authorize the contract without a Board vote, reflected in the Board minutes. Lindsay replied that the
Board had voted on it and again told Maryellen to authorize it. Maryellen then explained that we had
looked at the Board minutes and there was never a vote taken. Lindsay then said that the vote had
happened when the Board was in closed session. At this point, Maryellen had Katrina leave the room
and continued the conversation in private.
After the phone call was finished, Maryellen told Katrina that she was to authorize the $304,000.00
contract. I asked Maryellen again what was really going on and did we at least have a scope of work
Page   8

 document or contract terms? Maryellen said she had none of those things, but was told by Lindsay to
“authorize it or else”. I asked Maryellen what she thought, “or else”, might mean. Maryellen told me she
was not exactly sure, but she took it to mean that she would be fired.
At this point, I reached out to a few Board members in an effort to understand what was occurring. I
asked if there had been a Board vote during the closed session. I was told that “no”, there was no such
vote during a closed session. I asked if the Board knew that a contract was being authorized and was
again told “no”, as a matter of fact they were waiting to see what the scope of work and cost was going
to be.
Upon learning these distressing facts, I then tried to stall the authorization for a few weeks to see if I
could find out what was happening with this contract. After trying to pursue many different avenues, I
came to the conclusion that there was nothing more I could do about it and that this contract was going
to happen.
Near the end of April, Maryellen was attending an election conference in Texas. During this time, Tom
Watson and I had a meeting with Lindsay to discuss CyberScout. We carefully laid out our concerns and
explained that as an election system, we face a uniquely daunting task in today’s threat-filled
environment.
We reminded her that our IT team has been working with both the FBI and Homeland security for
months on these very issues and that their recommendations were to pursue “world-class protection”,
provided by industry leading companies with the size, experience and highly sophisticated equipment
needed to get our election data secured as quickly and robustly as possible. We were also in continuous
discussions about our specific security needs with David Carter, the Chief Information Security Officer
(COT CISO) for Kentucky. All of these organizations were pointing us toward highly sophisticated,
specialized equipment managed by teams of certified security specialists.
We explained that even though we do not have the budget, we are working with all of these
organizations in a continuing effort to implement as many of the recommendations as possible. We
reiterated that the entire IT department was in solid agreement that for our specific needs, a “security
audit” from CyberScout would be a waste of our time and money and that it would provide very little, if
any, of those specialized security services.
Lindsay replied that it was a “done deal” and to “move on”. Unbelievably, she then asked us, “Why don’t
you want an audit, what do you have to hide”?
This was a stunning statement for me and I quickly realized that if I were to lobby against this anymore, I
would be classified as someone trying to hide something.
Lindsay then went on to tell me that I needed to pull an RFP for EPoll books out of procurement. The
RFP had been over there for weeks waiting its turn in line to be proofed. I asked why we would want to
pull the RFP back and explained that if we did this it would put us a month behind our proposed
timeline. Lindsay said she needed to make some technical changes. I asked her what changes
specifically, since it had already been approved by COT? Lindsay said again that she just needed to make
some changes to the RFP. I pressed her on it, because Lindsay has no experience with poll books, let
alone technical issues. Lindsay pushed a document to me to look at, and then said that she needed it
back. I felt something was suspicious about this and took a picture of it so I could analyze it for more
information later.
Page   9

 (Please refer to E-Poll Books - May 2017 for more information regarding Attachment #4.)
The CyberScout contract was finally approved by finance. At the very least I was able to get the contract
budget terms changed. The contract was set up by the Office of the SOS and finance to pay CyberScout
$150,000 for the month of June 2017 (end of fiscal year 16) and an auto renew payment of $150,000 for
July 1 (fiscal year 17). I had the end of year 16 combined with 17 for a total of $150,000, so all they will
receive this year is $150,000, instead of the agreed upon $304,000.
st

CyberScout arrived at the State Board of Elections offices in June for a preliminary meeting. The entire
SBE staff met with four CyberScout staff, Eric Hodge, Harri Hursti, Brian Huntley and an intern. The
meeting for the most part was uneventful, but one statement stood out to me. CyberScout said they
have done work in Ohio. I know the assistant director of elections in Ohio and asked him if he knew who
CyberScout was and if so, how did they do up there? The assistant director would eventually write me
back saying he had never heard of them, but would ask his staff and reach out to some of his local
jurisdictions.
The meeting continued with CyberScout asking us vague questions about what we think they should be
doing while here. At the conclusion of the meeting they outlined four objectives that they had gathered
from the meeting and would focus on those for the duration of the contract. Our IT staff engaged
directly with them for hours and hours trying to understand how they were going to “assist” us with our
security needs. Even after weeks of working with them, we are all still unsure of what it is they doing.
The assistant director of Ohio eventually returned my text and told me that he had checked with the
Ohio SOS staff and his election staff and no one had heard of CyberScout. He asked me if I had said that
CyberScout employed a hacker. I said yes and he is actually in my conference room at that very moment.
He then sent me an article to read about an upcoming conference in Las Vegas called DEFCON. He said
that Ohio had been warned to be on the lookout for hackers and any type of unusual hacking attempts
on their systems.
I read the article that outlined what DEFCON was going to be and asked Hari Hursti if he knew anything
about DEFCON. He said “not only do I know about DEFCON, I am the co-founder of DEFCON”. I couldn’t
believe what he had just told me. I passed this information up the chain to ensure everyone was alerted
of the danger of having this “ethical” hacker inside of our building about to embark on an internal audit
of our VRS. The SOS office replied back later that day that they already knew this information and to
continue on. I sat there stunned.
At this point we just tried to make the best of it and hoped at the end of this contract we might get
something of use out of it. We had a few more teleconferences with them that always seemed to go
nowhere. Our IT staff rapidly became even more concerned as the CyberScout team exhibited no
interest in, or knowledge of, security devices or the security layering of applications. Even though asked
repeatedly for information on these crucial areas, neither was ever addressed.
Right from the start, CyberScout reported directly to Lindsay Thurston, and they still do to this day, even
though they are under contract with the SBE. The few sparse written updates SBE has received are
virtually unreadable. They consist of vague concepts and organizational notes with virtually no actual
meaning.
In the meantime, Lindsay had instructed Maryellen to coordinate a CyberScout visit with two counties. I
asked Maryellen if the counties were covered under some sort of non-disclosure agreement with
CyberScout. I was told that no, they were not covered.
Page   10

 I suggested that we might not want to call clerks and arrange meetings for a company that wants to
hack voting equipment without assurances of complete privacy and secrecy of the findings. Maryellen
agreed but said that she had been told to do this by Lindsay and that if she didn’t it would be considered
“insubordination”.
Maryellen arranged the meetings with the counties and the counties accepted the visit. I felt I was in
between a rock and a hard place at this point. I knew the counties agreed to this visit because they knew
we would never send anyone to them that would put them in any type of jeopardy. I decided to call
those counties and explain a little bit more about the audit to them and suggest that at the very least,
they needed to make CyberScout sign a NDA.
To understand the full scale of what is happening you would have to look at the few scattered and
confusing documents that they have produced and speak to the SBE staff that have been forced to work
with them. Maryellen and I have insisted that our IT team try to get something of value from CyberScout
and continue to cooperate in a good faith effort. But at the end of the day, there just hasn’t been any
tangible result to their “audit” at all.
It is important to look at the original sole source document date that was sent to finance (Attachment
#5). It appears that this document went up to be approved the day before the February Board meeting
where they were first introduced.
I am unaware if this document has any importance, but feel it at least needs to be looked at by others
that may have more insight on it (Attachment #6).
During the CyberScout sequence of events, I couldn’t shake the feeling that something was very wrong
with this contract. I asked many questions of many people and decided that I needed to go on the
record with my concerns. I went to the ethics branch and filed a complaint which officially made me a
whistleblower. My complaint was reviewed by the ethics branch board members. An active
investigation is currently ongoing.

E-Poll Books-Proposed $5.5 million contract - May 2017
In January of 2016 I was tasked by the SOS to spearhead an ePoll book pilot program. I was told to find a
vendor that would be willing to come to Kentucky and let us do an ePoll book pilot in multiple
counties. Over the next few weeks I reached out to several vendors to see if any of them would be
willing to do a pilot program for Kentucky.
Only one vendor, by the name of Tenex, volunteered to participate in the pilot program. After several
months of working together, we successfully conducted an ePoll book pilot in 6 counties for the primary
election of 2016.
I was again tasked by the SOS the following September to see if Tenex would also participate in a
general election ePoll book pilot program. I reached out and Tenex again volunteered to provide ePoll
books for the same six counties for the general election of 2016. As both pilots were a complete success,
it was decided by SBE to move forward with the ePoll books RFP process in February of 2017.
During the next month, I finished the first draft of the RFP. All through this process, I was in contact
with the Finance Cabinet’s Procurement office and followed recommended process accordingly. It then
Page   11

 took many weeks to get the RFP moving because Finance had to perform several preliminary checks,
with multiple agencies, that needed to be completed before the RFP could be put out to bid.
Once their requirements were all met, I sent the RFP draft over to procurement so it could be assigned
to a procurement officer. There were only two procurement officers on staff at the time, so there was a
lengthy list of RFPs in front of ours. It then took our RFP two more months to move towards the top of
the list.
In April, I was notified by Lindsey Thurston that the RFP needed to be pulled out of procurement. I
asked Lindsay what this was about and why it would be necessary to pull it out of the procurement
process. Lindsay told me that she wanted to make some “technical changes” to the RFP. I asked her
what “technical changes” since it had already been through the COT technical approval process. Lindsay
stated that she “just needed to make some technical changes”.
I explained to her that if we pulled it out of the procurement process that we would be at least another
month behind, and that each month we wasted would put us up against an impossible implementation
deadline. Lindsay then handed me a document, while talking to Tom Watson, to summarize the
technical changes that she needed to make. When I looked at the document, I realized that CyberScout
was on its heading. I knew that CyberScout was not approved at this time to do work in Kentucky since
finance was still trying to approve the contract, so I took a picture of the document. (Attachment #4)
Later that day, I was thinking all this over and questioning why Lindsay would have any “technical
changes” to make to the RFP when I realized that it had probably come from CyberScout. They had
already been doing consulting work for the SOS on the ePoll books RFP even though they were not on
contract.
As the primary POC for the RFP, I had a very real fear that this uncontracted vendor might be working
with an ePoll book vendor. If this were the case, it would jeopardize the ePoll book RFP we had just
spent a year working on.
In spite of my worries, I pulled the ePoll book RFP from procurement and sent it to Lindsay like she had
asked. Lindsay then kept the RFP for 8 more days. During those 8 days, the chain of custody of the RFP
was broken and I now had no idea where it went, or whose hands had been on it.
After Lindsay returned the RFP to me, I looked it over and realized that there had indeed been changes
made to the technical requirements, just as I had feared. Having no choice, I took the RFP and sent it
back to procurement again. The RFP sat at procurement for a few more weeks until I received an email
from Nikki James who had been assigned as the procurement officer for this RFP. She explained that all
further communications concerning the RFP would be only with her.
That same Friday, Nikki sent me another email saying that the format of the RFP now had to change to
the new fiscal year 2017 format. I then sent Lindsay a note saying that the RFP had finally been assigned
to a procurement officer and that the procurement officer also said that the format had to be changed.
I replied back to Nikki James and told her that I was in training on Monday but would get it back to her
with all of the changes on Tuesday. On that following Tuesday afternoon, I sent the RFP back to Nikki
with the required changes. Nikki sent me an email back asking if the RFP I had sent was the one to
accept, or was it the one that Lindsay had sent her the day before. I was unaware that Lindsay had also
sent Nikki an RFP and requested that Nikki send me that copy so I could see what Lindsay had sent to
her.
Page   12

 Nikki sent me the RFP that Lindsay had sent. The RFP had some slight discrepancies and I told Nikki to
use my copy. The next day, Wednesday, I was sitting in my staff meeting and received an email from
Nikki James supervisor. The email was sent to me and Lindsay, and it was asking which one of us was the
POC. I replied back that I was the POC for the SBE.
Lindsay replied back within the hour stating that she was the POC. After reading this email, I went and
talked to Maryellen and asked her what was going on with the ePoll book RFP. She read the email chain
and then told me that she had no idea what was going on with the RFP and that she would call
Lindsay. During this call, Lindsay told Maryellen that she was the POC and that she would come to our
office later to explain why.
Lindsay came to our office the following day, Thursday, for a meeting to discuss ePoll books and
CyberScout. During this meeting Lindsay stated that since I had been in charge of the ePoll book pilot
program that she was removing me as the POC so as not to jeopardize the RFP because of conflict of
interest.
Lindsay stated that she knew it was their fault that I had to work with a vendor for the pilot, but
nevertheless, it could be construed as a conflict of interest. I was ok with this after talking it over with
her, but told Lindsay that someone in SBE should be the POC and it should probably be Maryellen. This
idea was turned down by Lindsay and she stated that she would remain the POC. Maryellen and I talked
about it and Maryellen also agreed that she should be the POC, but was told we were done discussing
the subject any further.
At this point Lindsay told me not to have any more contact with vendors and also gave Maryellen and
myself an order not to discuss ePoll books with any county clerks. If county clerks called me with a
question, I was to tell them to contact Lindsay. I was concerned that if I did this, the county clerks would
lose faith in our agency on this project and slowly distance themselves from it. I complied with the
directive while still trying to do my job communicating with county clerks on other issues. Even though
we had not missed any county clerk conferences in over two years, Lindsay also directed us that we
were not to attend any conferences. I argued against the wisdom of isolating ourselves from the county
clerks association, but was told that the decision had been made.
My fear with Epoll books is that it was taken away suddenly after CyberScout became involved. Nothing
about the RFP after it was taken by Lindsay has been discussed with anyone at the SBE in detail. The
selection panel to choose E poll books was comprised by Lindsay and was made up of 2 SOS staff
members, 1 CyberScout staff member and Maryellen and no county clerks, as was originally agreed on. I
was then told by Maryellen that Lindsay stated to her that the panel was selected by Nikki James and
they couldn’t help who was put on to the panel. I knew this to be untrue and because of this small
unnecessary deception, I remain suspicious of the entire project at this point.

Page   13

 VRS Data Breach Aug 2017
We have strict protocols for who has access to the VRS and the different levels of access depending on
your job here at SBE. When you log into VRS, you are immediately presented with a security banner
(Attachment #7) and an icon authenticator, to ensure that you are an authorized user and that you
understand what you can and cannot do on the system.
In August Steve Spisak came over to our office. He was visibly upset about something and started to
vent to Maryellen and I, in her office, about something that had just happened over at the SOS office. He
stated that he was called by the capital police and asked to move his car from where it was parked.
Apparently, he had been given a parking spot by the SOS many years ago. Steve went up to the SOS
office and talked to someone there, I think he said Lindsay, but cannot be sure. He was told that they
had hired someone new to the SOS staff and that the new person would need his parking spot.
This did not sit well with Steve, who is in his 70’s, and would now have to walk a great distance to get to
his office there. As Steve was venting to us he mentioned, “I can’t believe they have done this to me”
and then started talking about all the decades he has worked for the office of SOS, etc. During this rant
Steve mentioned, “Especially after all of the things they’ve had me do for them”.
I asked Steve, “like what things”? Steve replied with, “I’ve done a lot of software work for them an many
projects”. Then he said, “ and other things, like the times they had me come over here and download
data for them.” This peaked my curiosity and I then asked him, “what types of data?” Steve said, “Voter
registration data.” I asked him again to be sure I had heard him correctly, “what types of data?” Steve
replied with, “All kinds of data, like during their elections, they would ask me to come over here and get
data for them.” I asked Steve how many times this had happened? Steve replied, “Probably 3 or 4 times
. . . every time they were running”. I asked, “ Is they the SOS ?” Steve replied, “Yes”.
I also asked, “Why didn’t they get the data like everyone else got the data?” Steve replied with, “Well,
they said they paid for the data already and that I just needed to come over and get it, so I did.” I asked
Steve, “Well, if they paid for the data, they would have been given a disk by Sheila like everyone else?”
Steve started realizing at this point that there was probably about to be a problem and stopped
answering my questions.
There are several problems with this situation. For starters, there is an established protocol for people
that want voter registration data. If you want data and you are a candidate, you submit a “Request for
Data” form that is either approved or denied by the State Board of Elections, depending on your
eligibility criteria. If you are approved you pay a $450 fee for each request. Upon receipt of the fee, you
receive a disk containing only the data that was requested. (There is one payment of $450.00 on record
by the SOS campaign, but only one).
There is also the issue of data security and privacy laws. There is data that can be released and data that
cannot be released and following the process allows our staff members to ensure that nothing leaves
the building that shouldn’t, in any format. Data that is released is documented, recorded and tracked
through every step of the system to ensure that everything was done properly.

Page   14

 When the data was taken out of this building on a thumb drive, that trust was broken. We have no way
to know what was on it, where it went or what it was used for. For all we know, it could have been the
entire data base. I don’t think that is was. But that’s the point, because it was taken in this manner, I just
don’t know, and actually, we will never know for sure.
This is wrong on so many levels it is hard to describe them all, but in particular this worries me because
if the data was copied and then shared between machines it could be picked up by someone nefarious
and broadcast to the world. It would then appear as though the SBE was hacked or careless with the
entrusted state VR database. Either of these situations is bad for everyone involved, but especially for
those of us who safeguard this data on behalf of the people of Kentucky.

Website 11 Oct 2017
All of us from SBE who were in attendance at the September board meeting were shocked to discover
that the SBE was receiving a new website. This website took me completely by surprise as there has
been no discussion of launching a new SBE site, either in our office or from the SOS office.
Maryellen and I discussed this and she told me that she had been told that the SOS was reviewing
content for the new website earlier in the year, but she had thought they were talking about the new
website that they had insisted our developers create the summer before.
When asked about this new website, SOS staff said they had been working on it for the last year.
In other words, another agency had been working on a website, for our agency, for an entire year. A
entire year without even one discussion with our agency about the design or content or even that it was
being done at all.
On the morning of October 11th, we were notified by the SOS media director, Bradford Queen, that he
would be coming over that afternoon to discuss the new website. Maryellen told me, Aaron Gabhart
and Sandy Milburn to be at the website meeting. We sat in the meeting that afternoon as Bradford
Queen told us that they were launching the website the next morning.
This again took us by complete surprise and Maryellen asked how they could possibly launch a “State
Board of Elections” website without us even looking at it?
Bradford said that we could “look at it now”. Maryellen stated to Bradford that she was a little shocked
by this and it seemed like we would have been in communication well before the eve of the website
launch and press release to ensure the website had no errors. Bradford replied to Maryellen saying
“That’s why I am here now”.
I then told Bradford that this entire situation seemed inappropriate to say the least. I asked him why the
SOS office would make a new website for SBE, especially after I’ve been trying to update and/or create a
website for the last three years for my agency and have been consistently told “no”. Bradford told me
that the reason they had made this new website was because they knew how busy we had been over
here, and they wanted to take some of the burden off our shoulders.

Page   15

 I told Bradford that while we are very busy at the State Board, I am a very experienced manager, more
than capable of successfully running multiple projects at one time, hence the notbook full of website
design notes and multiple meetings with Kentucky Interactive. Bradford then stated again that “we
know how busy you are, so we decided to do it”.
I then asked Bradford who had the administrative rights to our website. Bradford said that we would
share administrative rights. I asked him why the SOS would have admin rights to our website and he
said it was so that he could make changes as well. Prior to this the SBE website was controlled solely by
the SBE staff. I then turned to Maryellen and told her that in my opinion “we should not launch this
website tomorrow until we work out who is in control of this website and until we have had a chance to
thoroughly examine every page of content”.
I then excused myself from the meeting. The website was launched the next day with no regard for our
needs or opinions or expertise. Very predictably, the following week has brought many major content
errors and data omissions that we could have easily caught and fixed if given the common courtesy of:
1) Knowing we had a new web site under development.
2) Being allowed to decide what our agency needs and wants on our own website.
3) Having a decent amount of time to proof and test the new site.

Budget Meeting 16 Oct 2017
As I was driving home to Elizabethtown, on Oct 16th around 5:30, I received a text from Katrina Beckley,
asking if I was still at work. I replied no, that I was driving home. I then received a phone call from
Katrina. I could tell that was very upset by the shakiness of her voice. I asked her what was wrong. She
said she had received a phone call earlier in the day from Michelle Starkweather (SOS/SBE HR)
requesting a budget meeting.
She said she had told Michelle that wouldn’t be a problem and to come over later in the afternoon.
Katrina also told me that she thought this was strange because Michelle had just been over, the week
before, going over the budget and that everything had been sorted out then. When Michelle arrived,
she went into Katrina’s office and shut the door. She asked Katrina if the meeting could be confidential.
Katrina told her yes, it could be, unsure of what the meeting was about. At that point Michelle sat her
phone on Katrina’s desk and sat back in her chair. Katrina said she thought it was odd that she would
set her phone on her desk and then sit several feet back in her chair, and she wondered then if Michelle
might be recording their conversation.
Michelle then told Katrina that she shouldn’t feel that she should have to answer her questions just
because she had been given a pay raise the previous month. Katrina told me that this initial statement
had made her feel very uneasy.
Page   16

 The next question that was asked to Katrina was, “Is anyone over here scared of Matt?” Katrina asked
her to repeat the question because she wasn’t sure she heard her correctly, and Michelle again asked
“Are people over here scared of Matt?” Katrina told me that she replied “No, I don’t know of anyone
that is scared of Matt. Usually everyone goes to Matt if they have a problem.”
Michelle then asked Katrina “Does Matt run the staff meetings, and if he does, does he let people talk?”
Katrina replied with “Usually Maryellen runs the staff meetings, but if Maryellen is away, Matt does and
everything goes fine.” Michelle then asked, “Are staff meetings going better now that we are sending
Mary Sue over here?” Katrina replied “Mary Sue usually just sits here taking notes, but yes, they seem
to be running the same as always”.
Katrina then told me that what was said next “made her feel really uneasy”. Katrina had previously told
Michelle that she had accidentally deleted a folder off of her phone that had contained pictures of her
vacation. She had told Michelle about this in the April/May timeframe, while they were sitting on a
panel together trying to hire a new financial person for the SOS. She had mentioned to Michelle that
the folder got deleted because she was trying to delete an attachment that I had sent her in an email
that she accidentally saved to her picture folder. When she deleted what she thought was the
attachment, it actually deleted the entire folder of pictures.
Katrina told me that she had forgotten that she had even mentioned this to Michelle back then.
However, Michelle’s next question to Katrina was “Do you think Matt sent you some sort of attachment
with a virus to intentionally wipe out your phone?”
Katrina replied “No, absolutely not. I accidentally deleted the wrong item.” Katrina said there were a
few more questions, but she couldn’t remember what they were because the entire situation had
stunned her.
Michelle left the building after the meeting and Katrina said she was too nervous to mention anything
about this meeting inside the State Board of Elections building. At this point I realized that the SOS
office may be using Michelle Starkweather to build a packet on me for possible termination. I thanked
Katrina for calling me and letting me know about this event and apologized that this had happened to
her. I called Maryellen to inform her of what Katrina had just told me.
The next day Katrina informed me that she had thought long and hard about what had taken place the
previous day and had decided that it was completely inappropriate. She then informed me that she had
decided that she was going to make a formal complaint.

Page   17