The state’s Department of Revenue is falling short on its efforts to protect the private data of residents and has no security plans in place to respond in case the agency’s data is hacked, Auditor Suzanne M. Bump told WCVB-TV in an interview that aired Sunday.
A new audit by the Office of the State Auditor found that the revenue department was not complying with executive orders or meeting standards that have been prescribed for state agencies that hold personal information, Bump said.
“We found that in several significant respects, DOR was falling short of its ability to protect data, to do the long-term planning to test security procedures,” Bump said, describing the report’s contents. “And in fact, they were lacking in procedures. They had policies, but they had no means, no plans for how they were going to implement any of these policies.”
Bump told “On The Record” hosts Janet Wu and Ed Harding that the Department of Revenue has acknowledged its failures, but hasn’t been “operating with an eye for security.”
“The whole infrastructure for data security was missing at the Department of Revenue,” she said.
At the Department of Revenue, the agency wasn’t taking steps to prevent hacks; it did not have procedures to respond to hacking; and there was no appropriate committee that included the department’s IT and business units to determine what planning and investment was needed to secure the data that it now has, Bump said.
Because of the lack of planning, “there has been the risk of a hack, and then, an inability on the part of the Department of Revenue to quickly identify the hack, and remedy the situation,” Bump said.
The Office of the State Auditor has an information technology unit that can audit state agencies to ensure they have proper security plans, she said.
A spokesman for the state’s Executive Office for Administration and Finance said in a statement Sunday that the Department of Revenue is committed to ensuring information security, and has already taken steps to address findings in the audit.
That includes developing new policies and procedures, and forming work groups to evaluate risks and compliance, the statement said.
“The audit found procedural and documentation shortcomings only and did not find any instances of personal data being exposed or used inappropriately,” the statement said.
A spokesman for Bump’s office said a statement would be issued at 10 a.m. Monday regarding the report.
Bump’s report comes more than a year after the Department of Revenue wrongly released the tax information for roughly 6,100 people. That private data, which included Social Security numbers of people who owed child support, was sent to the wrong addresses.
A Department of Revenue spokeswoman told the Globe in April 2018 that the incorrect mailings were due to a “coding error” by Accenture, the company that designed and developed the state’s child-support system.
The state tax agency has also been criticized for a separate data breach of the records for thousands of business taxpayers.
That business data included federal employer identification numbers, tax payments, and other data. It did not have information on individual employees, such as Social Security numbers.
Early last year, the agency reported it also failed to deliver timely child support payments to about 1,500 parents.