By Sam Smith
The Maryland Department of Information Technology (DoIT) lacks adequate oversight over the protection of personal information contained in IT systems of various state agencies and this could jeopardize the privacy of citizens, auditors found.
A legislative audit released Tuesday also found that the Maryland Personal Information Protection Act, which governs how businesses protect personal information, does not cover state agencies, so it does not govern how they protect individuals' Social Security numbers.
Although state law says that it is the responsibility of the IT department to monitor and enforce agency compliance with the information security policy, that responsibility has been delegated to each individual agency. The audit recommended that DoIT implement a process to enforce agency compliance, but the department said it does not have resources to do so and will continue to leave compliance up to each individual agency.
However, DoIT will add Personal Information Protection Act compliance to its security policy for the agencies.
Department says it lacks resources to monitor agencies
At the suggestion of the auditor, DoIT will update its information security policy to describe the additional guidance and assistance it can provide to agencies. DoIT's response also stated that it will update the policy when new technology becomes an emerging threat to IT systems.
Five state agencies that were evaluated in the audit report each handle personal information of one kind or another. The Comptroller’s Office, Department of Health and Mental Hygiene, Department of Public Safety and Correctional Services, Department of Human Resources and Maryland Department of Transportation were all included in the audit as being state agencies that are in need of improved system protection processes.
Security breaches have happened in other states
The audit states that system breaches are common in government agencies around the country, but it did not cite any that occurred in Maryland. Certain information about IT vulnerabilities was left out of the report to keep it from being exploited.
In 2011, The Privacy Rights Clearinghouse tracked 535 breaches in the United States that compromised 30.4 million personal records. “One of the most significant data breaches identified for 2011 involved the compromise of data on 3.5 million individuals held by the State of Texas,” the report said. “The breach occurred when this data was left unencrypted on publicly accessible servers. Texas government officials attributed the breach to numerous failures to follow security procedures.”
Other IT breaches occurred in Utah and Alaska agencies.
A study by The Ponemon Institute and Symantec found that the average cost of data breach to an organization in 2010 was $7.2 million. The average cost of a compromised record at that time was $214.
Risks not reduced to “acceptable level”
The audit said that none of the five agencies had implemented a risk management process that reduces risks to an "acceptable level." Only one of the five agencies, the comptroller, has documented security levels for all of its information systems, which is vital to evaluating risks to data confidentiality.
All five of the agencies said in their responses that they will work on implementing a risk management process for their systems, as well as developing security levels for their systems.
Another security risk is storing information on state-owned portable devices such as laptops and smartphones without proper encryption. The Department of Health and Mental Hygiene and the Department of Human Resources had not implemented encryption practices that would protect confidential information if portable devices were lost or stolen.
Both agencies are taking steps to rectify the situation, they said. The health department emphasized that no confidential information was found on the 10 laptops that were reviewed.
Security software being installed
DHMH is installing security software on all hard drives, laptops and removable media throughout the agency. The Department of Human Resources said it is setting up portable media encryption hardware and will have an encryption management system implemented statewide by next February.
The audit also mentioned the need for DoIT to deploy data loss prevention (DLP) software to help prevent the accidental or malicious loss of data from the systems.
However, DoIT maintains that the department does not have the “skilled resources” necessary to implement such solutions. Until the department has the resources, the individual agencies are responsible for preventing data loss.