Auditor flags improper storage, destruction of records at 12 agencies


By Andy Metzger


STATE HOUSE — State entities handling taxes, programs for people with mental illness and drivers licenses are among 12 agencies that failed to fully comply with data security requirements, Auditor Suzanne Bump reported Thursday.

At the Office of the Chief Medical Examiner, electronic equipment “that may have contained confidential information” was stored in areas “easily accessible” to people outside of the office’s information technology department, Bump’s office found. The medical examiner, which investigates the cause of suspicious deaths, left 40 hard drives “designated as worthless” in an “open, unsecured area,” the new audit found.

In another example contained in the audit, the State Police were unable to provide an inventory record for “several hundred pieces of stored electronic equipment,” which the department said “contained confidential and personal information and had been offline and out of service for as long as four years.”

The audit said that State Police should maintain records of hard drives that have been removed from computers, warning that without that the department “cannot be certain that all the drives are properly accounted for and that any [personally identifiable information] they contain is protected from unauthorized access.”

The 12 agencies included in the audit vary from those administering land records to the office that designs and sells Lottery tickets. A spokeswoman for Bump said the agencies were chosen for the audit because they had the most equipment scheduled for disposal.

“None of the 12 agencies included in our audit fully complied with state requirements regarding the removal of confidential information from electronic equipment,” the audit found.

In response to the auditor’s findings and before the audit was released, the State Lottery Commission purchased a tool to wipe data from hard drives before returning them to their vendor for destruction. The chief medical examiner’s office told the auditor it would remove confidential data from its electronic equipment before sending it to be destroyed.

The Department of Industrial Accidents, the Department of Mental Health, the Department of Public Health, the Department of Youth Services and the Lottery used inadequate methods to attempt to wipe information, according to Bump.

“Unfortunately, some common methods of removing data – such as reformatting hard drives – leave residual data that can still be retrieved, and therefore they are not completely effective in preventing inappropriate access to, and disclosure of, confidential information, which can lead to identity fraud,” the audit says.

Identity fraud cases have targeted major companies and last week the U.S. government reportedly admitted hackers had accessed personal information on 4 million current and former federal employees.

Lauren DeFilippo, a spokeswoman for Bump, said that to the knowledge of the auditors no confidential information was accessed by the public.

Auditors recommended the Massachusetts Office of Information Technology consider developing policies dictating timeframes when data must be removed from equipment slated for disposal or return. The auditor’s office also recommended the Operational Services Division think about requiring certification that data has been wiped from equipment such as cell phones and hard drives before the division authorizes it for transfer or destruction.

Other agencies whose policies were found lacking are the Department of Transportation, the Department of Revenue, the District Attorneys Association, and the Teachers’ Retirement System.

Of the agencies surveyed, only the Hampden County Register of Deeds had adequate policies for wiping confidential data, according to the audit, which said the register had failed to document the removal of confidential data before returning equipment to a vendor. In its response, the register said it obtained vendors that could provide certification.