Shira Schoenberg, The Republican/MassLive.com
“The Department of Revenue has incredibly sensitive data about every taxpayer and business in the Commonwealth,” Bump said in a statement. “Taxpayers have no choice but to provide this information to DOR, so it has a responsibility to do everything it can to keep it safe.”
In recent years there have been two high-profile data breaches involving the agency. In late 2017, a breach inadvertently made private information about 39,000 business taxpayers visible to other companies, the Boston Globe reported. In 2018, the agency accidentally sent notifications about 6,100 people who owed child support to the wrong addresses.
Bump said she hopes the audit will lead to reforms at the agency.
According to the audit, the agency does not have any kind of committee responsible for making decisions about information technology security risks. Its security review board has been inactive since early 2017.
It does not have a policy in place detailing how it will respond to security incidents. It has not assessed risks related to the third-party vendors that have access to Department of Revenue data.
The Department of Revenue, in a written response to the audit, said it will convene a committee to look at strategic risks, it is developing the security response document, and it will create a working group to examine ways of assessing risks from third-party vendors.
The Department of Revenue has been transferring some information technology responsibilities to the state’s Executive Office of Technology Services and Security, a new office established in August 2017 to consolidate the state’s IT functions. But according to the Department of Revenue, it has taken three years of trying to negotiate an agreement laying out the responsibilities of each agency, and that agreement is still not complete. The Department of Revenue blames organizational and managerial changes at the technology agency.
-From MassLive.com