Your personal information is big business. Every one of your clicks on Facebook, every keystroke of a Google search, every “Buy Now” button you hit on Amazon Prime is worth money to someone.
Yet what you willingly (or inadvertently) share with private businesses, however, pales in comparison to what you let the state Department of Revenue see -- Social Security numbers, birth dates, and information about your business and your children. The data is an almost literal gold mine for identity thieves and other ne’er do wells.
“Taxpayers have no choice but to provide this information to DOR, so it has a responsibility to do everything it can to keep it safe. If this information was improperly disclosed by the agency or one of its vendors, it could wreak havoc on the lives of millions of Bay State residents,” state Auditor Suzanne Bump said in a statement earlier this month. “In recent years, we’ve seen what can happen when DOR does not properly protect this information.”
The risks are real. Hackers are constantly trying to dig their way into the state’s computer systems.
“Every day, we have attacks,” Curtis Wood, the state’s secretary of Technology Services and Security, said this fall. “We receive about 525 million probes a day from foreign soil.”
The state is not doing nearly enough to fight off those cyberattacks and others like it, according to a troubling new report from Bump’s office.
The audit, released last week, found the DOR had no strategy to address the risk inherent in handling the private data of millions of citizens and businesses, and did not properly assess the risks of working with private vendors who had access to that information. The DOR, the audit said, also did not efficiently work with other departments -- such as the Executive Office of Technology Services and Security -- to combat the problem.
The audit, which covered the department’s activities from July 2016 to 2018, also found the revenue department did not have a written plan for responding to security incidents, and had not tested how well its systems stood up to hacking attempts.
Bump was more blunt in an interview with WCVB TV.
“The whole infrastructure for data security was missing at the Department of Revenue,” she said.
In its response to the audit, the DOR said it is already addressing many of the issues raised and noted the investigation didn’t turn up any instances of personal information being used inappropriately.
While that is true, it is not necessarily comforting. There have been plenty of recent examples where private data was exposed by government error, ranging from private business information to child support payment records containing Social Security numbers.
The Baker administration’s recent record for handling management issues -- think of the horrific record-keeping at the Department of Motor Vehicles and the slow-motion crash that is the MBTA -- does little to inspire confidence.
So what can be done? The first step is for the DOR to develop a data security plan that includes testing for security breaches and accidental dissemination of information. There also needs to be better communication between executive branch departments with access to sensitive data.
But before we put all the blame on the governor’s office, it must be noted the Legislature also has a role to play. This spring, Baker filed a $1.5 billion IT bond bill that included a $135 million “information security center.” The bill is currently in front of the House Ways and Means Committee.
Too often it takes a disaster for state government to act. It wasn’t until seven people died in a horrific accident in New Hampshire that it was learned the Massachusetts Registry of Motor Vehicles wasn’t processing reports of out-of-state infractions, allowing drivers who had no business being behind the wheel to stay on the road.
The state can’t wait to act until there is a major data breach. The time to act is now, before a major event affects the lives of thousands of state residents.