Although California is a prime target for computer data breaches, only four out of 77 state entities responding to surveys from the California State Auditor indicated they were in full compliance with security standards.

They were crummy at “information and asset risk management, information security program management, information security incident management, and technology recovery.” The audit warned that their vulnerabilities could prevent them from performing day-to-day operations, which could jeopardize public health, wealth and safety.

The auditor laid blame at the feet of the California Department of Technology. Not only is the department not addressing these deficiencies, “until our audit, it was not aware that many reporting entities had not complied with its requirements.” Forty-one of the entities surveyed by the auditor had told the technology department they were 100% compliant with security standards.

Turns out only four were. None of the entities surveyed are named in the audit. But the auditor’s report emphasizes that important private data could include medical, tax and other sensitive information, like Social Security numbers.

The department relies on poorly-designed forms for self-reporting, which “may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not,” the audit said. Eight of the entities said they wouldn’t really be in compliance until 2020.

But all is not lost. The technology department has a pilot program to validate the security controls in key technology-driven entities. However, it only has staff to do eight audits a year. They would be done in around 20 years.

The auditor suggested they speed up the timetable. 

Although there was much that the technology department did not know about security among the entities, there was also much that was known, but ignored. The department knows that 40% or so of the entities self-reported they were not fully compliant, but had no process for systemic follow-up.

Half of the surveyed entities complained to the auditor that the technology department didn’t give them enough guidance. More than a third said they didn’t understand the security standards.  

At issue is the “unauthorized modification, deletion, or disclosure of information included in the State’s files and databases.” Data breaches are on the rise. The Ponemon Institute surveyed 567 executives last year and found 43% of them had experienced data breaches, a 10% rise over 2013. Sixty percent experienced more than one breach, up from 52%.

Last year, a data breach at Oregon’s Department of Employment exposed the private information of 851,000 people. A breach at Montana’s Department of Public Health and Human Services may have cost 1.3 million people their Social Security numbers and other personal data.  

The technology department agreed with the audit and its eight recommendations for improvement.

–Ken Broder   

To Learn More:

Audit: California Agencies Vulnerable to IT Security Breach (by Juliet Williams, Associated Press)

A Look at How State Agencies Fail to Protect Personal Information (by Ken Broder, AllGov California)

High Risk Update—Information Security (California State Auditor) (pdf)