What the Vermont Department of Labor must do to protect data

MONTPELIER, Vt. – A Department of Labor audit came back with six recommendations to better protect people’s personal information, one of which is secret.

State Auditor Doug Hoffer announced Wednesday that the second of two audits requested by Governor Phil Scott has been completed, this one focusing on the Department of Labor’s personally identifiable information (PII) practices. The first report focused on the department’s 1099G issuance process and was released on April 22, 2021.

The five recommendations made public were: The department should implement a comprehensive program to protect personally identifiable information, document the ingress and egress of such information, establish an inventory of where all such information is stored, conduct privacy impact assessments and put in place appropriate safeguards, and it should train employees more in handling sensitive documents.

CliftonLarsonAllen, LLP, the company Hoffer hired to conduct the audit, will release a report with a sixth recommendation to the Department of Labor, but that report will be confidential because it contains “sensitive safety information.”

Hoffer wrote that the department agreed with the recommendations, but did not offer a timeline for their implementation. He recommended that the Scott administration and the General Assembly “request specific timelines for the completion of corrective actions and hold the Department accountable for meeting those timelines.”

According to the report, the department collects sensitive information from individuals, such as Social Security numbers, alien registration numbers, driver’s license numbers and, when direct deposits are involved, bank account numbers, especially when processing unemployment insurance claims.

“The department relies heavily on the culture of trust instilled in its employees to protect PII, and has developed minimum guidelines for employees for the protection of PII, but has not established a comprehensive set of policies, procedures and other guidelines specific to PII protection,” reads the report.

During the pandemic, an unprecedented number of unemployment insurance claims were processed as many departmental employees worked remotely.

“PII data now resides in more areas in greater volume, and in some cases during the pandemic, has extended beyond the physical boundaries of the department into a telecommuting environment,” reads the report, which adds that all of this made the department an attractive target for “malicious cyberattackers.” This is why a comprehensive data protection program must be in place.

The department agrees with the report’s conclusion that it needs to better manage information flowing in and out of its systems. According to the report, the department uses a system called VABS, which “is a legacy mainframe application with a complicated system of routine inbound and outbound interconnects, integrations, and/or interfaces.” The system has the potential to generate multiple copies of documents containing personally identifiable information, reads the report. All of these must be identified and tracked.

In addition to this, an inventory must be created of all locations where personal data is stored.

“Examples include performance metrics, adjudication data, mail records and EFT files to process claims payment. These extractions and reports are performed daily, weekly, monthly and quarterly and may result in the storage of a significant amount of data in file or transfer storage areas,” the report states.

The department also agreed with this, saying it would work with the Agency of Digital Services on this and other recommendations.

The report found that the department has strong security practices in place for its core systems, such as “user passwords and authentication requirements, role-based access controls, encryption in transit and at rest and periodic review of user access”. It should, however, develop procedures to assess which data would be most harmful if disclosed and protect that data accordingly.

The department responded that in December it hired a third party to perform a vulnerability scan, although it was not as thorough as the audit recommended. It notes that the state is working to modernize all of its IT systems, which will address many of the issues raised in the report, and that the department has also hired new staff to oversee security issues.

The report acknowledges that new Department of Labor employees all receive training on how to protect personally identifiable information, as they all need access to it at some level. They also receive annual cybersecurity training. That said, the training is not comprehensive enough and does not change depending on the roles of the people accessing the data and the level of risk involved.

“Overall, anything we can do right now, like reviewing and updating processes and procedures, or training staff, we will do, and we’ve already started in some cases; however, some of the recommendations are dependent on our ability to modernize our system, for which we are currently seeking funding from the legislature,” Department of Labor Secretary Michael Harrington said in an email Thursday. “Phase 1 of the modernization was funded last year, which includes the various user interfaces, and this effort has just been put out to tender. The modernization effort is still being discussed by the Legislature.”

The audits came after a 2021 Department of Labor data breach that resulted in the reissue of 180,000 1099 tax forms.

“Keep in mind that last year’s incident that resulted in Vermonters’ personal information being unintentionally shared was the result of human error and not an underlying vulnerability in our systems,” said Cameron Wood, Director of the Department of Labor’s UI and Wages Division. “As highlighted in the first review by (CliftonLarsonAllen), the Department has implemented significant corrective measures to ensure that similar cases do not occur in the future. These have been reviewed by (CliftonLarsonAllen) and they had no additional recommendations.”

He wrote that the department uses sound security practices, but can do more to meet the “gold standard” set by the National Institute of Standards and Technology.

“Specifically, we must continue to develop our documented policies, data flow diagrams, documented storage inventories, etc.,” he stated. “Essentially, we don’t need to change our systems or processes because there don’t appear to be any vulnerabilities. Where we need to improve is in generating documentation to account for these processes.”

Wood said modernizing computer systems will fix many of the problems described in the report.

“Again, I can’t stress enough, and I believe the audit report points out, Vermonters’ information is secure within the systems of the Vermont Department of Labor,” he wrote. “The review did not highlight any vulnerabilities in the system. We will always work with our partners (the Agency of Digital Services) to ensure the IT security of the system, as this is an ever-evolving area.”

keith.whitcomb@rutlandherald.com