MONTPELIER — An audit of the Department of Labor has come back with six recommendations for better protecting people’s personal information, one of which is being kept confidential.
State Auditor Doug Hoffer announced Wednesday that the second of two audits requested by Gov. Phil Scott was complete, this one focusing on Department of Labor practices regarding personally identifiable information (PII). The first report was on the department’s 1099G issuance process and was released April 22, 2021.
The five recommendations made public were that the department should establish a comprehensive program for protecting personally identifiable information, that it should document the inflow and outflow of such information, that it should establish an inventory of everywhere this information is stored, that it should conduct privacy impact assessments and install appropriate safeguards, and that it should further train employees on the handling of sensitive material.
CliftonLarsonAllen, LLP, the company Hoffer hired to conduct the audit, will release a report containing a sixth recommendation to the Department of Labor, but that report will be confidential as it contains “sensitive security information.”
Hoffer wrote that the department has agreed with the recommendations, but has not offered a timeline for their implementation. He recommended the Scott Administration and the General Assembly “request specific timelines for the completion of corrective actions and to hold the Department accountable for meeting these deadlines.”
According to the report, the department collects sensitive information from people such as Social Security numbers, Alien Registration Numbers, driver’s license numbers, and bank account numbers when direct deposits are involved, especially when processing unemployment insurance claims.
“The department relies heavily on the culture of trust instilled in its employees to protect PII, and has developed minimum guidance for employees for the protection of PII, but has not established a comprehensive set of policies, procedures, and other guidance specific to the protection of PII,” reads the report.
During the pandemic, an unprecedented number of unemployment insurance claims were processed while many department staff were working remotely.
“PII data now resides in more areas in greater volume, and in some instances during the pandemic, has extended beyond the physical boundaries of the department into a telework environment,” reads the report, which adds that this has all made the department an attractive target for “malicious cyber attackers.” That is why the report says a comprehensive program for protecting data needs to be put in place.
The department agreed with the report’s finding that it needs to have a better handle on information coming in and out of its systems. According to the report, the department uses a system called VABS, which “is a legacy mainframe application with a complicated system of routine inbound and outbound interconnections, integrations and/or interfaces.” The system has the potential to generate multiple copies of documents containing personally identifiable information, reads the report. These all need to be identified and tracked.
In addition to that, an inventory needs to be created of all locations where personal data is stored.
“Examples include performance measures, adjudication data, mailing statements, and EFT files to process payment of claims. These extractions and reports are run daily, weekly, monthly and quarterly and may result in a significant amount of data being stored in file storage or staging areas,” reads the report.
The department agreed with this as well, saying it would collaborate with the Agency of Digital Services on this and other recommendations.
The report found that the department does have solid security practices in place for its main systems, such as “user passwords and authentication requirements, role-based access controls, encryption in-transit and at-rest, and periodic review of user access.” It should, however, develop procedures for assessing which data would be most harmful if released and for protecting that data accordingly.
The department responded that in December it did hire a third party to conduct a scan of its vulnerabilities, though it wasn’t as extensive as what the audit recommends. It notes that the state is working toward modernizing all of its computer systems, which will address many of the issues raised in the report. In the meantime, the department has also hired new staff to oversee security issues.
The report acknowledges that new hires at the Department of Labor all get training in how to safeguard personally identifiable information, since they all need to access it on some level. They also get annual cyber-security training. That said, the training isn’t comprehensive enough and doesn’t vary according to the roles of the people accessing the data and the level of risk involved.
“Overall, anything we can do in the immediate, such as reviewing and updating processes and procedures, or training staff, we will do, and have already begun in some cases; however, some of the recommendations hinge on us being able to modernize our system, which we are currently seeking funding from the Legislature for,” stated Department of Labor Secretary Michael Harrington in a Thursday email. “Phase 1 of modernization was funded last year, which includes the various user interfaces, and that effort just went out for bid. Phase 2, which is the larger part of the modernization effort, is still being discussed by the Legislature.”
The audits came about after a Department of Labor data breach in 2021 that resulted in the re-issuance of 180,000 1099 tax forms.
“Keep in mind, the incident last year that resulted in the unintended sharing of Vermonters’ personal information was the result of human error and not due to any underlying vulnerability in our systems,” stated Cameron Wood, UI and Wages Division director at the Department of Labor. “As was pointed out in the first review done by (CliftonLarsonAllen), the Department has instituted significant remedial measures to ensure that similar instances do not occur in the future. Those were reviewed by (CliftonLarsonAllen) and they had no additional recommendations.”
He wrote that the department is using sound security practices, but can do more to meet the “gold standard” set by the National Institute of Standards and Technology.
“Specifically, we need to work on further developing our documented policies, data flow diagrams, documented storage inventories, etc.,” he stated. “Essentially, we do not need to alter our systems or processes as there does not appear to be any vulnerabilities. Where we need to improve is in generating documentation to account for those processes.”
Wood stated that the modernization of computer systems will address many issues outlined in the report.
“Again, I cannot emphasize enough, and I believe the audit report points out, Vermonters’ information is secure within the Vermont Department of Labor’s systems,” he wrote. “The review did not point out system vulnerabilities. We will always be working with our (Agency of Digital Services) partners to ensure system IT security as it is an ever evolving field.”