Aaron C. Davis reports some of the findings from an audit of Maryland’s Department of Information Technology and some other state agencies:
… state agencies have not consistently or adequately protected personal identifiable information, such as residents’ Social Security numbers. They also have not consistently reported data breaches, according to the state’s nonpartisan Department of Legislative Audits.
Auditors said they did not uncover instances in which personal information had been compromised, but they said a state system lacking in central control and reporting requirements might make it impossible to know of every problem.
Over a two-year period ending last year, agencies that control residents’ personal information reported just five Internet attacks to the state department responsible for cybersecurity — a fraction of the total that workers told auditors they had identified internally.
The report also says two agencies that have authorized state employees to use laptops or tablets to store and access residents’ personal information, including personal health data, did not adequately protect the information, such as by having it in fully encrypted files.
Read more on Washington Post.