Measures in place to protect data at DRS
The state agency responsible for exposing 106,000 taxpayers to potential identity theft when a laptop was stolen two years ago has adopted advanced security measures to prevent a recurrence.
Released to the media at the close of business Wednesday, the information from the state Department of Revenue Services comes in response to a state audit released Tuesday that called for stronger safeguards, better training and greater employee accountability to prevent a future occurrence.
No identity thefts had been "definitively connected" to the breach, the audit said, but the missing laptop has not been recovered.
The loss of a laptop containing confidential taxpayer information constituted "a serious breach of security," Commissioner Richard Nicholson said in a statement. New security procedures and technologies now in use will be combined with continued vigilance, he said.
Across the board, confidential data is no longer stored on any laptop or desktop computer. Instead, that information has been moved to secure network drives with access limited to key employees, Nicholson said.
Field audits now rely on encrypted biometric USB thumb drives that incorporate advanced encryption standards adopted by the federal government and require fingerprint and strong password verification before granting access.
In addition, fewer employees are handling data that must be encrypted when transferred between the agency and its vendors, minimizing security risks. And all employees are now given awareness training and specialized training if they handle laptops.
Employees taking equipment, including laptops, from the building are authorized to do so by using special identification passes. Data is now also being redacted when paperwork containing confidential information is used in the field. And e-mail used to communicate sensitive information to taxpayers will be encrypted.
The auditors, Robert G. Jaekle and Kevin P. Johnston, and Attorney General Blumenthal had also recommended three other steps the agency should take, which Nicholson said "will be addressed separately by the agency."
They include: training all employees to spot data breaches and know what to do if they occur; holding employees accountable if procedures are not followed; and studying how other states and federal agencies handle the safekeeping of such data.
p.daddona@theday.com