State Auditor Calls on Dept. of Revenue to Enhance Security of Taxpayer Data

Auditor Bump says inadequate controls at DOR could make data vulnerable...

Boston, MA – In an audit released today, State Auditor Suzanne M. Bump cautions that inadequate controls at the Massachusetts Department of Revenue (DOR) could leave sensitive taxpayer data, including Social Security numbers and tax payment history, vulnerable to cyberattacks and inappropriate disclosure. In the audit, which covered the period from July 1, 2016 through December 31, 2018, she lays out steps the agency should take to protect itself from these threats and improve its overall IT operations.

The audit found DOR was not prepared to respond to or mitigate cyberattacks against it or its vendors. The report notes DOR did not have procedures in place to guide its response to IT security incidents. Without developing, documenting, and testing these procedures, DOR likely will not be prepared to respond quickly to security incidents when they occur, which could lead to additional lost or compromised data. Additionally, it had not fully assessed the IT vulnerabilities facing third-party vendors that have access to personally identifiable information (PII), such as Social Security numbers. The failure to develop these plans and assess these risks increases the likelihood that sensitive data could be inappropriately accessed.

“The Department of Revenue has incredibly sensitive data about every taxpayer and business in the Commonwealth. Taxpayers have no choice but to provide this information to DOR, so it has a responsibility to do everything it can to keep it safe. If this information was improperly disclosed by the agency or one of its vendors, it could wreak havoc on the lives of millions of Bay State residents,” Bump said. “In recent years, we’ve seen what can happen when DOR does not properly protect this information. It is my hope this audit will lead to action at the agency.”

During the audit period, DOR faced a series of incidents that inappropriately exposed sensitive data. A data breach exposed the private information, including tax payment records and tax identification numbers, of approximately 39,000 business taxpayers. Additionally, computer problems delayed child support payments to approximately 1,500 parents. A different computer issue resulted in the agency accidentally sending approximately 6,100 child support mailings, which included Social Security numbers, to the wrong addresses.

Additionally, the audit calls on DOR to establish an IT strategy committee to oversee agency-wide technology services. It also encourages the department to update its interdepartmental service agreement with the Executive Office of Technology Services and Security (EOTSS) to clarify IT-related roles and responsibilities between the agencies.

In its response, DOR indicates it is taking steps to address the issues identified by the audit.

The audit notes DOR has designed and implemented a training program to protect PII and has policies supporting protection of this data.

DOR is an agency within the Executive Office for Administration and Finance and has four main divisions: Tax Administration, Child Support Enforcement, the Division of Local Services (DLS), and the Underground Storage Tank Program. DOR is primarily responsible for tax collection and overseeing child support orders, but also helps cities and towns manage their finances, through DLS.

The full report is available here.