For more than three years, the state Department of Administrative Services posted the Social Security numbers of individual contractors on a state Web site in violation of state law, exposing the state to lawsuits and monetary loss, according to a recently released state audit.
The audit also uncovered that the Social Security numbers of prospective nursing employees were accessible on an agency Web site for 19 months until a complaint was lodged.
State Auditor Robert G. Jaekle said that when personal information, such as Social Security numbers, falls into the wrong hands, it exposes people to the risk of identity theft.
“Social Security numbers — personal identifying information — was not appropriately protected,” said Jaekle, adding that the individuals affected were notified by the agency and access to the information had been removed from the Web.
“Whenever anybody gets personal identifying information, there is a responsibility to protect that information from falling into the wrong hands.
The agency didn’t properly protect the information,” he said.
“It was available for a long time and it shouldn’t have been available to anybody,” Jaekle added.
In the case of individual contractors, their Social Security numbers, properly used as Federal Employer Identification Numbers, were available on the agency’s Agency Procurement Web site.
Although the DAS changed its policy to not show the employer identification numbers in 2003, the numbers continued to be available online for more than three years for some legacy contracts with the state, according to the auditors.
In another case, prospective nursing employee information, including Social Security numbers, was collected by the DAS’ human resources office and posted on a Web site maintained by a private firm for the state agency.
The DAS did not dispute the auditors’ findings and agreed to implement several recommendations made in the report.
“We continue to be vigilant about all of our data and to upgrade all of our security protocols as new technology becomes available,” said DAS spokesman John McKay.
“However, there will always be new technology and people out there looking to circumvent any Web site security safeguards,” he said.
McKay said the agency is moving forward to develop a formal, written personal data protection policy, as recommended by the auditors.
Other improvements based on the auditors’ recommendations to improve DAS’ internal controls include:
• A person within the agency will develop and enforce the department’s compliance with a new personal data protection policy.
• The agency will increase controls over potentially sensitive confidential data.
• A formal risk management process will be developed.
