SACRAMENTO, Calif. (AP) - Many California state agencies are not complying with the state's information technology standards, leaving them vulnerable to a major security breach of sensitive data such as Social Security numbers, health information or tax returns, the state auditor reported Tuesday.
"Our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state's sensitive data vulnerable to unauthorized use, disclosure, or disruption," Auditor Elaine Howle wrote in the report.
She notes that the state is a prime target for information security breaches as government agencies keep extensive amounts of confidential data. Many agencies also have not sufficiently planned for interruptions or disasters, she found.
In June, the federal Office of Personnel Management announced a major hack that exposed personal information of about 20 million current and former federal employees and job applicants.
"Given the size of California's economy and the value of its information, if unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous," Howle wrote.
The auditor's report said the agency in charge of ensuring compliance with IT standards has failed to ensure agencies are complying; a voluntary "self-certification" of compliance was confusing and poorly worded, she wrote, leading many agencies to report that they were complying when they were not. She also criticized the department for its slowness in auditing agencies.
"At its current pace, it would take the technology department roughly 20 years to audit all reporting entities," she wrote.
The Department of Technology said in a written response to the audit that it is committed to improving oversight and to "improving the state's overall information security posture."
The department has already taken steps to better train staff on compliance reporting, has updated its forms and is updating its internal procedures, Secretary Maribel Batjer wrote. A spokeswoman for the department declined to answer further questions about the findings.
To protect the state's security, the auditor's office did not name the agencies that responded. But it did name several major departments that did not comply with the auditor's request, including the California Air Resources Board, the Department of Forestry and Fire Protection, Department of General Services, California State Teachers' Retirement System and the Public Employees' Retirement System.