A lack of oversight and failure to adopt comprehensive security standards has placed sensitive data that 33 California state offices collect and maintain at risk, State Auditor Elaine Howle revealed Tuesday.
The audit found that state entities not required by law to report compliance with the California Department of Technology’s data privacy and information security policies — in other words, any body outside of the governor’s direct control, such as the state judiciary and other elected offices — are far more likely to have incomplete or nonexistent information security measures. As a result, Howle wrote, external oversight over the information security practices of these agencies is likely to improve their practices.
Offices not required to report to CDT can choose to comply with a variety of data security standards issued by different bodies, including the state itself, the National Institute of Standards and Technology or the International Organization for Standards.
Of the 33 offices surveyed in the audit, however, only 29 performed a self-assessment or received an independent security assessment to measure their compliance with their chosen security standard, while four had never assessed their compliance with their chosen standard. Just five of those 29 offices qualified as “mostly compliant” with their chosen standards, and 21 had “high-risk deficiencies” in their information security policy, the audit found.
The findings are evidence that these state entities are unaware of the threats to their datasets, and have little insight into whether their existing information security measures are working as intended, the audit stated.
“Non-reporting entities may be unaware of other information security weaknesses because many of them have relied upon assessments that were limited in scope,” Howle wrote in a letter attached to the report.
Howle’s office also conducted in-depth reviews of 10 of the 33 non-reporting state entities. Of those, just five were found to have partially assessed their compliance with their chosen information security standard; one had not even selected a standard. The audit did not identify the 10 offices that were more closely scrutinized.
The result is that the state cannot ensure that the data these offices hold is protected from “unauthorized access, use, disclosure, disruption, modification, or destruction,” the auditor said.
The audit surprised some security professionals, such as Ben Sadeghipour, the head of hacker operations at bug bounty company HackerOne, who said California is usually a leader in IT security. The state passed a groundbreaking consumer data privacy act and an internet of things privacy law last year. California’s former chief information security officer, Peter Liebert, created a program last year designed to help state agencies under CDT’s purview assess their cybersecurity maturity for the purpose of showing agency leaders where improvement is needed.
“When you are a large government agency like the State of California dealing with the data of almost 40 million residents, it is absolutely critical to have consistency across information security policies, especially among the numerous government entities who are tasked with handling, storing and safeguarding personal data,” Sadeghipour told StateScoop in an emailed statement.
The audit recommended that each non-reporting entity adopt information security standards similar to those prescribed by CDT and followed by state agencies under the governor’s administration. Each non-reporting entity would be required to conduct a comprehensive information security assessment every three years and to submit certifications of compliance, along with corrective action plans where necessary, to the state legislature’s Assembly Privacy and Consumer Protection Committee.