Critical personal information of state residents and others — both in electronic and hard copy form — may be at risk of theft or unintentional exposure, the state’s watchdog agency reported Thursday.
“State agencies sampled by PEER were found to have records management practices that could lead to breaches of security and the release of personally identifiable information for which the state would be liable,” said James Barber, executive director of PEER, the Legislature’s watchdog arm, in a report released Thursday.
Information collected by various state agencies and found to be at risk includes Social Security numbers, bank account statements, addresses, birth dates and other personal information, the report said.
The report urged several steps to be taken by the Mississippi Legislature to ensure that personal information collected by the state is kept secure.
The Legislature’s watchdog arm, commonly referred to as PEER, studied several state agencies’ record-keeping systems and practices following an article published in the Sun Herald earlier this year about thousands of personal records found scattered on the Bay St. Louis bridge.
That incident inspired PEER to investigate data collection, retention and destruction practices of 13 state agencies this year to determine if information was at risk and to make recommendations to agencies and the Legislature for changes.
When compiling the report, PEER did not name specific agencies in which problems were discovered “to prevent abuse of the data in this report by individual readers who may wish to exploit the gaps in security.” Nevertheless, several specific alarms were raised in the report:
• Some agencies transmit personal data to other state agencies or to non-state entities using insecure methods, such as unencrypted emails.
• Some agencies didn’t know where all personal data was kept, such as on hard drives, copiers or other electronic devices.
• Some agencies requested and kept more personal data than is required for a given database.
• Most agencies reviewed have not updated their data retention schedules on a regular basis.
• A lack of uniformity was found in what data is shared with other state agencies and third-party entities and how it is shared.
• Some agencies have failed to verify that personal data is actually destroyed when other state agencies or third-party entities report destroying it.
Two state agencies are responsible for the retention and destruction of most personal data in the state: the Department of Archives and History and Information Technology Services. The PEER investigation zeroed in on these two agencies, though the practices of at least 13 state agencies were assessed.
PEER made several recommendations in its report:
• Adopt a statewide data privacy law similar to federal education and healthcare privacy laws.
• Take better care and ensure better oversight when agencies say they destroy personal data.
• Keep close track of, and a specific log of, electronic data storage devices such as computer hard drives.
• Streamline electronic data security guidelines so that all state agencies operate the same way.
Agency heads for both the Department of Archives and History and Information Technology Services wrote letters to the PEER committee, promising to work to meet the committee’s recommendations.
“As stated in the report, (Archives and History) is currently working to produce general records retention schedules that apply to all state agencies, to address the lack of uniformity often found in agencies’ policies on the management and storage of their paper and electronic records,” Katie Blount, executive director of Archives and History, wrote in a letter to the PEER committee.