Virginia agencies have “generally inadequate” programs in place to protect data files, according to a report released this month from a state auditor.
After a broad review of information security programs, the Auditor of Public Accounts found 66 state agencies and institutions were lacking, and 17 had no program in place at all. Only 21 ranked as “adequate.”
“These agencies not having adequate information security programs could place the entire commonwealth system at risk,” the report said. “An independent group should assume responsibility for the information security programs and have the authority to implement them within the agencies and institutions.”
Lemuel Stewart, Virginia’s Chief Information Officer, said he “couldn’t agree with the auditor more.”
“I don’t know that there is any security system that’s ever perfect, but ours needs improving, and we are working on that,” he told The Examiner on Wednesday.
Some of the larger agencies have been quicker to improve than smaller ones, Stewart said.
Almost all of the agencies that accumulate information from citizens,such as the Department of Taxation, do have adequate security programs, according to the report.
Among the recommendations, the auditor called on agencies and institutions to develop “a mutual comprehensive security program” with the Virginia Information Technology Agency, and that VITA develop a plan “to communicate infrastructure information and standards” to the agencies it supports.
The review of Virginia’s agencies follows a string of high-profile data breaches outside of the commonwealth, including the theft of a Veteran’s Affairs laptop that contained information on millions of veterans.
Virginia Sen. Jeannemarie Devolites-Davis, R-Vienna, told The Examiner she plans to file legislation next month that would place tighter security requirements on data files.
“There would have to be more security requirements so that, if a laptop with a lot of personal information is stolen, the thief could not access it,” she said.
