Audit of the Committee for Public Counsel Services Overview of Audited Entity

The Committee for Public Counsel Services (CPCS) was established by Chapter 673 of the Acts of 1983.

According to its website, CPCS is governed by a 15-member committee “appointed by the Governor, the Speaker of the House of Representatives, the President of the Senate, and the Massachusetts Supreme Judicial Court.” The committee is responsible for planning, overseeing, and coordinating criminal and non‑criminal legal services to people who cannot afford an attorney in the Commonwealth.

CPCS senior staff comprises the chief counsel, the director of administration and operations, the general counsel, the chief financial officer, the chief information officer, the chief human resources officer, the equity and inclusion director, and the communications director. In addition, the chief counsel is assisted by five deputy chief counsels, who oversee the legal divisions listed below.

CPCS is composed of five legal and five operations divisions. The legal divisions are Children and Family Law, Mental Health Litigation, Private Counsel, Public Defender, and Youth Advocacy. The operations divisions are Administration and Finance, General Counsel, Human Resource, Information Technology, and Training.

According to CPCS, in addition to the main office at 75 Federal Street in Boston, there are 20 regional offices in 17 communities¹ in the Commonwealth. During our audit period, CPCS had approximately 868 employees² and 16 unpaid interns.

There were 664,761 new cases assigned to CPCS public defenders and private attorneys in calendar years 2019, 2020, and 2021, which encompass four fiscal years.

CPCS Public Defender New Cases

CPCS Private Attorney New Notices of Assignment of Counsel Issued

CPCS uses over 15 types of software for public attorney billing, case management, office space reservation, customer service, employee expense management, information technology project management and help desk, data storage, private counsel billing, and court costs.

According to CPCS management, on February 27, 2019, CPCS suffered a cyberattack. The agency was able to restore its data in 10 business days. The attack was contained, and the system was cleared of any remaining infected technology. CPCS shut down its intranet and email servers for those 10 business days, but this did not affect court cases.

During these 10 business days, CPCS worked in conjunction with the Office of the Comptroller of the Commonwealth (CTR) and hired a consultant to determine the impact of the attack and provide recommendations. CPCS also hired another consultant to perform a vulnerability assessment.

Based on the consultants’ recommendations, CPCS applied new protective measures for patching, detecting breaches of, and monitoring their data centers and network. Information security awareness and training were improved for all employees.

According to CPCS’s internal control plan (ICP), dated June 30, 2020, regarding cybersecurity awareness, CPCS follows the Enterprise Information Security Policies and Standards established by the Executive Office of Technology Services and Security’s (EOTSS’s) Enterprise Security Office, which are available and recommended for all Commonwealth agencies to use for guidance.

CPCS requires its employees to sign a Certification of Receipt Personnel Policies Manual form. Section 5.2.2 of CPCS’s “Personnel Policies Manual” is its acceptable use policy. An acceptable use policy documents the responsibilities of personnel and that employees must comply with the applicable code of conduct when using Commonwealth-owned IT systems to preserve the confidentiality, integrity, and availability of CPCS’s information assets.

CPCS uses KnowBe4 software to administer cybersecurity awareness training and phishing tests.³ This software retains CPCS employees’ test results. Newly hired employees receive cybersecurity awareness training during orientation. However, interns do not attend orientation and, as of May 2021, CPCS started requiring interns to watch a cybersecurity awareness training video and email the Human Resource Department once they have watched the video.

According to CPCS’s ICP, dated June 30, 2020, regarding its business continuity and disaster recovery plan, CPCS follows the Enterprise Information Security Policies and Standards established by EOTSS’s Enterprise Security Office, which are available and recommended for all Commonwealth agencies to use for guidance.

EOTSS’s Business Continuity and Disaster Recovery Standard IS.005 requires an agency to “establish procedures for the continuation of critical business processes in the event of any organizational or information technology (“IT”) infrastructure failure and define the related controls and acceptable practices.”

On September 30, 2020, CTR provided guidance for state agencies in response to the 2019 coronavirus (COVID-19) pandemic. The guidance helped state agencies that were experiencing significant changes identify their goals, objectives, and risks associated with the COVID-19 pandemic. Objectives included telework, return-to-work plans, changes to business processes, and safety protocols for staff members and visitors.

The American Rescue Plan Act of 2021, signed on March 11, 2021, was a federal stimulus bill to aid public health and economic recovery from the COVID-19 pandemic. On December 17, 2021, CPCS received a total of $4,500,000 in American Rescue Plan Act of 2021 funds, allocated by Chapter 102 of the Massachusetts Acts and Resolves of 2021.

Chapter 102 stipulates $2,000,000 to address pandemic-related backlogged cases in CPCS’s Public Defender Division; $1,000,000 to temporarily fund staffing levels to address an increased need for legal representation in CPCS’s Children and Family Law Program; and $1,500,000 for the modernization of CPCS’s billing system. As of the conclusion of the audit period (which was December 31, 2021, two weeks after the funds were received), CPCS had not expended any of the $4,500,000.