Cape and Islands District Attorney’s Office - Finding 1

During the audit period, the Cape and Islands District Attorney’s Office (CIDAO) did not promptly revoke former employees’ access rights to the Track-Kit system. Specifically, of the 14 active user accounts for the Track-Kit system, 10 of these users were former employees. Additionally, CIDAO did not complete certain data fields (i.e., the assignment of CIDAO’s contact information in the system), despite this being part of the office’s role within the Track-Kit system, as defined by the system’s user manuals.

If CIDAO does not promptly revoke former employees’ access rights to the Track-Kit system, then there is a risk of unauthorized access to sensitive case and survivor information. Additionally, if CIDAO does not assign its contact information to SAECKs, then the Track-Kit System is not being used as intended under statute. Having CIDAO contact information assigned to SAECKs allows survivors to have an informed single point of contact and can streamline outreach and reduce confusion.

Section 18X(g) of Chapter 6A of the General Laws states, “District attorney offices shall participate in the statewide sexual assault evidence kit tracking system established in this section for the purpose of tracking the status of all sexual assault evidence kits.”

The Track-Kit User Manual states that the role of the prosecuting attorney includes the following:

• Review cases referred by law enforcement, if enabled.
• Assign [CIDAO contact information] to a kit.
• Performing searches for kits available in the prosecuting attorney’s jurisdiction.

The Executive Office of Public Safety and Security’s (EOPSS’s) “Policies and Procedures for Sexual Assault Evidence Collection Kit Tracking,” dated January 2020, requires district attorneys’ offices to develop the following:

A policy to authorize access for new users of the system and to remove authorization from users who no longer require access, including users who have ended their employment, have been suspended, or terminated.

Further, Section 6.1.6. of the Executive Office of Technology Services and Security’s (EOTSS’s) Access Management Standard IS.003, dated July 15, 2020, states that access privileges should be removed “upon a transfer, termination or other significant change to a user’s employment status or role.”

CIDAO did not have documented policies and procedures regarding the use of the Track-Kit system or the revocation of user access to the system upon termination of a user’s employment.

1. CIDAO should assign its contact information to each SAECK within its jurisdiction in the Track-Kit system and should train its employees on how to use the system.
2. CIDAO should develop, document, and implement policies and procedures for Track-Kit system access authorization for new users and the revocation of access upon termination of users. These policies and procedures should include periodic access reviews at least semiannually to ensure that users’ access rights are limited to their job requirements.

Section 18X(g) of Chapter 6A of the General Laws states that the District Attorney office “shall” participate in the state tracking system which is further defined by the Executive Office of Public Safety as developing policy to authorize access for new users of the system and to remove authorization from users who no longer require access. The Cape and Islands District Attorney’s Office has no knowledge of whether such a policy existed under the previous administration. Once my administration took office, we worked to hire an additional member of the Information/Technology (IT) team as the department consisted of one individual previously. The second staff member was hired in January 2024, leaving 5 months of the audit period to have a fully staffed IT department and to start identifying and addressing Federal, State, and Local laws and regulations for our agency. After the audit period, the Cape and Islands District Attorney’s Office has reached out to the Executive Office of Public Safety regarding the tracking program and has engaged in meetings to schedule appropriate training for our staff.

Regarding the recommendation to assign [CIDAO contact information] to each SAECK within our jurisdiction in the Track-Kit system, as I am sure you are aware, SAECK kits are collected at the time of a forensic physical exam of a sexual assault victim. The District Attorney’s Office is not made aware of the existence of a kit until criminal charges have been filed. There are many reasons why charges might not issue at the time the SAECK kit is collected. When this occurs, there is no mechanism for the District Attorney’s Office to assign SAECK kit with no corresponding criminal case. As mentioned above, the Cape and Islands District Attorney’s Office has already reached out to obtain training for our staff on the Track-Kit system, but that would be limited to kits that were connected to pending criminal cases.

I remain committed to working with my staff and yours to ensure we remain compliant.

In its response, CIDAO focuses on developing a policy to authorize access for new users of the system and to remove authorization from users who no longer require access. Section 18X(g) of Chapter 6A of the General Laws requires district attorneys’ offices to participate in the Track-Kit System “for the purpose of tracking the status of all sexual assault evidence kits.”

As a first step, we applaud CIDAO for reaching out to EOPSS and, as part of these conversations, we encourage CIDAO to work with EOPSS to clearly define and standardize CIDAO’s role in the Track-Kit system. We note for context that we have recently audited multiple district attorney offices and are currently auditing others. The issue of these offices’ responsibilities under Section 18X(g) of Chapter 6A of the General Laws appears to be broadly misunderstood relative to the plain language reading of the law, making this additional definition and standardization valuable to multiple agencies of the Commonwealth.

Regarding the training of employees in the use of the Track-Kit system, CIDAO appears to be taking steps to address some of the issues raised in this finding. We will follow up on this matter in approximately six months, as part of our post-audit review process.

We understand that CIDAO cannot assign its contact information to a kit unless criminal charges have been filed. We urge CIDAO to assign its contact information to a survivor’s kit as soon as possible once those criminal charges have been filed, in order to comply with the law.