Office of Consumer Affairs and Business Regulation - Finding 3

The Office of Consumer Affairs and Business Regulation Did Not Have Procedures for Disposing Information.

Overview

OCABR management revealed to us in interviews that they did not have procedures for information disposal and that they did not identify and dispose of information that exceeded retention periods on a quarterly basis in accordance with Section 6.4.2.4 of EOTSS’s Asset Management Standard IS.004.

OCABR migrated its data to the cloud in 2021 and did not assess whether it is storing unnecessary data. Keeping information longer than necessary wastes storage and adds cost for the agency and the Commonwealth, since cloud storage is paid for as long as the data is kept. Without reviewing information at specified intervals and disposing of it when appropriate, OCABR retains information longer than it should, which enlarges the set of data in its custody exposed to theft, mismanagement, and unauthorized access. Massachusetts residents who use OCABR's services are correspondingly at greater risk of having their data compromised, because their information remains in OCABR's custody, and therefore potentially exposed, long after their interaction with the agency.

Authoritative Guidance

EOTSS’s Asset Management Standard IS.004 states,

6.4.2.4     Identify and securely delete stored information that exceeds defined retention periods on a quarterly basis.

The Massachusetts Statewide Records Retention Schedule states,

B06-26:  Data Breach Records

Retain 6 years.

Documents data breach notifications sent to the Attorney General as required by statute. Includes data breach notifications directed to the Attorney General and copies of data breach notifications directed to the Office of Consumer Affairs and Business Regulation, copies or samples of data breach notifications directed to Massachusetts consumers, copies of Written Information Security Programs, implemented pursuant to [Section 17.03 of Title 201 of the Code of Massachusetts Regulations], and related correspondence. Also documents civil and criminal investigations of data breaches pursuant to [Chapter 93H and Chapter 93A of the Massachusetts General Laws], including complaints, investigative notes and reports, civil investigative demands, substantive support materials, and related correspondence.

Reasons for Issue

OCABR management stated that the absence of procedures was due to a lack of resources caused by the transition of the Executive Office of Economic Development’s IT employees to EOTSS over the last two years. This transition left areas like information disposal without dedicated resources or attention. OCABR management stated that their new “Information Asset Policy” will establish new operational procedures to comply with the EOTSS policy. Additionally, the Executive Office of Economic Development’s new chief information security officer, who joined the agency in October 2024, has identified the need to focus attention on security areas, including information asset inventory, disposal, and control.

Recommendations

  1. OCABR should implement policies and procedures for information disposal to ensure that information is properly disposed of in accordance with Commonwealth retention schedules.
  2. OCABR should designate an information custodian responsible for ensuring compliance with data disposal policies.
  3. OCABR should implement an internal policy which includes the retention schedules and the procedures necessary to dispose of information, in no event before the expiration of its retention period.
  4. OCABR should implement a process in which it justifies the business need for archiving information kept past retention schedules.
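The control quoted above (Section 6.4.2.4: identify and securely delete stored information that exceeds defined retention periods on a quarterly basis) and Recommendations 1 through 4 together describe one procedure: a retention schedule, a custodian who reviews against it each quarter, a documented justification for anything kept past its period, and an audit trail. The following is an added example, not code from the audit, OCABR, or EOTSS, of how the quarterly identification step can be implemented. It applies the six-year B06-26 period from the Statewide Records Retention Schedule to constructed sample records; the record identifiers, dates, the `closed_on` convention for when the retention clock starts, the second series code, and the justification text are all assumptions. It only identifies and logs; the secure deletion itself, and any submission to the Records Conservation Board, are separate steps.

```python
"""Quarterly retention review with an audit trail (constructed example)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional

# Series code -> retention period in years. B06-26 (6 years) is quoted on the
# page; a real schedule would list every series the agency holds.
RETENTION_YEARS: Dict[str, int] = {"B06-26": 6}


@dataclass
class Record:
    record_id: str
    series: str
    closed_on: date  # assumed convention: the date the retention clock starts
    archive_justification: Optional[str] = None  # documented business need to keep past schedule


@dataclass
class ReviewResult:
    as_of: date
    dispose: List[str] = field(default_factory=list)      # expired, no justification: request disposal
    justified: List[str] = field(default_factory=list)    # expired, retained on a documented business need
    unscheduled: List[str] = field(default_factory=list)  # no retention period on file: hold and escalate
    log: List[str] = field(default_factory=list)          # one audit-trail line per record reviewed


def quarter_start(d: date) -> date:
    """First day of the calendar quarter containing d (the review's reference date)."""
    first_month = 3 * ((d.month - 1) // 3) + 1
    return date(d.year, first_month, 1)


def retention_expires(closed_on: date, years: int) -> date:
    """Date the retention period ends; a 29 February start rolls to 28 February."""
    try:
        return closed_on.replace(year=closed_on.year + years)
    except ValueError:
        return closed_on.replace(year=closed_on.year + years, day=28)


def quarterly_review(records: List[Record], review_date: date,
                     schedule: Dict[str, int] = RETENTION_YEARS) -> ReviewResult:
    """Classify each record as of the start of the review quarter and log the decision."""
    result = ReviewResult(as_of=quarter_start(review_date))
    for r in records:
        years = schedule.get(r.series)
        if years is None:
            # Unknown retention period: never dispose, flag for the custodian instead.
            result.unscheduled.append(r.record_id)
            result.log.append(f"{result.as_of} UNSCHEDULED {r.record_id} series={r.series}")
            continue
        expires = retention_expires(r.closed_on, years)
        if expires > result.as_of:
            result.log.append(f"{result.as_of} WITHIN {r.record_id} series={r.series} expires={expires}")
        elif r.archive_justification:
            result.justified.append(r.record_id)
            result.log.append(f"{result.as_of} RETAIN {r.record_id} series={r.series} "
                              f"expired={expires} justification={r.archive_justification!r}")
        else:
            result.dispose.append(r.record_id)
            result.log.append(f"{result.as_of} DISPOSE {r.record_id} series={r.series} expired={expires}")
    return result


# Constructed sample records; identifiers, dates and justification text are invented.
SAMPLE_RECORDS = [
    Record("BR-2017-001", "B06-26", date(2017, 3, 15)),
    Record("BR-2020-004", "B06-26", date(2020, 6, 30)),
    Record("BR-2018-002", "B06-26", date(2018, 11, 2), archive_justification="open 93H investigation"),
    Record("MISC-0009", "X99-01", date(2015, 1, 1)),  # constructed series with no schedule entry
]

if __name__ == "__main__":
    review = quarterly_review(SAMPLE_RECORDS, date(2025, 1, 10))
    print("\n".join(review.log))
```

Two design choices carry the recommendations' intent: a record whose series has no entry on the schedule is never placed on the disposal list, so nothing is destroyed before its retention period is known to have expired, and every record reviewed produces a log line, including those still within retention, so the quarterly review itself is evidenced rather than only its outcome.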

Auditee’s Response

OCABR developed a written OCABR Record Retention Schedule after the audit period, effective October 2024, and designated its General Counsel as Information Custodian. The policy requires OCABR’s Information Custodian/General Counsel to submit requests to the Record Conservation Board (“RCB”) for the disposal of hard copy information that is past the designated record retention schedule.

This written policy details that OCABR must log the disposal of restricted and/or confidential information to maintain an audit trail; verify that the information assets containing any restricted and/or confidential information have been removed or securely overwritten prior to disposal or reuse; render media unusable (e.g., degaussing), unreadable or indecipherable prior to disposal; use acceptable industry best practices and standards for information erasure to ensure information is unrecoverable; use a third-party service that specializes in information or media disposal; identify and securely delete stored information that exceeds defined retention periods on a quarterly basis (such information shall be identified by each Information Owner, who provides said information to the General Counsel who, in turn, shall send a request to the RCB for destruction permission); ensure that hard copies of information will only be generated when necessary; obtain a disposal certificate or other written attestation from the third party confirming proper disposal; and identify any business needs for archiving information kept past retention schedules.

In addition, OCABR works with [Executive Office of Economic Development] IT and partners to delete electronic information on a quarterly basis.

Auditor’s Reply

Based on its response, OCABR is taking measures to address our concerns regarding this matter.

Date published: May 5, 2025