Some Department of Telecommunications and Cable Staff Members did not Receive Required Training on Personal Information

Audit found that staff members had access to personal information in the DTC's consumer contact database without having received required information security training.

Overview

We identified 11 people who were assigned to the Department of Telecommunications and Cable’s (DTC’s) Consumer Division and had access to personal information but had not received the required information security training. These 11 staff members were student interns, and as part of their responsibilities, they had access to personal information in DTC’s consumer contact database. Effective information security training programs ensure that employees understand the responsibilities of securing and maintaining the confidentiality of personal information and what must be done to limit, if possible, further exposure if a breach of confidentiality is identified. Information security training programs are a critical first step in safeguarding personal information. Because DTC does not ensure that everyone who has access to this information receives the proper training, there is a higher-than-acceptable risk that the information may be misused.

Authoritative Guidance

According to Section 6 of the state’s Executive Order 504, all state employees must attend mandatory information security training that provides guidance regarding how to identify, maintain, and safeguard records and data that contain personal information:

All agency heads, managers, supervisors, and employees (including contract employees) shall attend mandatory information security training. . . . Such training shall be part of the standardized orientation provided at the time they commence work. Such training shall include, without limitation, guidance to employees regarding how to identify, maintain and safeguard records and data that contain personal information.

Reasons for Noncompliance

Although DTC does have policies and procedures requiring all regular employees to receive the training required by Executive Order 504, the policies and procedures do not require student interns to have the same training.

Recommendation

DTC should amend its policies and procedures to ensure that all employees, including student interns, receive the training required by Executive Order 504.

Auditee’s Response

The DTC recognizes the importance of protecting personal information and ensuring that all staff receive appropriate training to safeguard such information. We wish to note that prior to the commencement of this audit, DTC began to ensure that all student interns received Executive Order (“EO”) 504 training in two ways. First, beginning in July 2017, DTC began to require student interns to have access to this system in order to certify their completion of the mandatory EO 504 training. Second, EO 504 awareness and instruction is included as part of the Consumer Division’s extensive training program that all new interns and Division staff are required to complete prior to performing any job-related duties.

The DTC’s Consumer Division complaint process does not necessitate or involve the collection of any personal information nor does the Division make it a practice to obtain or maintain personal information as it is defined in M.G.L. c. 93H §1, which includes social security numbers, driver’s license numbers, state-issued identification card numbers or any type of financial account information.

Auditor’s Reply

Although we found that, during our audit period, 11 DTC student interns had not received the mandatory information security training, DTC's response indicates that it is taking measures to address our concerns in this area.

Date published: June 18, 2018