Offered by the Office of the State Auditor

The Department of Criminal Justice Information Services Does Not Perform Audits of Non–Law Enforcement Criminal Offender Record Information Requestors To Ensure That This Information Is Properly Stored and Safeguarded.

DCJIS does not have policies and procedures that require its audit team to perform audits to assess whether non–law enforcement requestors have properly stored and safeguarded CORI.

Overview

The Department of Criminal Justice Information Services (DCJIS) does not perform audits of non–law enforcement Criminal Offender Record Information (CORI) requestors to ensure that this information is properly stored and safeguarded.

If DCJIS does not audit these CORI requestors, there is a higher-than-acceptable risk that the personally identifiable information contained in CORI is stored or handled insecurely and used for such things as identity theft or fraud.

Authoritative Guidance

Section 2.21 of Title 803 of the Code of Massachusetts Regulations (CMR), which was effective during the audit period, states,

(1)  Requests for CORI are subject to audit by the DCJIS. . . .

(4)  During an audit, DCJIS audit staff shall assess the requestor’s compliance with statutory and regulatory requirements, including, but not limited to: . . .

(d)  if the requestor is properly storing and safeguarding CORI;

Reasons for Issue

DCJIS does not have policies and procedures that require its audit team to perform audits to assess whether non–law enforcement requestors have properly stored and safeguarded CORI.

Recommendations

  1. DCJIS should require its audit team to perform audits to assess whether non–law enforcement requestors properly store and safeguard the CORI they obtain from DCJIS.
  2. DCJIS should develop and implement policies and procedures that require its audit team to perform audits to assess whether non–law enforcement requestors have properly stored and safeguarded CORI.

Auditee’s Response

The Office of the State Auditor’s (“SAO”) first audit finding notes that DCJIS does not perform audits of non‑law enforcement CORI requestors to ensure that this information is properly stored and safeguarded. The finding also recommends that DCJIS redirect its small staff of six assigned to audit the approximately 650 criminal justice agencies to perform non-criminal justice audits. Respectfully, DCJIS believes that its current approach to ensuring compliance is more effective and does not find the recommendations provided by the SAO to be feasible given the current DCJIS staff and resources.

DCJIS is a small state agency with [a fiscal year] 2023 budget of $5.9M and fewer than forty employees, and yet it performs many important functions, and in doing so, it generates approximately $16 million in annual revenue for the Commonwealth of Massachusetts.

In accordance with the SAO’s engagement letter, dated July 29, 2021, the audit time period for the audit spanned from July 1, 2020, to June 30, 2021 (the “Audit Period”). It is worth noting that the Audit Period selected by the SAO falls entirely within the period of the [2019 coronavirus pandemic] and the resulting state of emergency declared by Governor Baker from March 10, 2020, to June 15, 2021. . . . 

DCJIS’s performance during the pandemic demonstrates its effectiveness in serving the people of the Commonwealth. The ongoing health crisis required DCJIS to adapt immediately to drastic changes in work life. These changes affected not only DCJIS’s own employees but also the requestors and subjects of CORI. To ensure the provision of CORI to those employers and others entitled by law to receive it, DCJIS implemented emergency regulations and then permanent regulations which permitted remote verification of identity under certain circumstances. Throughout the pandemic, DCJIS seamlessly continued to process CORI requests which assisted the onboarding of new employees and the provision of housing across the Commonwealth.

The SAO’s audit findings demonstrate the success of these efforts. As the SAO’s audit revealed, DCJIS processed 1,019,600 iCORI requests during the Audit Period. All but nine requests—about 0.0000088% of the total—were processed within ten business days, the timeframe described on DCJIS’s website. All but five requests were processed within eleven business days. Each of these five requests required additional research or was otherwise subject to manual review.

The SAO finds that DCJIS should perform random audits of organizations using iCORI. In particular, the SAO wants DCJIS to perform random checks of how CORI reports are stored and safeguarded by non‑criminal justice iCORI users. DCJIS appreciates the SAO’s recommendation but respectfully disagrees that random audits of iCORI users are the most effective way to police the system. It is simply not feasible for DCJIS to conduct random audits of the 181,179 individual iCORI accounts and 32,091 organization accounts that are registered for DCJIS’ iCORI service. Rather, DCJIS believes its multi-tiered approach to promoting the security of CORI is both more effective and comports with the intent of the legislature when it passed the CORI Reform Law in 2010.

As an initial matter, it is unclear what standard the SAO is auditing to when it makes this recommendation. The CORI laws and regulations do not require DCJIS to perform random audits of iCORI users. On the contrary, [Section 172 of Chapter 6 of the Massachusetts General Laws] and 803 CMR 2.23 both state that CORI requests are “subject to audit” by DCJIS, language which conveys that such audits are discretionary.

Moreover, the sheer number of organizations using iCORI makes random audits impractical and inefficient. There are 181,179 individual accounts and 32,091 organizational accounts in the iCORI system. This broad access to CORI was part and parcel of the legislature’s CORI Reform Law. As just one example, in [Section 172(a)(3) of Chapter 6 of the General Laws], the legislature made CORI available to any employer.

As a result of this broad access, it is more efficient for DCJIS in policing the iCORI system to focus on areas where there are real questions of inappropriate use. And that is what DCJIS does.

This approach is consistent with the legislative intent of the CORI Reform Law. In passing CORI Reform, the legislature provided a mechanism for policing the system: self-audits. [Section 172(g) of Chapter 6 of the General Laws]. With these self-audits, an individual can see anyone outside of law enforcement who is checking his or her CORI. DCJIS provides these self-audits to any individual who requests them, as described in 803 CMR 2.25. And where a self-audit shows someone that his or her CORI has been accessed inappropriately, the person can file a complaint. 803 CMR 2.27. DCJIS investigates complaints regarding any violation of the CORI laws and regulations, and it also investigates complaints about inaccurate CORI. 803 CMR 2.26, 2.27. Where the investigations reveal a violation of the CORI laws and regulations, then DCJIS prosecutes the matter before the Criminal Record Review Board, which is empowered to impose civil penalties. [Section 168 of Chapter 6 of the General Laws]; 803 CMR 2.28.

DCJIS also uses technological tools to police the system. Rules within the iCORI system flag potential violations of the CORI laws and regulations and the iCORI Terms of Service. In particular, the system can detect login and password sharing and upon detection, the iCORI account at issue is automatically disabled.

Even with all these protections in place, DCJIS does not rest upon its efforts to police violations but proactively trains large numbers of iCORI users. In calendar year 2022 alone, DCJIS trained 1,544 individuals in the proper use of the iCORI system and in applying the laws and regulations governing CORI access. . . . Since 2019, DCJIS has trained 2,753 individuals. In addition to formal training, DCJIS responds to calls every day from members of the public about proper use of the iCORI system.

DCJIS chooses to police its system with this combination of proactive formal and informal training, technological tools, and the policing mechanisms determined by the legislature. DCJIS’s approach flows from and is consistent with the intentions of the legislature manifested in the language of the CORI laws. Moreover, as a practical matter, it would be inefficient to divert time and resources from efforts to educate and from efforts to investigate known problems. It is entirely unclear what additional benefit would be conferred by diverting these resources toward randomly auditing what would necessarily be an insignificant fraction of the over 200,000 existing iCORI accounts.

Therefore, while DCJIS appreciates the SAO’s efforts and is grateful for the SAO’s audit, it respectfully finds that the SAO’s finding is simply not feasible based on the staff and resources available to DCJIS at this time.

Auditor’s Reply

The Office of the State Auditor acknowledges that the use of auditing as stated in 803 CMR 2.23 is discretionary; however, in our review, we found that this control measure had not been used one single time, and we were informed that it has been rarely used, if at all, because of the noted staffing constraints. We recognize and agree that staff members and their time are a concern in ensuring accountability; however, we believe that there exists a need to select random non–law enforcement CORI requestors, based on risk level determined by DCJIS, to ensure that information is securely stored. To accomplish this, we encourage DCJIS to consider seeking adequate funding through the Legislature and administration to allow for the appropriate qualified staff levels so as to perform these tasks. By doing so, DCJIS would reduce the possibility that personally identifiable information would be accessed or compromised by individuals who are not authorized to access it.

Date published: April 13, 2023
