Press Release  Auditor Bump Recommends Solutions for Stronger Protection of Data, IT Systems at Merit Rating Board

Boston — Auditor Suzanne M. Bump today released an audit of the Merit Rating Board (MRB) that provides recommendations to improve the security of the agency’s IT infrastructure, which contains sensitive information about Massachusetts' drivers including names, home addresses, birthdates, and driver’s license numbers. The MRB’s primary mission is to maintain and update driving records and report driving record information to auto insurers and other transportation and public-safety government agencies.  

“New technologies provide agencies with more efficient ways to conduct their work. These opportunities, however, also bring new challenges related to protecting the data contained within the IT infrastructure,” Bump said of the audit. “This audit provides the Merit Rating Board with important steps it can take to improve the security of its IT assets to ensure that the personal data of Massachusetts’ residents is protected.”

In the audit, Bump calls on MRB to take specific steps related to access, training, and protection of its IT assets. She encouraged the agency to:

• develop processes to ensure employees no longer employed at MRB immediately lose access to its IT systems;
• review employee access to those systems quarterly to ensure appropriate permissions were granted;
• improve protections of personally identifiable information by establishing policies and procedures for data classification and inventory;
• ensure employees receive security awareness training before being granted access to sensitive IT systems; and
• develop and routinely test its plans to continue serving residents of the Commonwealth in the event of a loss of data or systems, or data breach.

In response to the audit, MRB noted that many of its IT systems are administered by the Massachusetts Department of Transportation (MassDOT). However, Bump noted that while MassDOT may administer these functions, it remains the responsibility of MRB to collaborate with them to ensure adequate protections are in place.

The audit released to the public is abridged because of the sensitivity of the information contained in the full audit. Consistent with government auditing standards and the Massachusetts public records law, only the Merit Rating Board will receive a full, unabridged copy of the report.

The Merit Rating Board was established in 1976 as a subdivision of the Massachusetts Department of Transportation’s Registry of Motor Vehicles. This audit was conducted as part of Bump’s efforts to help state agencies efficiently and effectively modernize government. It examined activities of MRB from July 1, 2014 through June 30, 2016.

The abridged audit of the Merit Rating Board is available here.

###