On February 22, 2018, State Auditor Suzanne M. Bump submitted the following letter to members of the Legislature encouraging them to pass House Bill 4061 following a recent data breach at the Massachusetts Department of Revenue.\n\nDear Members of the Legislature:\n\nHow did you feel when you read today\u2019s Boston Globe headline \u201cData breach was twice as large as Department of Revenue said\u201d? \u00a0Disbelieving? Mad? Helpless? While there may be nothing to assuage those first two reactions, there is something you can do to help reduce the risk of future data breaches at the Department of Revenue \u2013 pass House Bill 4061, currently sitting in House Ways and Means. This bill would remove a statutory prohibition against the viewing of tax records by the State Auditor\u2019s Office and would thereby enable this office to conduct audits of DOR\u2019s policies and procedures, including the adequacy of its data security controls. \n\nIn each session since taking office in 2011, I have filed legislation that would lift this restriction. In each session, organizations representing business interests have thwarted passage of the bill, expressing the view that business tax information was too sensitive to be viewed by auditors\u2019 eyes. How ironic it is that this data breach exposed the private tax information of some 39,000 businesses not to auditors who would be acting to protect taxpayers, and would be prohibited from disseminating such information to others, but to other businesses that could use it for a variety of nefarious purposes?\n\nMassachusetts is among only a handful of states that deny access to information on tax records to the State Auditor\u2019s Office. It is a mistake to retain this prohibition since it hampers the Office\u2019s ability to audit not just the DOR but the processes of any agency, including those distributing public assistance benefits, that is supposed to use tax information in the performance of its responsibilities.\n\nThis DOR breach is now being reviewed by the Attorney General, the Secretary of State, the Executive Office of Technology Services and Security, and the Office of Consumer Affairs and Business Regulation. Doesn\u2019t it make you mad to see so much effort being expended after a breach when an audit before a breach could have detected an IT deficiency?\n\nYou are not helpless. You can pass H. 4061.\n\nThank you for your consideration. \n\nSincerely,\n\n\u00a0\n\nSuzanne M. Bump\n\nAuditor \n\n\u00a0\n\nBump\u0027s letter is available here.