- Office of State Auditor Suzanne M. Bump
Media Contact for Auditor Bump Submits Letter Encouraging Legislators to Pass H. 4061
Mike Wessler, Communications Director
Boston — On February 22, 2018, State Auditor Suzanne M. Bump submitted the following letter to members of the Legislature encouraging them to pass House Bill 4061 following a recent data breach at the Massachusetts Department of Revenue.
Dear Members of the Legislature:
How did you feel when you read today’s Boston Globe headline “Data breach was twice as large as Department of Revenue said”? Disbelieving? Mad? Helpless? While there may be nothing to assuage those first two reactions, there is something you can do to help reduce the risk of future data breaches at the Department of Revenue – pass House Bill 4061, currently sitting in House Ways and Means. This bill would remove a statutory prohibition against the viewing of tax records by the State Auditor’s Office and would thereby enable this office to conduct audits of DOR’s policies and procedures, including the adequacy of its data security controls.
In each session since taking office in 2011, I have filed legislation that would lift this restriction. In each session, organizations representing business interests have thwarted passage of the bill, expressing the view that business tax information was too sensitive to be viewed by auditors’ eyes. How ironic it is that this data breach exposed the private tax information of some 39,000 businesses not to auditors who would be acting to protect taxpayers, and would be prohibited from disseminating such information to others, but to other businesses that could use it for a variety of nefarious purposes?
Massachusetts is among only a handful of states that deny access to information on tax records to the State Auditor’s Office. It is a mistake to retain this prohibition since it hampers the Office’s ability to audit not just the DOR but the processes of any agency, including those distributing public assistance benefits, that is supposed to use tax information in the performance of its responsibilities.
This DOR breach is now being reviewed by the Attorney General, the Secretary of State, the Executive Office of Technology Services and Security, and the Office of Consumer Affairs and Business Regulation. Doesn’t it make you mad to see so much effort being expended after a breach when an audit before a breach could have detected an IT deficiency?
You are not helpless. You can pass H. 4061.
Thank you for your consideration.
Sincerely,
Suzanne M. Bump
Auditor