LANSING ? Michigan’s Department of State and Department of Information Technology have not adequately secured both the qualified voter file and the digital drivers license system, potentially exposing Michigan residents to “an unknown level of risk” that confidential data could be stolen and expose residents to identity theft, Auditor General Thomas McTavish said in an audit.
But a spokesperson for the Department of State said most the issues raised in the audit have been addressed and handled. The department takes the security of its systems very seriously, Kelly Chesney said, and is constantly reviewing and updating its security guidelines. In fact, when it comes to the qualified voter file, the federal government considers Michigan’s system a model for other states.
And while no system can be completely free of risk, Chesney said there have been no breaches of the state’s systems, especially since they are not online systems.
The audit, which looked at the two systems operations from September 30, 1997, to June 30, 2004, was released at a time when sensitivity to concerns about identity theft is particularly acute nationwide. Last month, Atlanta-based ChoicePoint, which catalogs and sells consumer information, acknowledged that its system had been broken into and data on as many as 140,000 people – several thousand in Michigan – may have been stolen.
Legislation is being introduced by both Republicans and Democrats in the Legislature calling for mandatory notice of consumers if security systems have been breached.
According to the audit, the two departments were not effective in controlling access to QVF, therefore not guaranteeing that confidential voter information could not be breached.
“We identified numerous and, in some cases, very significant vulnerabilities in the configuration of the QVF operating system and database that preclude management from preventing or detecting unauthorized access,” the audit said, some of which had been initially discovered in 2002.
The audit also said the two departments had raised some concerns about system functionality if additional security were added.
But Chesney said the system the QVF was built on was state of the art when it was completed, and that overseeing security upgrades to it and the drivers license system are regularly tested.
Transfer of data in the QVF is a closed system, requiring local clerks to send data in batches once a day in a 15-minute window, she said. And the audit did say it found the transmission of data was generally secure.
The audit also criticized the security of the digital drivers license system, saying the departments had not overseen security procedures in place from the outside contractor that oversees the system.
But Chesney said the contractor conducts similar operations in 30 states, and has never had a security problem. While security requirements had not been written into the contracts with the vendor previously, she said, ongoing security checks had taken place and security requirements are now being written in with the vendor.
The story was provided by content partner Gongwer News Service. To subscribe, click on Gongwer.Com




