September 30, 2010 – In the last 12 months, various breaches in data security were common at state agencies, according to a survey of CIOs and IT heads at state governments and organizations held by Deloitte and the National Association of State Chief Information Officers (NASCIO).

The report also revealed that, unlike private enterprises, most states don’t have a central leader for the massive amounts of private information they collect. And the sophistication of attacks is on a collision course with stagnant funding and strained personnel.

The report, entitled “State Government at Risk: A Call to Secure Citizen Data and Inspire Public Trust,” includes 49 of 50 states, and opens with former Department of Homeland Security Secretary Tom Ridge issuing a warning about growing problems from information and funding barriers with the already “daunting task” of collecting personally identifiable information.

The study gave the wide-lens view that state governments are on the right path, but remain lagging in departmental strategy and data security investment. Researchers implored state governments and related agencies to “do more to secure citizen data and maintain the public trust.”

State CIOs were asked to report on the various types of security breaches and were permitted to give multiple answers as appropriate in the survey. Fifty-five percent of state CIOs noted an accidental breach of information, such as from a lost laptop or hard drive, 40 percent recorded a breach from a virus or spyware and about one-third reported that an employee abused their privileges in looking into personal data. Only 21 percent said they had marked no breach of information, while 6 percent stated they “did not know.”  

While data security funding was not generally cut from budgets, it remained flat from past years and now takes up about half of IT budgets, which overall are threatened along with much of government spending during the recession. The report quoted a statement from the National Board of Governors, which remarked that failure to update and stay vigilant with data security oversight and funding has “serious implications” for everyone from taxpayers to first-responders.

“State (Chief Information Officers) and CIOs recognize the threats and realize all government leaders need to be better informed on the risks,” Doug Robinson, executive director of NASCIO, said in a statement. “It’s clear CISOs have tough jobs without adequate resources.”

Although nearly every state has enacted laws regarding the sensitive personal information they collect – from medical records to tax information – just 18 percent identified a chief privacy officer (or the equivalent) in control of this information. Nearly two-thirds had no one designated in that role, and 9 percent registered that they either didn’t know or the title wasn’t applicable.

In contrast, a separate study by Deloitte from this year found that 77 percent of private corporations had an employee with the stated role of privacy chief. At the state level, most of those duties were guided by a chief information security officer, who also deals with many other aspects of IT and non-personal data, the report stated.

But, regardless of budgetary and personnel issues, there is a growing trend to deal with data security, the report found. In a choice of the top security initiatives underway this year (with respondents choosing five options), 60 percent included data protection, 58 percent tackled risk assessment and 54 percent made training and awareness a priority. The report also noted that the Department of Homeland Security is offering cybersecurity funding and upgrade opportunities to state and local governments.
