Audit finds cybersecurity issues with Florida Department of Revenue

May 15, 2024

A recent audit of the Florida Department of Revenue revealed the need for significant improvements in data safety and privacy measures, including better management of public records, enhanced oversight of ex-employee access to accounts, and proper sanitization of surplus IT equipment.

A recent audit of the Florida Department of Revenue showed that improvements were needed to ensure the safety and privacy of data.

The Florida Auditor General found a handful of issues with the department’s operations, including not appropriately maintaining public records, a lack of oversight around ex-employee access to certain accounts and not properly clearing data from surplus information technology equipment.

The Department of Revenue has three main functions: Collecting and distributing state taxes and fees, overseeing Florida’s property tax system and providing child support enforcement services. The department was allocated over $717 million in last year’s budget.

According to the report, department management’s internal controls did not ensure that text and multimedia messages were retained in accordance with state law. Communications are statutorily required to be retained for a period of three years for administrative correspondence and five years for policy development correspondence.

The auditor general recommended that the department make or obtain independent, periodic assessments, test the effectiveness of relevant internal controls and strengthen existing controls to ensure messages on department devices with messaging capabilities are retained according to Florida statutes.

The audit also found that department controls over employee access to several different data systems — including the Florida Accounting Information Resource Subsystem, the Contract Accountability Tracking System and the Child Support Enforcement Automated Management System — needed to be improved to prevent unauthorized or improper use of access privileges.

Several instances occurred where ex-employees did not have their access removed immediately upon leaving the department. Further, some access reviews did not have supporting documentation to prove they had been carried out per statutory requirements.

The auditor general recommended that IT user access privilege controls be enhanced and that employee access privileges be deactivated upon leaving the department.

Lastly, department records between July 2021 and January 2023 showed that 1,871 items were identified as surplus IT equipment with data storage. Of the 25 selected for the audit, five iPhones, one iPad and a laptop computer lacked evidence to show they had been properly sanitized and wiped of potentially confidential information.

It was recommended that the department better document evidence that surplus items are sanitized or physically destroyed appropriately to ensure sensitive information is not disclosed.

