Michigan unemployment agency did not restrict access to sensitive data, audit finds
Michigan’s Unemployment Insurance Agency failed to properly restrict access to sensitive information contained in state systems used to collect, pay and receive unemployment benefits, Auditor General Doug Ringler said in an audit report on Tuesday.
The agency’s failure to ensure effective access and security controls in the Michigan Integrated Data Automated System and Michigan Web Account Manager came as the state paid record unemployment benefits during the COVID-19 pandemic.
During the period examined in the audit – March 15, 2020 to June 28, 2021 – the state processed $36.5 billion in unemployment benefits.
The record payouts were accompanied by record problems at the Unemployment Insurance Agency, as the department juggled huge increases in claims, relentless attempts at fraud, months-long delays in awarding unemployment benefits and state-induced errors in determining eligibility.
Overall, Tuesday’s audit found the Unemployment Insurance Agency was not effective in ensuring adequate access controls for employees during the pandemic and noted three material conditions – the most serious audit findings – that the agency had to deal with.
Tuesday’s audit report overlaps to some extent with a March staff audit from the Office of the Auditor General that highlighted the Unemployment Insurance Agency’s failure during the pandemic to conduct background checks on more than 5,500 employees. Of these, the audit found that 169 workers had previously committed crimes that included financial crimes.
Agency director Julia Dale said in a statement on Tuesday that the agency had made significant changes over the past six months to address “more than a decade of divestment” at the agency and address the gaps identified during the pandemic.
“The UIA is taking decisive action to strengthen our security practices that protect personal information about applicants and companies,” Dale said.
Ringler’s Tuesday report noted three key areas of shortcoming in limiting access to sensitive information within the agency, including a lack of training and background checks, the delayed removal of access for terminated employees and inadequate documentation ensuring that employees had the least amount of access necessary to perform the duties of their jobs.
The Internal Revenue Service requires that all federal or state employees with access to federal tax information receive training on how to handle the information and complete a background check that includes Federal Bureau of Investigation fingerprints, validation of residency and verification with local law enforcement.
The Auditor General sampled 45 of 330 people with access to federal tax information through the Unemployment Insurance Agency and found that the agency had failed to perform required background checks on 36, or 80% of the 45, of these people. The audit report also says that 27, or 60% of the 45, did not receive the required training and 16, or 36%, were not on the agency’s tracking sheet of people with access to information.
The agency agreed that better safeguards should be put in place and noted that it enacted a criminal background and fingerprint check policy on April 12.
“Criminal background checks will be conducted in 2022 on all UIA personnel, DTMB personnel and contractors who have access to personally identifiable information and/or FTI (federal tax information),” the agency replied in the report, referring to staff in the Department of Technology, Management and Budget.
In another important condition, the auditor said the agency often failed to remove access to state unemployment software in a timely manner when an employee leaves.
The audit sampled 61 terminated MiDAS system users between January 2021 and August 2021 and found that 42, or 69%, had not had access to MiDAS revoked within 72 hours of departure. The agency also delayed notices to the Department of Technology, Management and Budget for revocation of two other levels of access for various employees.
A total of 12 of the 61 sampled users had continued access to three levels of verification from four to 39 days, or an average of nine days, after leaving.
The agency, the audit concluded, had no process for contract employees who relocated or left, a problem exacerbated by the COVID-19 pandemic and the record hiring of contract employees to help cope with the increase in the number of complaints.
The agency accepted the findings and said it was implementing a quality control process to ensure terminated users have their system access removed in a timely manner.
A third material condition revealed that the UIA failed to properly document or manage access to user accounts to ensure that employees received the least possible access to sensitive information needed to perform their job duties. The agency said the problem resulted in part from the number of employees that had to be recruited over a short period during the pandemic.
As part of a system upgrade that will take effect on July 5, user access rights will be based on job-specific requirements to ensure employees have the least privilege needed to do their jobs, the agency said.
“During this process, incompatible functions and excessive access rights will be identified and addressed appropriately to ensure effective segregation of duties,” the agency responded in the report.