Minnesota's Department of Public Safety did not adequately protect some of its most sensitive equipment and inventory, leaving confidential information open to compromise.
Minnesota's chief law enforcement agency failed to adequately safeguard non-public information in its computers and did not keep an accurate inventory of some of its most critical property, such as its laptops and cell phones, an audit found on Thursday.
The Department of Public Safety deals with sensitive issues such as homeland security and statewide criminal investigations.
A report from the Legislative Auditor released Thursday showed that as late as May of this year, nearly 950 of the department's laptops were not encrypted, despite specific state policy requiring it. In addition, about 300 of the department's laptops had no physical security, such as cable locks.
The audit also found that the department did not adequately review employee security profiles for excessive or unnecessary use of the department's computer system. As of April of this year, five employees had access to the department's system even though they no longer worked for Public Safety.
Without proper controls over the laptops, confidential non-public information could be compromised, the audit warns.
Audit manager David Poliseno said he considered the Public Safety findings "quite significant." The department, he said, lacked the proper supervisory review and had left itself open to exploitation and possible fraud.
"We don't believe any of that has happened," Poliseno said, "but we found serious weaknesses in the system."
When auditors asked why hundreds of laptops with sensitive non-public data were not encrypted, Poliseno said, "we were told it was because they hadn't gotten around to it yet." That coupled with the department's inability to track its physical inventory, he said, leaves the state open to inadvertent disclosure of data.
Public Safety officials said there were no instances where confidential or secure data was compromised because of any issues in the audit's findings.
The department said it is conducting mandatory inventory training and all divisions will be required to complete a physical inventory by June of next year. In addition, the department said that it has attempted to implement encryption for its laptops but that it has required extensive planning, testing and financial investment.
The department asked for about $6 million for the next two budget years for disaster recovery and to upgrade its security system, but the Legislature provided less than half of what was asked for.
"We have absolutely no indication that there was any private or sensitive data that was compromised. It's an issue of the schedule of getting everything encrypted so that if something was lost it wouldn't be compromised," Deputy Commissioner Mary Ellison said.
The audit said the department did not adequately protect some of its most important assets, including equipment costing over $5,000 and sensitive property defined as such things as portable computers, cell phones and other items that can be easily stolen. There was no indication that dangerous inventory such as firearms and other weapons were not adequately protected, department officials said.
Staff writer Patricia Lopez contributed to this report Mark Brunswick 651-222-163