SACRAMENTO – Although protecting personal data and improving information security systems are staples of California’s current legislative session, a new report released Tuesday says more than 20 state agencies risk cyberattacks due to lax IT protocols.

Of the 33 agencies surveyed, state auditors pinned 21 as having high-risk security deficiencies. The report says the security flaws could both open residents up to identify theft and hurt the state’s finances.

“Given the amount of data the state maintains, the financial cost of a data breach and the damage to its credibility and reputation could be significant,” the audit warns. “The consequences of a data breach highlight the importance of information security in both the public and private sectors.”

The report comes one year after California lawmakers passed a landmark consumer privacy bill that gives Californians the right to know when a business has collected and/or sold their personal information, the power to forbid a business from selling their information to third parties and the ability to demand a business delete stored information.

Over the current legislative session, lawmakers have proposed a horde of changes to the privacy act which goes into effect on Jan. 1, 2020.

While businesses are scrambling to comply with the new privacy laws, State Auditor Elaine Howle says state agencies also have work to do on the cybersecurity front.

Under California law, agencies under the governor’s direct authority are required to follow the Department of Technology’s security guidelines. But the auditors focused on nonreporting state agencies that fall outside of the governor’s purview, such as constitutional offices and the judicial branch.

According to Howle, not only have nonreporting agencies adopted weak security standards, many are not in compliance with the failing standards in the first place. Others aren’t conducting self-assessments and are “placing some of the state’s sensitive data at risk of unauthorized use, disclosure or disruption.” Howle found one agency couldn’t prove it had ever performed a formal assessment of its IT policies.

The 24-page audit, which doesn’t name any of the 33 surveyed agencies, highlights a case where an agency under the military refused a recommendation to change its default password for nearly 16 months. Another reviewed agency hadn’t fixed security flaws first identified in 2013.

Howle previously blasted the state’s IT security in 2013, but she said Tuesday that the state agencies under the governor’s umbrella have made significant strides. She suggests the Legislature require nonreporting agencies to adopt security standards similar to those created by the technology department and perform security assessments every three years.

“Without assessing their compliance with security standards, nonreporting entities are likely unaware of the full extent of their information security weaknesses,” the audit concludes.

— By Nick Cahill