By: Jameson Miller, CPA, CISA, CISSP, CCSFP, CHQP, Partner
Local governments often run into trouble by failing to recognize legally mandated audit and reporting obligations.
Driver’s license data is useful for a wide variety of purposes, from verifying addresses to issuing citations. As such, it’s quite common for cities, counties, municipalities, and other governmental entities to seek access to the Driver License System maintained by Florida’s Department of Highway Safety and Motor Vehicles (DHSMV).
Whatever their reason for pursuing the information, governments and other organizations must execute a legally binding contract with DHSMV before they can gain access to the system. Driver’s license information is federally protected under the Driver’s Privacy Protection Act, so this multi-page contract is an important tool for safeguarding the sensitive personal data of millions of state residents.
Officially designated as a Memorandum of Understanding for Driver’s License and/or Motor Vehicle Record Data Exchange, it can make a typical reader’s eyes glaze over. But glazed or not, those who request access to the system should pay close attention to the contract’s fine print because it sets out several regulatory obligations related to cybersecurity – including the requirement that a Risk Management IT Security Professional approve the requesting party’s data security procedures and policies.
Data security and audit requirements
By signing the memorandum of understanding (MOU), local governments are agreeing to develop and implement strong internal controls and broad data security protocols that comply with FL Administrative Code Rule 74-12 (which has recently moved to Rule 60GG-2).
Rule 60GG-2 describes the Florida Cybersecurity Standards (FCS) established to secure the state’s information technology resources. FCS are based on the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity; they cover five broad security functions (Identify, Protect, Detect, Respond and Recover) to manage IT risk and contain specific controls related to each function and its multiple subcategories.
In addition, the MOU states in Section VI that the requesting party “must submit an Internal Control and Data Security Audit from a currently licensed Certified Public Accountant” within one year of the date the MOU is executed or within 120 days of a request from DHSMV for such an audit.
The audit report must include an evaluation of the internal controls that govern use, disclosure, access, distribution, or modification of data in the state driver’s license system, and confirmation that the controls in place are adequate to protect personal data and maintain a secure data environment. If the audit identifies any deficiencies or issues of concern, the auditor must certify that corrective actions have been completed as well as appropriate measures taken to prevent the issue from happening again.
Following the initial audit report, local governments must submit an annual certification statement that specifies:
- they have evaluated data security systems and processes
- they have adequate controls in place to protect the data
- they are fully compliant with all the requirements of the MOU
An Internal Control and Data Security Audit is not required each year, but if one is available for the current year then it can be submitted in place of the annual certification statement.
Noncompliance carries significant consequences
Unfortunately, many of the cities and counties that enter into these agreements with DHSMV are unaware that they are required to do this extra reporting annually, or at all. They unknowingly ignore this feature of the contract, risking the consequences of noncompliance.
Organizations that fail to provide the required audit reports are subject to follow-up actions from DHSMV. The first step is a letter letting the entity know that they are out of compliance and must submit a corrective action plan (CAP) within ten days.
Creating and implementing a satisfactory CAP can wreak havoc on previously planned schedules and budgets. Personnel must drop everything so they can devote time to this urgent need, and completing mandatory IT audits at the last minute can be costly and inconvenient.
The alternative, however, is worse: the MOU clearly states that the contract can be terminated immediately for noncompliance. If the local government is deemed to be out of compliance with the terms of the MOU, the DHSMV can also impose liquidated damages – a fee of up to $25.00 per individual record.
Expert help can reduce risk exposure
A NIST Cybersecurity Assessment by the experienced IT professionals at Mauldin & Jenkins allows you to maintain compliance by meeting Administrative Rule 60GG-2 and the MOU requirement for an Internal Control and Data Security examination. This comprehensive evaluation also helps you identify vulnerabilities and implement best practices to maintain a secure operating environment, thereby minimizing the serious risks of cybercrime that exist today. Contact your M&J advisor to learn more and schedule your assessment.