Unemployment agency failed to limit access to sensitive information, audit says
The Michigan Unemployment Insurance Agency failed to properly limit access to sensitive information contained in the state systems used to collect, pay and receive unemployment payments, Auditor General Doug Ringler said in a Tuesday audit report.
The agency’s failure to secure effective access and security controls in the Michigan Integrated Data Automated System and Michigan Web Account Manager came as the state paid out record unemployment benefits during the COVID-19 pandemic.
During the time period reviewed in the audit — from March 15, 2020 through June 28, 2021 — the state processed $36.5 billion in unemployment payments.
The record payments were accompanied by record problems within the Unemployment Insurance Agency, as the department juggled huge increases in claims, relentless attempts at fraud, months-long delays in awarding unemployment and state-induced errors in determining eligibility.
Overall, the Tuesday audit found the Unemployment Insurance Agency was not effective in securing adequate access controls for employees during the pandemic and noted three material conditions — the most serious audit findings — that the agency needed to address.
Tuesday’s audit report overlaps to some degree with a March personnel audit from the Office of Auditor General that highlighted the Unemployment Insurance Agency’s failure during the pandemic to conduct background checks for more than 5,500 employees. Of those, the audit found 169 workers had prior offenses that included financial crimes.
Agency Director Julia Dale said in a Tuesday statement that the agency had made significant changes over the past six months to address “more than a decade of disinvestment” at the agency and address shortcomings identified during the pandemic.
“UIA is taking decisive steps to bolster our security practices that protect personal information about claimants and businesses,” Dale said.
Ringler’s Tuesday report noted three key areas of deficiency on limiting access to sensitive information at the agency, including a lack of training and background checks, delayed removal of access for terminated employees and inadequate documentation ensuring employees had the least access needed to fulfill the duties of their jobs.
The Internal Revenue Service requires all federal or state employees with access to federal tax information to receive training on how to handle the information and complete a background check that includes Federal Bureau of Investigation fingerprinting, validation of residency and a check with local law enforcement.
The auditor general sampled 45 of the 330 individuals with access to federal tax information through the Unemployment Insurance Agency and found the agency had not conducted the required background check for 36 of those individuals, or 80% of the 45. The auditor report also said 27, or 60% of the 45, failed to receive required training and 16, or 36%, weren’t included on the agency’s tracking sheet of individuals with access to the information.
The agency agreed that better safeguards should be put in place and noted it enacted a criminal history and fingerprinting check policy on April 12. The agency said it also planned to stay on top of training requirements and keep better track of logs noting access to federal tax information.
“The criminal background checks will be conducted in 2022 on all UIA staff, DTMB staff, and contractors who have access to personally identifiable information and/or FTI (federal tax information),” the agency responded in the report, referring to staff from the Department of Technology, Management and Budget.
In another material condition, the auditor said the agency often failed to remove access to the state’s unemployment software in a timely manner upon an employee’s departure.
The audit sampled 61 users of the MiDAS system terminated between January 2021 and August 2021 and found that 42, or 69%, did not have their access to MiDAS revoked within 72 hours of departure. The agency also delayed notices to the Department of Technology, Management and Budget for the revocation of two other access levels for various employees.
In total, 12 of the 61 users sampled had continued access at three verification levels for four to 39 days, or an average of nine days, after their departure.
The agency, the audit concluded, did not have a process for the offboarding or departure of contract employees, an issue exacerbated by the COVID-19 pandemic and record hiring of contract workers to help with the increased load of claims.
The agency agreed with the findings and said it was implementing a quality control process to ensure terminated users have system access removed in a timely manner.
A third material condition found the UIA did not properly document or manage user account access to ensure employees received the least access to sensitive information needed to accomplish their job tasks. The agency said the issue was in part a result of the number of staff that needed to be brought on board over a short period of time during the pandemic.
As part of a system upgrade to take effect July 5, user access rights will be based on specific job requirements to ensure employees have the least privilege needed to do their jobs, the agency said.
“During this process, incompatible functions and excessive access rights will be identified and addressed appropriately to ensure effective segregation of duties,” the agency responded in the report.