The Office of the State Auditor has released a second report from its Information Systems Audit of the Department of Public Safety (DPS) Driver License Division (DLD).
The audit of the system was first announced in January 2019 and is divided into two reports. The first report, released at that time, concerned the data-sharing practices of the DLD, which came under scrutiny two months ago following an article by The Washington Post that detailed how agencies, including Immigration and Customs Enforcement (ICE), run facial recognition software through driver’s license databases to match criminal suspects.
Utah officials disputed some of the article's claims, which stated that federal agencies are allowed to freely search photos and information from Utah's driver’s license database.
DPS Spokesperson Marissa Cote clarified DLD's database access with 2News in July 2019, saying that when it comes to sharing facial recognition information for criminal cases, that data is provided by the Utah Statewide Information and Analysis Center (SIAC) and not the driver's license division or DMV.
While records originally obtained by Georgetown Law’s Center on Privacy and Technology showed that Utah’s DPS ran more than 1,000 searches of its database between 2015 and 2017, Cote again clarified that the state’s database is only used when the requesting agency provides a criminal case number or intelligence report.
State Auditor John Dougall said in a prepared statement:
"The security of sensitive data held in state databases should be a high priority. The Department of Technology Services developed security policies to guide state agencies. We appreciate the Department of Public Safety’s efforts to update their security practices to comply with agency requirements as a result of this audit."
Because of security restrictions, the second report by the state auditor's office was embargoed to allow the agency time to correct any issues identified by the audit, a press release stated.
The second report included four key findings:
- Password requirements for database administrators do not conform to the required Department of Technology Services policy.
- Several individuals retained database user accounts after being terminated from DPS employment.
- Database user accounts are not periodically reviewed for appropriateness.
- Insufficient monitoring of testing documentation for application changes prior to deployment.