Oct. 13--An audit of a 2007 data breach of state taxpayer's personal information on a stolen laptop shows the state took too long to address the situation but has since made strides to prevent future incidents.

Two years ago, some 106,000 Connecticut taxpayers' names and Social Security numbers were compromised when an employee, now identified as Jason Purslow of the Department of Revenue Services, the state's tax-collection agency, left a laptop computer in a parked car on Long Island.

The laptop was stolen Aug. 17, but steps to address the problem were not taken until five days later, and all potential victims were not alerted until Aug. 31, according to the report.

The investigation was conducted by Attorney General Richard Blumenthal and Robert G. Jaekle and Kevin P. Johnston, auditors of public accounts.

While no identity thefts have resulted from the breach, Blumenthal said when releasing the report Tuesday that the delay and other problems in handling it were unacceptable.

"DRS botched its initial response to the theft," Blumenthal said in a statement. "Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets."

Other lax conditions included the agency not tracking where sensitive data was stored, not securing it with encryption technologies and allowing employees to "casually roam electronic files with little consequence" or reliable record of their visits, he said.

At the same time, Blumenthal praised DRS for taking multiple steps to rectify the situation and prevent future occurrences.

Some of these steps include: imposing stronger restrictions and controls on access and storage of taxpayers' information; introducing procedures for data breaches and toughened policies protecting sensitive data; and encrypting laptops and mobile storage devices, he said.

The investigation also resulted in several recommendations, including training all employees to spot data breaches and what to do if they occur, holding employees accountable if procedures are not followed. The department also should continue efforts to track and secure confidential taxpayer information and study how other states and federal agencies handle such data, the audit states.

According to the report, in August of 2007, Purslow was on a family trip when he took the laptop with him to complete critical testing of a new department system due to be activated that Monday. The testing did not involve the taxpayer information, which had been unknowingly transferred to Purslow's laptop.

Stolen on Aug. 17 between 5 and 9 p.m., the laptop was reported missing by Purslow the next day. By the following Monday, Purslow had formally reported the theft, but until Aug. 23, the department took no steps to determine whether confidential information was compromised.

In October of 2007, Purslow was suspended 30 days without pay. The laptop has not been recovered.

-----

To see more of The Day, or to subscribe to the newspaper, go to http://www.theday.com.

Copyright (c) 2009, The Day, New London, Conn.

Distributed by McClatchy-Tribune Information Services.

For reprints, email tmsreprints@permissionsgroup.com, call 800-374-7985 or 847-635-6550, send a fax to 847-635-6968, or write to The Permissions Group Inc., 1247 Milwaukee Ave., Suite 303, Glenview, IL 60025, USA.

A service of YellowBrix, Inc.