
Published on October 2nd, 2019


Letters: Commissioner of revenue changes story on data breach



Data security is a critical responsibility of the office of the commissioner of the revenue. The current commissioner, Jenefer Hughes, seems more interested in hiding behind excuses than in using the tools at her disposal to ensure that citizens’ personal data is protected.

Last year, the Chesterfield County commissioner of the revenue exposed the Social Security numbers of nearly 2,300 taxpayers. According to an Observer article [“After data breach, commissioner of the revenue declines county audit,” Nov. 14, 2018] Hughes refused an offer from the county internal auditor to review the incident because she had already “handled the matter internally and put in place procedural controls to ensure it doesn’t happen again.”

Now, almost a year after the data breach and less than two months before Election Day, Hughes has changed her story.

In her Sept. 4 letter [“Commissioner of the revenue welcomes independent audit”], she claimed that her decision to refuse the offer of an internal audit was based on a 1993 attorney general’s (AG) opinion. Hughes never referenced the AG opinion previously; and now, she is incorrectly using that opinion to support her refusal of an internal audit. She ignores a critical distinction that the AG drew between financial audits and operational audits.

Financial audits look at the financial accounts of the office and of the county as a whole. This is the type of audit that the opinion says cannot be done by an internal auditor. Operational audits, however, review policies and procedures to ensure compliance and adequate controls. This is the type of audit offered by the county’s internal auditor, and the AG opinion specifically addresses this type. “Nothing in [the law] suggests that a constitutional officer must submit to a management or performance audit by his locality…. You are not required to agree to the county administrator’s request to conduct a management or performance audit of your office.” The key words here are “must submit” and “not required to agree.”





A commissioner cannot be forced to submit to an operational audit, but there is nothing prohibiting her from agreeing to it, or even requesting it, as Virginia Code section 58.1-3.1 addresses. Hughes could have allowed the audit. And she should have.

First, the audit would have provided clarity on how the breach occurred. Soon after the breach, Hughes gave multiple excuses for the error. An Observer article dated Oct. 17, 2018, stated that an “electronic MailMerge file had been corrupted.” On Oct. 24, 2018, WRIC- 8News reported that Hughes wrote to taxpayers that the incident was “due to a desktop hardware failure.”

Second, the audit might have confirmed that proper procedures were in place to protect the data going forward. Hughes squandered this opportunity by refusing the audit.

Jenefer Hughes cannot be trusted to maintain confidential taxpayer data.

Tim M. McPeters
CANDIDATE FOR CHESTERFIELD COUNTY
COMMISSIONER OF THE REVENUE
