The city of Austin is not doing enough to protect the personal information of city employees — or city residents who provide private data for city services such as utility bills and park programs, an audit has found.

The private information that the city keeps, in paper form and electronically, includes Social Security numbers, personal email addresses, driver’s license numbers and personal medical information.

More than half of the 33 city departments that responded to a survey from city auditors do not have written policies for the collection, storage and disposal of personal information, according to the audit, which was presented by City Auditor Ken Mory’s office late last month.

Forty-five percent of the city’s departments have employees who do not receive training on how to handle personal data. And more than a third of city departments have no person who is responsible for keeping personal information secure.

City auditors warned that not protecting personal data could have dire consequences.

“Numerous public and private organizations have faced issues resulting from the unauthorized disclosures” of personal information, the auditors wrote. “Such disclosures could lead to serious harm, such as identity theft, for citizens or employees. The city could also face significant financial costs, negative publicity and a loss of public confidence.”

For example, in 2011, private data for 3.5 million people that was held by the Texas Comptroller’s Office was inadvertently placed on a server that could be accessed by the public. The comptroller’s office paid more than $1.5 million to create a call center to notify affected individuals and more than $20 million for credit monitoring for those residents, according to a summary in the city’s audit. The breach also resulted in a $3.5 billion class action lawsuit.

City auditors surveyed 40 departments, and 33 responded. Of those, 29 said they collect some form of private information from residents, employees or both. Auditors did not identify which departments collect such data or the specific types of data they collect.

According to city rules, the office of City Clerk Jannette Goodall is responsible for “protecting the privacy and confidentiality of city records,” auditors said. However, Goodall said in a written response to the audit that her office has traditionally been responsible for storing physical records, but not explicitly for protecting personal information.

“Without an effective and efficient privacy program there is an increased risk for unauthorized disclosure” of private information, the audit said. “Such a disclosure could cause serious harm to individuals and the city. Citizens or employees could have their identities stolen, be blackmailed with sensitive personal information, or face physical harm if medical information is altered.”

A study this year by the Symantec Corp. and Ponemon Institute looked at 54 companies that had experienced a data breach in the past eight years. The average breach involved 29,000 records and cost $5.4 million — or $188 per record.

Austin’s auditors did not find any citywide effort to protect personal data or a plan to respond to the loss or misuse of such data.

The auditors recommended that Goodall lead a team of people from several city departments to write a plan to ensure that private information collected and stored by the city is protected.

Goodall said in a written response to the audit that her office could lead the stakeholder group and help the group write an “action report” by mid-2016 about how to best store and protect personal information. But she said her office shouldn’t be the only one responsible for the security of personal data.

“The development of a (personal information) protection program is a complex undertaking,” she wrote. “A significant level of … collaboration will be required and the City Clerk’s Office cannot assume sole responsibility for the development and implementation of such a program if it is to succeed.”

© 2013 Austin American-Statesman, Texas