Testifying at a recent hearing of the Assembly Committee on Privacy and Consumer Protection and Select Committee on Cybersecurity, Howle said 73 of the 77 agencies she reviewed had inadequate or worse safeguards against hacking. Her three biggest concerns: the state’s court system, the Board of Equalization and the California Public Utilities Commission.

Howle’s remarks were countered by a representative of the Brown administration. The state Department of Technology’s chief information security officer, Michele Robinson, said Howle had exaggerated the state’s problems.

But lawmakers didn’t appear to accept Robinson’s defense of the state’s efforts. Assemblywoman Jacqui Irwin, D-Thousand Oaks, told Sacramento TV station KCRA after the hearing that she considered Howle’s warnings “very disturbing. …  We have 160 departments that are holding your private information. So Social Security numbers, addresses, medical information — yes, there is a risk for the typical Californian.”

Here is the key summary of Howle’s 2015 audit:

In the past few years, retailers, financial institutions, and government agencies have increasingly fallen victim to cyber attacks. Most recently, in June 2015 the federal Office of Personnel Management announced that a cybersecurity intrusion had potentially exposed the personal information of approximately 20 million current and former federal employees and other individuals. Given the size of California’s economy and the value of its information, the state presents a prime target for similar information security breaches. Its government agencies maintain an extensive range of confidential and sensitive data, including Social Security numbers, health records, and income tax information. If unauthorized parties were to gain access to this information, the costs both to the state and to the individuals involved could be enormous. However, despite the need to safeguard the state’s information systems, our review found that many state entities have weaknesses in their controls over information security. These weaknesses leave some of the state’s sensitive data vulnerable to unauthorized use, disclosure, or disruption.

But Howle didn’t just offer this general conclusion. She also specifically criticized the Brown administration:

Despite the pervasiveness and seriousness of the issues we identified, the technology department has failed to take sufficient action to ensure that reporting entities address these deficiencies. In fact, until our audit, it was not aware that many reporting entities had not complied with its requirements. To determine whether reporting entities have met the security standards, the technology department relies on a self-certification form it developed that the reporting entities must submit each year. However, the poor design of this form may have contributed to many reporting entities incorrectly reporting that they were in full compliance with the security standards when they were not. Specifically, we received complete survey responses from 41 reporting entities that self-certified to the technology department that they were in compliance with all of the security standards in 2014. However, when these 41 reporting entities responded to our detailed survey questions related to specific security standards, 37 indicated that they had not achieved full compliance in 2014. … The technology department was unaware of vulnerabilities in these reporting entities’ information security controls; thus, it did nothing to help remediate those deficiencies.

According to KCRA, a state task force created last year could turn in the first draft of a state government cybersecurity initiative this month.

The Howle audit knocking the state government’s failure to worry enough about hackers was one of six harsh reports she issued in a three-month span last summer, as CalWatchdog reported. Perhaps the most alarming report found that the state did a poor job tracking mentally ill gun owners, despite a previous 2013 audit that warned about the shortcomings of the state’s efforts.

And as for retirement benefits, increase those by 79 percent total, or 53 percent per individual employee.

These are figures for the California Department of Technology, which again finds itself the butt of a fault-finding audit.

The report is one big bad report card. It notes that 73 of 77 state departments have not met standard safeguards for their information, for which the department is supposed to be the guardian.

Prone to Hackers

The newly discovered trouble involves the security of state-held information, including the news that the state’s data centers are subject to thousands of hacker attempts every month.

“The California Department of Technology does not provide adequate oversight or guidance to state entities under the direct authority of the governor (reporting entities) for which it has purview,” the audit finds.

Auditors were so troubled by lapses in information security at the state’s Department of Corrections that they issued a separate memo to that agency outlining the problems — the details of which were “too sensitive to release publicly.”

State agencies possess reams of information, from the bank account numbers on income tax forms to the birth dates of victims of crime and the Social Security numbers of people applying for food stamps.

The Department of Motor Vehicles alone holds more than 27 million records.

There are committees (“the Select Committee on Cybersecurity” in the statehouse) and task forces (the “California Cybersecurity Task Force”) in place to help protect data and info from intruders. But it’s the tech department that has responsibility for ensuring departments’ info is secured. To do so, it requires three annual reports. Last year it even offered a one-day seminar to teach info management people what’s up with data safeguarding.

Who’s at Fault?

In one regard, it’s not all on the department; the report found that 90 percent of select departments queried said that they had met the mandates for security when they really hadn’t.

Still, when four in 10 departments reported they had not achieved full compliance, “we expected that the technology department would have followed up. … However, when we reviewed the 2014 correspondence between the technology department and a selection of eight noncompliant reporting entities, we found that the technology department did not conduct any follow‑up.”

In addition, there are no policies on how to enforce the security requirements.

One more interesting element of the audit: Twenty agencies declined to be monitored or assessed and were therefore not measured for cybersecurity compliance. Among them were the Office of the Inspector General, California Department of Resources Recycling and Recovery and the Public Employees’ Retirement System.

The auditing team recommends that state lawmakers require the tech department to do an independent, comprehensive security assessment of each reporting entity at least every other year.

Auditors also ask legislators to allow the department to ask for money upon any finding of security flaws. The technology department should follow up on any troubled agency and how that agency intends to make its information more secure, the report says.

Then a final scold from the auditors: “As a result of the outstanding weaknesses in reporting entities’ information system controls and the technology department’s failure to provide effective oversight and assist noncompliant entities in meeting the security standards, we determined that some of the state’s information, and its critical information systems, are potentially vulnerable and continue to pose an area of significant risk to the state.”

The Department of Technology didn’t answer questions, but gave the Associated Press a written statement, saying that it is committed to improving oversight and to “improving the state’s overall information security posture.”

A Continuing Pattern

The report is the second in the last six months to beat down the department. The last one upbraided tech department officials for wasting tens of millions of dollars due to computer troubles and aborted projects that cost taxpayers up to $1 billion.

Some lawmakers are trying to throw more money at the agency.

One measure would allow the technology department to size up contractors with an evaluation scorecard that would cost  $350,000.

“There is no guarantee that they will implement the evaluation system in a long term capacity,” Assemblywoman Autumn Burke, D-Los Angeles, told a Senate committee earlier this month. “In fact, a simple change of leadership with CalTech could put the evaluation system in jeopardy.”

Also noted in the conversation was something as scary as a data breach: “Currently the state has 44 IT projects under development that are reported to cost more than $4 billion,” Burke told her colleagues.