Seal of the Commonwealth of Massachusetts
Massachusetts Audit Explorer - what the State Auditor found

← all audits

Audit of the Office of Consumer Affairs and Business Regulation (May 5, 2025)

May 5, 2025 · Office of Consumer Affairs and Business Regulation · Read the full official report on mass.gov ↗

Published May 5, 2025 Audit covers July 1, 2022 – June 30, 2023 Under Diana DiZoglio · 2023–present

In plain English
The audit found that OCABR had problems with website accessibility and several data-security practices, including classifying data, disposing of old information, assessing system risk, and limiting access to personal information.
source
“Below is a summary of our findings, the effects of those findings, and our recommendations, with links to each page listed.”
Read the plain-English breakdown
What is this?

This is a Massachusetts State Auditor performance audit of the Office of Consumer Affairs and Business Regulation, covering July 1, 2022 through June 30, 2023.

“In accordance with Section 12 of Chapter 11 of the Massachusetts General Laws, the Office of the State Auditor has conducted a performance audit of the Office of Consumer Affairs and Business Regulation (OCABR) for the period July 1, 2022 through June 30, 2023.”
Why was it audited?

Auditors checked whether OCABR’s website was accessible and whether the agency had basic IT and data-protection controls in place.

“The purpose of this performance audit was to determine whether OCABR’s website adhered to the accessibility standards established by the Web Content Accessibility Guidelines (WCAG) 2.1 for user accessibility, keyboard accessibility, navigation accessibility, language, error identification, and color accessibility.”
Why it matters

These issues matter because residents use OCABR services and may rely on its website for consumer help, licensing information, and other government resources.

“Ensuring that all website components function properly and meet accessibility standards is essential for providing transparent and inclusive government services to all residents.”
What's in it for me?

If OCABR fixes these problems, residents should have easier access to its online services and better protection for personal information they provide to the agency.

“Limiting access to PII helps protect the privacy of Massachusetts residents and reduces the risk that their information may be accessed by someone who may mismanage or steal it.”
The bottom line

The auditor found five main problems: the website was not fully accessible, OCABR had not classified its data, lacked information-disposal procedures, had not assessed system risk, and did not always document approval before giving staff access to personal information.

“OCABR did not ensure that access to PII was limited to personnel members with business needs to access it.”
What happens next

The report recommends that OCABR create and follow policies for accessibility, data classification, data disposal, system-risk review, and access approval; OCABR said it has begun taking steps to address the findings.

“Based on its response, OCABR is taking measures to address our concerns regarding this matter.”
Why it's significant

The findings are significant because weak accessibility and data controls can make it harder for residents to use services and can increase the risk that sensitive personal information is exposed or misused.

“Improper management of data can not only harm OCABR, but it could also lead to increased risk and security vulnerabilities for Massachusetts residents who have used OCABR’s services.”
Jargon, unpacked

PII means personal information that can identify someone; IT governance means the rules and processes an agency uses to manage technology and data responsibly.

“IT governance refers to the processes that state agencies use to manage their IT resources.”

What the Auditor checked

What the Auditor found

OCABR’s website had broken hyperlinks and was not fully accessible for users.
recordkeeping/documentationinternal controls

Why it matters: Broken hyperlinks can prevent users, including people with disabilities, from accessing consumer protection resources, regulatory information, licensing forms, and other services.

Standard: WCAG 2.1 Success Criterion 2.4.5 requires more than one way to locate a webpage within a set of webpages, except for process steps. ( WCAG 2.1 Success Criterion 2.4.5 )

4 recommendations
  • OCABR should implement a policy to review its webpages periodically for WCAG 2.1 compliance.agency: already implemented
  • OCABR should collaborate with EOTSS to establish a link validation system using automated tools that regularly scan for broken hyperlinks and incorrect redirects.
  • OCABR should collaborate with EOTSS to develop a web maintenance schedule to review and update outdated or incorrect links on a periodic basis.
  • OCABR should assign designated staff members to oversee accessibility compliance and website updates.
Agency response & Auditor reply
Agency: "OCABR implemented an Enterprise Information Technology Accessibility Policy after the audit period and effective March 27, 2025, requiring quarterly accessibility reviews."
Auditor: "Based on its response, OCABR is taking measures to address our concerns regarding this matter."
OCABR did not have an information classification policy and did not classify its data.
cybersecuritydata privacyrecordkeeping/documentationinternal controls

Why it matters: Without information classification, sensitive data may be more vulnerable to unauthorized access, theft, misuse, legal liabilities, regulatory violations, and security risks for Massachusetts residents.

Standard: EOTSS Asset Management Standard IS.004 requires classification or sensitivity levels for all information. ( EOTSS Asset Management Standard IS.004, Section 6.2 )

2 recommendations
  • OCABR management should develop and implement an information classification policy to comply with EOTSS’s Asset Management Standard IS.004 and should assign an information custodian in this policy.agency: already implemented
  • OCABR should conduct a data inventory and classification assessment of information based on sensitivity, criticality, and regulatory requirements.
Agency response & Auditor reply
Agency: "OCABR developed a written Information Asset Policy after the audit period and effective October 2024."
Auditor: "Based on its response, OCABR is taking measures to address our concerns regarding this matter."
OCABR did not have procedures to dispose of information that exceeded retention periods.
recordkeeping/documentationinternal controlsdata privacycybersecurity

Why it matters: Keeping unnecessary data increases storage costs and creates security risks such as theft, mismanagement, unauthorized access, and potential compromise of residents’ information.

Standard: EOTSS Asset Management Standard IS.004 requires quarterly identification and secure deletion of stored information exceeding retention periods; the Massachusetts Statewide Records Retention Schedule requires certain data breach records to be retained for six years. ( EOTSS Asset Management Standard IS.004, Section 6.4.2.4; Massachusetts Statewide Records Retention Schedule, B06-26: Data Breach Records )

4 recommendations
  • OCABR should implement policies and procedures for information disposal to ensure that information is properly disposed of in accordance with Commonwealth retention schedules.agency: already implemented
  • OCABR should designate an information custodian responsible for ensuring compliance with data disposal policies.agency: already implemented
  • OCABR should implement an internal policy which includes the retention schedules and the procedures necessary to dispose of information, in no event before the expiration of its retention period.agency: already implemented
  • OCABR should implement a process in which it justifies the business need for archiving information kept past retention schedules.agency: already implemented
Agency response & Auditor reply
Agency: "OCABR developed a written OCABR Record Retention Schedule after the audit period and effective October 2024 and designated its General Counsel as Information Custodian."
Auditor: "Based on its response, OCABR is taking measures to address our concerns regarding this matter."
OCABR did not perform a business impact analysis or risk assessment to classify its information systems.
cybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Without system classification, OCABR may not properly protect vital systems from cybersecurity threats, natural disasters, or fraud, and may struggle to prioritize IT resources during emergencies.

Standard: EOTSS Asset Management Standard IS.004 requires agencies to conduct a business impact analysis or risk assessment to determine information system classifications. ( EOTSS Asset Management Standard IS.004, Section 6.6.2 )

2 recommendations
  • OCABR management should implement a policy to periodically conduct a business impact analysis or risk assessment in order to classify its information systems.
  • OCABR should review these classifications at least annually or anytime a significant system change occurs.
Agency response & Auditor reply
Agency: "A more comprehensive and detailed iteration is currently underway."
Auditor: "Based on its response, OCABR is taking measures to address our concerns regarding this matter."
OCABR did not ensure that access to personally identifiable information was limited to approved personnel with business needs.
data privacycybersecurityinternal controlsrecordkeeping/documentation

Why it matters: Granting access to PII without formal approval increases risks of data breaches, identity theft, reputational damage, legal liability, and harm to people whose information is compromised.

Standard: EOTSS Asset Management Standard IS.004 requires confidential information, including PII, to be restricted to personnel with a business need. ( EOTSS Asset Management Standard IS.004, Section 6.2.1; EOTSS Asset Management Standard IS.004, Section 6.2.1.1 )

3 recommendations
  • OCABR should ensure that every user requiring access to PII has their business need reviewed and approved before access is granted.
  • OCABR should implement role-based access aligned with least privilege.
  • OCABR should periodically review users’ access to determine whether users have appropriate approval.
Agency response & Auditor reply
Agency: "Prior to full implementation of the ServiceNow system in 2023, access to PII was provided in several controlled ways that did not consistently document approval, including verbal or e-mail requests from appropriate leadership."
Auditor: "Based on its response, OCABR is taking measures to address our concerns regarding this matter."

More audits of this entity

Other Office of the State Auditor reports on Office of Consumer Affairs and Business Regulation .

See this entity's page with all 2 audits →