Keystroke monitoring to protect the public

The Massachusetts Dept. of Revenue knows more than most government agencies about monitoring employees' activities for illegal behavior. The department is profiled in a CSO Online article about keystroke monitoring. The Bay State's tax department started a program to protect the confidentiality of famous sports figures' tax returns 1992 but eventually realized they needed a comprehensive way to protect everyone's returns.

Eventually, Moynihan—and his boss, the commissioner—realized the DoR had to monitor every access of every taxpayer's personal information on the database. Integrity of the process was not only an ethical matter—a public-sector breach could lead to major political ramifications. "If at any time a confidentiality problem hit the papers and taxpayers felt the system was not protecting their information, it could impact voluntary [income tax] compliance. The consequences could be immeasurable," he says.

In 1997, the Department of Revenue spent $300,000 (out of an overall IT budget of $25 million) to custom develop its Transaction Tracking system based on a Unisys mainframe. The system captures every access of taxpayer data in Massachusetts and creates audit trails for future reference. Once auditors monitoring the database identify a potential violation of the data access policy, such as an anomaly in the audit trail, they give the employee a chance to explain. If there is no reasonable explanation for the data access, the case is referred to internal investigators for further analysis and an interview with the employee. Disciplinary actions that could follow include firing an employee for a first offense.