The comptroller’s December 2009 audit report can be found here. ACS collects a lot of PII on many children in NYC, including medical information, complaints of child abuse, etc.
The most significant audit findings included inadequate password security for the local network and Blackberry devices. With respect to the former, the audit found 15 instances (out of 64) where terminated employees still had access to the network, that passwords were not of required strength, and employees were not changing their passwords every 90 days as required by policy. The audit also found that ACS had not complied with requirements to classify information by its degree of sensitivity and need for protection.
By the end of the audit period, ACS reports that it was fully or partially in compliance with all recommendations.