Wednesday, April 18, 2007

IRS Not Adequately Protecting Sensitive Data

By Eric Sinrod

First, the IRS takes your money, and now it seems that the IRS may not be adequately protecting your private information, according to a recent report by the Treasury Inspector General for Tax Administration. Curious? You should be.

The IRS processes in excess of 220 million tax returns per year. These returns contain personal financial data and personally identifiable information that includes social security numbers. The report concludes that hundreds of IRS laptops and other computer devices have been lost or stolen, employees have not properly encrypted data on the devices, and password controls for the laptops have not been adequate. As a consequence, it is "very likely" that sensitive data for a "significant number" of taxpayers has become available for potential identity theft and other fraudulent schemes. Not a pretty picture.

In terms of hard numbers, the report reveals that at least 490 IRS computers were lost or stolen between January 2, 2003 and June 13, 2006. While not every such incident can be prevented, the report suggests that the number would have been lower had IRS employees locked laptops in cabinets at work when away from the office, locked them in the trunks of their vehicles when unattended, and locked them up at home when not in use.

Problematic is the report's conclusion that lost or stolen devices open up the possibility of sensitive data being revealed, since IRS employees do not always follow encryption procedures, whether because they were unaware of security requirements, were inattentive, or did not know that personal data is considered sensitive. Yikes.

Not only have there been problems with laptops and other portable devices, but the report shows that backup data at offsite facilities is not necessarily secure. At four such sites, for example, backup data has not been encrypted and adequately protected. Gulp.

Not surprisingly, the Treasury Inspector General for Tax Administration has some recommendations when it comes to the IRS and protection of sensitive taxpayer information. These recommendations include reminding employees of their responsibilities for protecting computer devices, purchasing locks for laptops, imposing penalties for negligence, and summarizing violation statistics and disciplinary actions.

The recommendations also embrace providing proper instructions on encrypting sensitive information, checking of encryption by employees, conducting annual inventory validation of backup media, and performing physical checks of offsite facilities used to store media.

The report indicates that the IRS has agreed with all of its findings and most of its recommendations. Let's just hope that going forward, the IRS does not take a "good enough for government work" attitude. The IRS as part of its mission has no trouble taxing you - now, let's hope that your money is put to work to ensure that the private information you provide as part of the tax process is protected properly.