BreachExchange mailing list archives

Personal data at risk in lost IRS laptops


From: Dissent <Dissent () pogowasright org>
Date: Thu, 05 Apr 2007 07:54:49 -0400

http://www.usatoday.com/money/perfi/credit/2007-04-05-irs-usat_N.htm?csp=34

At least 490 IRS computers have been stolen or lost since 2003 in 
security breaches that potentially jeopardized the personal 
information of more than 2,000 taxpayers, a government audit reported 
Wednesday.

The computers were lost in 387 incidents, most of which were not 
reported to the IRS computer security office as required, according 
to the report by the Treasury Inspector General for Tax Administration.

The audit also found that IRS laptops lacked adequate password 
controls and encryption software that would protect taxpayer 
information and other data.

"This is a serious concern," said Inspector General J. Russell 
George, whose findings quantified one of several recent computer 
security breaches involving federal agencies. "The American public 
relies on the IRS to protect the personal information they provide."

IRS Commissioner Mark Everson said the agency was unaware of any 
identity thefts stemming from the loss of the laptops. The IRS has 
"moved aggressively" since last summer to strengthen protection of 
taxpayer data, he said.

The audit focused on computer security incidents from January 2003 to 
June 2006 involving IRS personnel authorized to take electronic files 
outside their offices. Some of the incidents were previously made 
public in media or government reports. The IRS has assigned more than 
52,000 laptops to its workers.

While acknowledging that the IRS can't completely avoid computer 
thefts or losses, auditors found that many of the laptops had been 
stolen from vehicles, homes or other locations where the units had 
been left unattended or not locked up.

Personal data on at least 2,359 individuals were lost in the 
incidents, auditors found. Based on an examination that showed other 
IRS computers had unencrypted taxpayer and employee data, plus 
inadequate password protection, auditors reported it's "likely that a 
large number of the lost or stolen IRS computers could be accessed by 
unauthorized individuals."

IRS rules require employees to report lost or stolen computers to the 
agency's computer security office and the inspector general. Auditors 
determined that 76% of the incidents were not reported to IRS 
security personnel, who "could have helped negate the risk to taxpayers."

The auditors recommended that the IRS improve its response to 
computer security breaches by assessing the risk to taxpayers whose 
data could be threatened. The IRS should also periodically remind 
workers about security rules and provide instructions for encryption 
software, the audit said.

"Protection of taxpayer data is a top priority," said Everson, who 
said IRS laptops are now encrypted before they're issued to 
employees. Also, the agency now assesses the potential threat to 
taxpayers in all computer losses and stresses security training, he said.

--
Main site: http://www.pogowasright.org
Main RSS feed: http://www.pogowasright.org/backend/pogowasright.rss
Breaches RSS feed: http://www.pogowasright.org/backend/breaches.rss 

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 203 million compromised records in 609 incidents over 7 years.

