April 18, 2007 4:00 AM PDT
Perspective: Is the IRS putting your private data at risk?
Curious? You should be.
The IRS processes more than 220 million tax returns per year. These returns contain personal financial data and personally identifiable information that includes Social Security numbers. But a recent report by the Treasury Inspector General for Tax Administration concludes that hundreds of IRS laptops and other computer devices have been lost or stolen, employees have not properly encrypted data on the devices, and password controls for the laptops have not been adequate.
The conclusion: It is quite likely that sensitive data for a "significant number" of taxpayers has become available for potential identity theft and other fraudulent schemes. Not a pretty picture.
In terms of hard numbers, the report reveals that at least 490 IRS computers were lost or stolen between January 2, 2003, and June 13, 2006. While not all such incidents can be prevented, the report suggests that the number would be lower had IRS employees locked laptops in cabinets at work when away from the office, locked them in their vehicles' trunks when unattended, and locked them up at home when not in use.
The report's conclusion is problematic. Lost or stolen devices open up the possibility for the revelation of sensitive data because IRS employees do not always follow encryption procedures. During the time period covered by the report, IRS staff were unaware of security requirements, were inattentive, or somehow did not know that your personal financial information is considered sensitive data. Yikes.
Not only have there been problems with laptops and other portable devices, but the report shows that the security of backup data at offsite facilities is not necessarily sound. At four such sites, for example, backup data was revealed to be inadequately encrypted and protected. Gulp.
Not surprisingly, the Treasury Inspector General for Tax Administration has some recommendations when it comes to the IRS and protecting sensitive taxpayer information. Employees are reminded of their responsibilities for protecting computer devices and purchasing locks for laptops. The report summarizes violation statistics and makes provisions for imposing penalties and disciplinary actions for negligence.
Recommendations also embrace providing proper instructions on correct encrypting procedures for sensitive information, annual validation of backups, and physical checks of offsite record-storage facilities.
According to the analysis, the IRS has agreed with all findings and most recommendations. Let's just hope that going forward, the IRS does not take a "good enough for government work" attitude. As part of its mission, the IRS has no trouble taxing you; now, it needs to put your money to work and ensure that private information provided as part of the tax process gets appropriate protection.
is a partner in the San Francisco office of . His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to email@example.com with "Subscribe" in the subject line. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.