Treasury OIG Audit Reveals Taxpayer Data Not Adequately Protected on Laptops and Portable Media
Treasury Inspector General for Tax Administration – Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices. March 23, 2007. Reference Number 2007-20-048.
“IRS employees reported the loss or theft of at least 490 computers and other sensitive data in 387 separate incidents between January 2, 2003, and June 13, 2006. During this period, the IRS computer security organization was made aware of only 91 (24 percent) of the 387 incidents. TIGTA determined 176 incidents likely did not involve any loss of taxpayer data, but 126 incidents involved the loss of personal information for at least 2,359 individuals. TIGTA was unable to determine the effect on taxpayers for 85 incidents due to a lack of details in the incident documentation. A separate test of 100 laptop computers currently in use by employees determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data. In addition, 15 of the 44 laptop computers had incorrect settings that would allow anyone to bypass the password controls and access the contents on the laptop computer. Consequently, it is very likely that a large number of the lost or stolen IRS computers contained unencrypted data that could be easily accessed and read by persons gaining possession of the computers. Also, backup tapes were not encrypted and adequately protected at non-IRS offsite locations reviewed.”