Report: Lost IRS laptops put taxpayer data at risk

The agency has identified 387 data breach incidents due to lost computers having inadequate encryption of taxpayers’ personal data and weak password controls.

Thousands of taxpayers are potentially at risk of identity theft because the Internal Revenue Service has lost, or had stolen, 490 laptops over the last three years, a government report concludes. The agency has compiled a list of 387 data breach incidents among the missing computers attributable to inadequate encryption of taxpayers’ personal data and weak password controls, said the Treasury Inspector General for Tax Administration (TIGTA). At least 24 of those incidents, involving 480 individuals, could have been prevented if employees had followed IRS policies and procedures, TIGTA said in a recent report.

The IRS reported that the computers went missing between 2003 and 2006, many stolen from vehicles and homes and some from IRS facilities. The lost devices also included flash drives, CDs and DVDs. TIGTA reported similar findings in 2003, but said the IRS did not thoroughly correct the problems.

“As a result, it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes,” said Michael Phillips, TIGTA’s deputy inspector general for audit.

For its audit, TIGTA tested 100 laptops currently in use and determined that 44 still contained unencrypted sensitive data. Fifteen of the 44 were found to have weak security controls that were easy to bypass in order to gain access.

“Employees did not follow encryption procedures because they were either unaware of security requirements, did so for their own convenience, or did not know their own personal data were considered sensitive,” Phillips said.

TIGTA sought detailed information in June 2006 on data incidents for the previous 12 months. The IRS expanded the data collection because Rep. Tom Davis (R-Va.), then chairman of the House Government Reform Committee, requested information from all agencies on all data breaches since 2003. Davis sought the governmentwide data in the wake of the Department of Veterans Affairs' loss of sensitive data on millions of veterans last year.

Before TIGTA’s request for information, employees had reported only 24 percent of the incidents to the IRS' Computer Security Incident Response Center. The IRS counts 47,000 laptops among its employees. Because taxpayer data can be taken outside the IRS -- for example, by revenue agents making on-site visits to business taxpayers -- more security controls are needed. Those controls center on physically protecting computers and devices, encrypting taxpayer data on those devices, using software controls to limit access to computers, and reporting incidents.

The IRS has said it has no evidence of identity theft as a result of the missing laptops. The agency tightened reporting for data breach incidents in response to guidance from the Office of Management and Budget after the VA data breach. All data incidents must now be reported to TIGTA, in addition to the IRS Computer Security Incident Response Center and to front-line managers.

Since TIGTA’s audit, the IRS has implemented several of the auditor’s recommendations and corrective actions, the agency said. Those include deploying full disk encryption and physical cable locks on all laptops used by employees, and giving employees the capability to encrypt sensitive files and e-mails on their computers, said IRS Chief Information Officer Richard Spires.