Aiding and abetting identity theft
Saturday, April 07, 2007
Is the IRS contributing to identity theft? Possibly.
Over the last few years, the tax agency has lost or had stolen nearly 500 laptop computers that contained taxpayer data. To be fair, the IRS isn't alone when it comes to lax laptop security, as noted in this previous post.
But when it's the IRS you're talking about, some seriously personal financial data is floating around. That's exactly what a recent investigation by the Treasury Inspector General for Tax Administration (TIGTA) discovered.
In a report issued March 23, TIGTA says at least 490 IRS laptop computers and other computer devices were lost or stolen, from workers' homes, cars and even from their offices, between Jan. 2, 2003, and June 13, 2006.
Wait. There's more. The inspectors looked at another 100 machines still in IRS possession and found many instances where the data on the computers were not properly encrypted or password controls were not adequate.
"As a result, it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes," according to TIGTA inspectors.
Yikes!
Unfortunately, the only recourse we taxpayers have is to complain to the IRS and our members of Congress about these security breaches. That plus regularly checking on our credit reports. One free report a year is available from each of the three major credit bureaus via AnnualCreditReport.com.
Stepping up security: On the good news side, the feds are making some positive noises about the situation. TIGTA made several recommendations on how to improve IRS computer security and reports that the tax agency was very responsive to the suggestions.
Now the bad news. The oversight group says it made such suggestions back in 2003 when it found other similar lapses, but the IRS did not take "adequate corrective actions." You think?
This time, TIGTA says the corrective measures include the IRS agreeing to regularly announce disciplinary penalties it imposes when security measures are not followed. This should help remind employees to be vigilant in protecting personal info, both of IRS personnel and taxpayers, and agency equipment. I know shame used to work when I was a kid, but we'll just have to wait and see how effective it is on IRS employees.
TIGTA says the agency also has implemented mandatory information protection training to remind IRS workers of their responsibilities in this area. All IRS employees took the training last November.
And the IRS has instituted periodic inspections of laptops to ensure encryption protocols are being used. Sort of the IRS version of random data drug testing.
Here's hoping this latest round of wrist slapping helps get the IRS on the proper property data security track.
Secure yourself: I just wrote a story on tax terrors, those fears that crop up every filing season, and one of them involved sending data electronically to the IRS. One of the ways to reduce this fear is to make sure you're taking the appropriate computer security steps. You can read about that fear and the six others here.
Other enhancements: PC World says that while the IRS may not be doing a very good job of encrypting data on its laptops, it does have a way to recover its lost equipment.
"In fact, thieves looking to steal from the U.S. Department of the Treasury may find themselves behind bars, thanks to tracking software used by the IRS to contact investigators whenever a laptop is stolen," according to this story.
The article cites TIGTA's semiannual report to Congress late last year, which discussed some of the high-tech security tricks the IRS uses (details begin on page 6 of the report). They include combining video technology with specialized software to keep track of some PCs; video-over-Internet technology to remotely operate surveillance cameras on its premises; and special software that lets IRS PCs notify government agencies if the computer goes missing.
In addition, the Integrated Data Retrieval System (IDRS) routinely generates reports to identify unauthorized access to taxpayer accounts. This is primarily an internal security measure, used to catch employees who violate the Taxpayer Browsing Protection Act of 1997.
Unfortunately, TIGTA's report notes that during the period the oversight group was investigating IRS security, it found that fewer than half of the IDRS reports were reviewed by IRS managers. No follow-through means agency employees likely are browsing taxpayers' information with little chance of detection. TIGTA says the agency "has not sufficiently emphasized the importance of these reports and has not held managers accountable for reviewing them."
The report's final analysis: "The IRS is making steady progress toward improving computer security; however, much work needs to be done."
Amen.