By Kevin McCoy - USA Today
At least 490 IRS computers have been stolen or lost since 2003 in security breaches that potentially jeopardized the personal information of more than 2,000 taxpayers, a government audit reported Wednesday.
The computers were lost in 387 incidents, most of which were not reported to the IRS computer security office as required, according to the report by the Treasury Inspector General for Tax Administration.
The audit also found that IRS laptops lacked adequate password controls and encryption software that would protect taxpayer information and other data.
"This is a serious concern," said Inspector General J. Russell George, whose findings quantified one of several recent computer security breaches involving federal agencies. "The American public relies on the IRS to protect the personal information they provide."
IRS Commissioner Mark Everson said the agency was unaware of any identity thefts stemming from the loss of the laptops. The IRS has "moved aggressively" since last summer to strengthen protection of taxpayer data, he said.
The audit focused on computer security incidents from January 2003 to June 2006 involving IRS personnel authorized to take electronic files outside their offices. Some of the incidents were previously made public in media or government reports. The IRS has assigned more than 52,000 laptops to its workers.
While acknowledging that the IRS can't completely avoid computer thefts or losses, auditors found that many of the laptops had been stolen from vehicles, homes or other locations where the units had been left unattended or not locked up.
Personal data on at least 2,359 individuals were lost in the incidents, auditors found. Based on an examination that showed other IRS computers had unencrypted taxpayer and employee data, plus inadequate password protection, auditors reported it's "likely that a large number of the lost or stolen IRS computers could be accessed by unauthorized individuals."
IRS rules require employees to report lost or stolen computers to the agency's computer security office and the inspector general. Auditors determined that 76% of the incidents were not reported to IRS security personnel, who "could have helped negate the risk to taxpayers."
The auditors recommended that the IRS improve its response to computer security breaches by assessing the risk to taxpayers whose data could be threatened. The IRS should also periodically remind workers about security rules and provide instructions for encryption software, the audit said.
"Protection of taxpayer data is a top priority," said Everson, who said IRS laptops are now encrypted before they're issued to employees. Also, the agency now assesses the potential threat to taxpayers in all computer losses and stresses security training, he said.
http://money.aol.com/news/articles/_a/personal-data-at-risk-in-lost-irs/20070405071309990001
Printer-friendly format
Email this thread to a friend
Bookmark this thread
(1000+ posts)
Send PM |
Profile |
Ignore
