IRS Data Security Still a Concern

Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"

Why take data out of office?

[rueger]

...more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices.

It seems to me that most of the data breaches from large corporations and government come from just this - employees taking data files out of the office and losing them. Why of why don't employers simply insist that data stays on the premises? Surely keeping data in a secure physical location is the first step to safeguarding it.

Re:Why take data out of office?

[dbIII]

In my case I had to take things as far as two members of the board to stop an accountant taking the laptop with the only functioning copy of the application that handles most of the financial information on holiday to Bahrain of all places (at the start of the recent Iraq war). People really think these things are their own personal possessions and are convinced that they will not be stolen even if they leave it unattended on a beach in another country.

Re:Ron Paul...

[Harmonious+Botch]

Parent presumably means removing the IRS.

Traveling laptop your #5 problem ...

[AHumbleOpinion]

In my case I had to take things as far as two members of the board to stop an accountant taking the laptop with the only functioning copy of the application that handles most of the financial information on holiday

I hope your board members recognized the four more important problems as well. Your top five problems:
(1) Management allowed (2), (3), (4), and (5).
(2) The accountant allowed (3) and (5).
(3) You have one and only one system capable of running a critical application.
(4) This critical application is not being run on enterprise grade hardware.
(5) The accountant wanted to take the system on holiday.

If your board only addressed the laptop/holiday add:
(0) Board allowed (1), (2), (3), (4), or (5) as appropriate.

The devil is in the e-file

The biggest risk is not the IRS itself, but rather the e-file cabal of the IRS plus the companies that process and reformat your data for submission to the IRS. For instance, the TurboTax privacy statement and full text both promise certain steps, but there are gaping holes. Intuit keeps a copy of an e-filed return for at least three years, yet does not promise that the storage is encrypted. Data transmission from you to Intuit is encrypted (via 128-bit SSL), but some returns sent from Intuit to various agencies are NOT encrypted during transmission. Intuit claims that other companies providing services to Intuit may not use your data, but that does not prevent a breach if some employee does not follow the rules.

And of course any subpoena, court order, or National Security Letter presented to Intuit has full access to all your data, including aggregation (database "join" on SSN, phone, address, etc.) with various data brokers who market their services aggressively to Department of Homeland Security, etc. With the IRS itself you have some protection; with the e-file cabal you nave none.

Re:Ron Paul...

[darjen]

If the income tax was also abolished, there wouldn't be a need for administration and inforcement.