IRS Data Security Still a Concern
Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"
Seems like the best way to solve this problem would be to remove any and all possible chance that the IRS might mishandle our data...
I used to work for a check printing company, and I can tell you that the most common type of check fraud is where someone orders checks with someone else's routing and account information. If you have a person's income tax statement complete with name, address, and bank account information, then you have all you need to order fraudulent checks. Heck, you could even have your name printed on them, but have the fraudulent account number info on the checks. You'd be surprised how easy it would be to cash such a check.
Not that I would recommend it: we, at the check company, were taught certain red flags, things to watch for that may indicate a fraudulent order (and a good CSR won't let on that they suspect you), and I won't go into those details here. And the penalties are pretty stiff if you are caught.
Intelligent responses welcome, flames will be met with marshmallows.
I don't doubt that it can be needed. IRS agents have to appear in court sometimes, either tax office courts that are not in their work locations or regular courts. They also have to contact some clients in the field, i.e. going to a business to look at its records. Often, tax law actually says a business must forward certain records automatically, but must retain other records on site for inspection. Plus the IRS is responsible for checking to see if retained copies match transmitted copies if there's doubt there.
How else can the IRS deal with a fairly common scenario such as this? (They get a dozen or so cases of this each year). The IRS receives a W-2 that has a mistake in social security withholding or some similar thing. The taxpayer claims that's what the company he works for sent him, but it doesn't match the copy the company sent the IRS. Both copies in the IRS's hands are photocopies. Close examination reveals faint indications of whiteout on the originals used to prepare both copies, in different places! Now imagine this has come up with half a dozen employees of the same company.
Dragging a whole business records department down to the IRS is doable, but the owners usually complain to their congressman, and have some clout. If they are really up to something, catching them by surprise is a lot better than giving them time to further fix the records. So, the IRS investigator travels with PDF copies of the documents in a laptop. The original paper is locked up, the better to maintain evidence accountability. The alternative is the agent travels with paper copies of the original copies. There's no way to encrypt those, of course. While most of these cases involve small businesses with only a handful of employees, it could also get pretty bulky. Sometimes, the agent might need multiple years' tax records for a whole business branch of a medium-sized corporation and all its employees, plus some records for the corporation's headquarters if that's separate.
(Megacorps do a better job of covering their tracks than this scenario assumes, so an office visit to Disney or IBM or Walmart is unlikely at best, and if it ever happened, the IRS would have to split the work between dozens of agents, each presumably carrying only a small part of the records.)
You're right, doing this should always involve very good encryption. It shouldn't ever involve a million+ people's records either, which is what the Social Security Administration and the Veterans Administration losses have entailed each time. It could make sense for 50 or so people's records though.
Who is John Cabal?
You can set up a fraudulent direct debit with just the account number and sort code. I had someone do that to me once - 86p to Carphone Warehouse. It did get refunded immediately when I complained.