IRS Data Security Still a Concern

Lucas123 writes "Computerworld has a story about the possibility and the potential ramifications of an IRS data loss similar to the UK's recent mishap. According to one World Bank executive, it could have already happened, 'and we don't know about it.' While the IRS does offer data encryption to its workers, more than half of its 94,000 employees have permission to take taxpayer information to locations outside the IRS offices. In the 2007 filing season, roughly 128 million individual tax returns were filed. In addition to the basic personal information on those forms, an IRS breach could also jeopardize the banking information of the 46% of filers who requested direct deposit refunds. This is not the first time that IRS security has been called into question, and the Department of Treasury's progress in that arena is dubious. [PDF]"

Traveling laptop your #5 problem ...

[AHumbleOpinion]

In my case I had to take things as far as two members of the board to stop an accountant taking the laptop with the only functioning copy of the application that handles most of the financial information on holiday

I hope your board members recognized the four more important problems as well. Your top five problems:
(1) Management allowed (2), (3), (4), and (5).
(2) The accountant allowed (3) and (5).
(3) You have one and only one system capable of running a critical application.
(4) This critical application is not being run on enterprise grade hardware.
(5) The accountant wanted to take the system on holiday.

If your board only addressed the laptop/holiday add:
(0) Board allowed (1), (2), (3), (4), or (5) as appropriate.

Scare Reporting

[Grech]

Full Disclosure: I work for the IRS, and have a business need to take OUO or SBU data outside of the campus where I work from time to time.

Glossary:

• OUO: [O]fficial [U]se [O]nly.- This is a class of information
• SBU: [S]ensitive [B]ut [U]nclassified This is the category into which all identifiable taxpayer data falls, and falls under the protection of IRC 6103 (with consequences defined in IRC 1203)

The article here is pure scaremongering, though it does at least touch on some of the procedures the Service used to secure taxpayer data. The article makes the following points.

1. The IRS has lots of sensitive data
2. If individual people tasked with protecting sensitive information do stupid things, it will defeat any security measure.

When a laptop is issued, it gets whole disk encryption that can't be turned off by the user. Similarly, when the IRS issues other portable devices, they get the same. The rule, of course, is that you don''t hook up anything the IRS doesn't own to anything it does, so personal thumb drives and home networks should not be an issue, and we make the point every time we issue hardware. Similarly, the article talks about unencrypted drives on Campus machinery, but if someone has penetrated the physical security of the Campus and actually swipes one of these hard drives, things have already gone horribly wrong.

If the IRS lost a great whacking load of SBU data, of course it would be a disaster, this is nothing new, and is obvious. The article makes it seem like it's inevitable or in immediate danger of happening, and this just isn't true.