Treasury Inspector General for Tax Administration
September 14, 2009
Contact: Li-Yun Chien
The Treasury Inspector General for Tax Administration (TIGTA) today publicly released its review of whether the Internal Revenue Service (IRS) is adequately protecting sensitive data on laptop computers and other portable electronic media devices.
The IRS has effectively implemented encryption technologies on laptop computers and other portable storage devices. These systemic encryption solutions have strengthened the protection of taxpayer data and personally identifiable information (PII) and have reduced the chance of unauthorized disclosure of sensitive data when laptop computers and other portable electronic media devices are lost or stolen. The IRS has also taken actions to assist employees with securing laptop computers and sensitive data by purchasing cable locks for laptop computers, implementing a comprehensive training strategy that instructs employees on the process for reporting lost or stolen items, and informing employees of their responsibilities for securing sensitive data.
Although the IRS has made significant improvements relating to controls over electronic media devices and protection of sensitive data, TIGTA identified two areas where continued diligence is needed. First, processes for tracking security incidents could be enhanced to ensure that all incidents are properly handled. Second, the IRS needs to enforce controls for protecting backup data from unauthorized disclosure and ensuring its availability in the event of a disaster.
TIGTA recommended that 1) the IRS collaborate with TIGTA in order to ensure that all incidents involving unauthorized disclosure of PII in electronic or hard copy form are properly reported and shared between the IRS Computer Security Incident Response Center and TIGTA's Office of Investigations, and 2) IRS offices take steps to ensure that all backup data are properly protected from unauthorized access and disclosure.
IRS management agreed with TIGTA's recommendations.
"The IRS annually processes more than 220 million tax returns containing personal financial information and personally identifiable information such as Social Security numbers. If lost or stolen, taxpayer data can be used for identity theft and other fraudulent purposes," commented J. Russell George, the Treasury Inspector General for Tax Administration.
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2009reports/200920120fr.pdf
A special plugin is required to view PDF documents. To obtain the free PDF reader, please visit the Adobe web site.