United States: Perspective: Is The IRS Putting Your Private Data At Risk

Reprinted with permission from CNet.com

The Internal Revenue Service already takes your money. As if that weren't painful enough, it also seems that the IRS doesn't adequately protect your private information, according to a recent report by the Treasury Inspector General for Tax Administration.

Curious? You should be.

The IRS processes more than 220 million tax returns per year. These returns contain personal financial data and personally identifiable information that includes Social Security numbers. But a recent report by the Treasury Inspector General for Tax Administration concludes that hundreds of IRS laptops and other computer devices have been lost or stolen, employees have not properly encrypted data on the devices, and password controls for the laptops have not been adequate.

The conclusion: It is quite likely that sensitive data for a "significant number" of taxpayers has become available for potential identity theft and other fraudulent schemes. Not a pretty picture.

In terms of hard numbers, the report reveals that at least 490 IRS computers were lost or stolen between January 2, 2003 and June 13, 2006. While all such incidents cannot be prevented, the report suggests that the number would be lower had IRS employees locked laptops in cabinets at work when away from the office, locked them in their vehicles' trunks when unattended, and locked them up at home when not in use.

The report's conclusion is problematic. Lost or stolen devices open up the possibility for the revelation of sensitive data because IRS employees do not always follow encryption procedures. During the time period covered by the report, IRS staff were unaware of security requirements, were inattentive, or somehow did not know that your personal financial information is considered sensitive data. Yikes.

Let's just hope that going forward, the IRS does not take a "good enough for government work" attitude.

Not only have there been problems with laptops and other portable devices, but the report shows that the security of backup data at offsite facilities is not necessarily sound. At four such sites, for example, backup data was revealed to be inadequately encrypted and protected. Gulp.

Not surprisingly, the Treasury Inspector General for Tax Administration has some recommendations when it comes to the IRS and protecting sensitive taxpayer information. Employees are reminded of their responsibilities for protecting computer devices and purchasing locks for laptops. The report summarizes violation statistics and makes provisions for imposing penalties and disciplinary actions for negligence.

Recommendations also embrace providing proper instructions on correct encrypting procedures for sensitive information, annual validation of backups, and physical checks of offsite record-storage facilities.

According to the analysis, the IRS has agreed with all findings and most recommendations. Let's just hope that going forward, the IRS does not take a "good enough for government work" attitude. As part of its mission, the IRS has no trouble taxing you; now, it needs to put your money to work and ensure that private information provided as part of the tax process gets appropriate protection.

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. To receive his weekly columns, send an e-mail to ejsinrod@duanemorris.com with "Subscribe" in the subject line. The views expressed in this column do not necessarily reflect those of Sinrod's law firm or its individual partners.

This article is for general information and does not include full legal analysis of the matters presented. It should not be construed or relied upon as legal advice or legal opinion on any specific facts or circumstances. The description of the results of any specific case or transaction contained herein does not mean or suggest that similar results can or could be obtained in any other matter. Each legal matter should be considered to be unique and subject to varying results. The invitation to contact the authors or attorneys in our firm is not a solicitation to provide professional services and should not be construed as a statement as to any availability to perform legal services in any jurisdiction in which such attorney is not permitted to practice.

Duane Morris LLP, among the 100 largest law firms in the world, is a full-service firm of more than 600 lawyers. In addition to legal services, Duane Morris has independent affiliates employing approximately 100 professionals engaged in other disciplines. With offices in major markets, and as part of an international network of independent law firms, Duane Morris represents clients across the United States and around the world.