IRS Loses Laptops; Your Data Exposed?
CBS News correspondent Peter Maer has covered the White House and executive branch agencies for more than 20 years.
The nation's tax collector is being called to task for lax security that could compromise personal information on thousands of taxpayers.
"Hundreds of IRS laptop computers" and other devices have been lost or stolen, according to a report (.pdf) by the Treasury Department inspector general's office. Many were swiped from employees' vehicles and homes, but investigators also learned that more than a fifth of the devices were stolen from IRS offices.
"It is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft" and other fraud, the report warns. "The Internal Revenue Service is not adequately protecting taxpayer data on laptop computers" and other devices.
The report also uncovered faulty encryption and password controls. The IRS annually processes more than 220 million tax returns. As any taxpayer knows, those returns include personal financial information and Social Security numbers. The IRS insists there have been no reports of identity theft linked to the missing laptops.
Investigators called for tighter security measures. The report noted the IRS has agreed to take "corrective actions."
The IRS is the latest federal agency to confront laptop security issues. Government investigators have found similar problems at other departments and offices, including the nation's top law enforcement agency, the FBI.
In February, the Justice Department's inspector general reported three or four FBI laptops are lost or stolen each month. The inspector general said it was "most troubling" that the FBI could not determine in many cases whether the lost or stolen laptops contained sensitive or classified information."
Last year, the Bush administration issued new recommendations for laptop encryption and other standards following computer security issues at a number of departments.
Earlier this year, a private group, the Cyber Security Industry Alliance, urged the government to increase efforts to improve information security. The group says that except for the Department of Veterans Affairs, "the federal government still has no requirement to notify individuals if their sensitive personal information has been compromised."
By Peter Maer