TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION
The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices
March 23, 2007
Reference Number: 2007-20-048
This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.
Redaction Legend:
3(d) = Identifying Information - Other Identifying Information of an Individual or Individuals
Phone Number | 202-927-7037
Email Address | Bonnie.Heald@tigta.treas.gov
Web Site | http://www.tigta.gov
March 23, 2007
MEMORANDUM FOR CHIEF INFORMATION OFFICER
CHIEF,
FROM: Michael R. Phillips /s/ Michael R. Phillips
Deputy Inspector General for Audit
SUBJECT: Final Audit Report – The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other Portable Electronic Media Devices (Audit # 200620001)
This report presents the results of our review to determine whether the Internal Revenue Service (IRS) is adequately protecting sensitive data on laptop computers and portable electronic media devices. The audit focused on the security of laptop computers and the encryption of sensitive data maintained on laptop computers. We also evaluated the storage methods for backup tapes at non-IRS offsite facilities.
Impact on the Taxpayer
The IRS annually processes more than 220 million tax returns containing personal financial information and personally identifiable information such as Social Security Numbers.
We found hundreds of IRS laptop computers and other computer devices had been lost or stolen, employees were not properly encrypting data on the computer devices, and password controls over laptop computers were not adequate. As a result, it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes.
Synopsis
IRS employees reported the loss or theft of at least 490 computers between January 2, 2003, and June 13, 2006. No organization is impervious to theft or loss of computers, especially an organization as large as the IRS with approximately 100,000 employees. Many incidents cannot be prevented, but employees can reduce the risk by taking precautions. For example, because a large number of laptop computers were stolen from vehicles and employees’ residences, employees may not have secured their laptop computers in the trunks of their vehicles or locked their laptop computers at home. Further, because 111 incidents occurred within IRS facilities, employees were likely not storing their laptop computers in lockable cabinets while the employees were away from the office.
IRS procedures require employees to report lost or stolen computers to the IRS Computer Security Incident Response Center (CSIRC) and to the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations. Employees reported the loss or theft of at least 490 computers and other sensitive data in 387 separate incidents. Employees reported 296 (76 percent) of the incidents to the TIGTA Office of Investigations but not to the CSIRC. In addition, employees reported 91 of the incidents to the CSIRC; however, 49 of these were not reported to the TIGTA Office of Investigations. Coordination was inadequate between the CSIRC and the TIGTA Office of Investigations to identify the full scope of the losses.
We found limited definitive information on the lost or stolen computers, such as the number of taxpayers affected, when we conducted our review. However, we conducted a separate test on 100 laptop computers currently in use by employees and determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data. As a result, we believe it is very likely a large number of the lost or stolen IRS computers contained similar unencrypted data. Employees did not follow encryption procedures because they were unaware of security requirements, chose convenience over compliance, or did not know that their own personal data were considered sensitive.
We also found other computer devices, such as flash drives, CDs, and DVDs, on which sensitive data were not always encrypted. We reported similar findings in July 2003, but the IRS had not taken adequate corrective actions.
In addition to encryption solutions to protect sensitive data on its laptop computers, the IRS requires controls, such as usernames and passwords, to restrict access to laptop computers. However, 15 of the 44 laptop computers with unencrypted sensitive data had security weaknesses that could be exploited to bypass these security controls. We believe system administrators either incorrectly configured the computers upon deployment or did not correctly reset the controls after working on the computers.
We also evaluated the security of backup data stored at four offsite facilities. Backup data were not encrypted and adequately protected at the four sites. For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media. Envelopes and boxes with backup media were open and not resealed. At another site, one employee who retired in March 2006 had full access rights to the non-IRS offsite facility when we visited in July 2006. Also, inventory controls for backup media were inadequate. We attributed these weaknesses to a lack of emphasis by management.
Recommendations
We recommended the Chief, Mission Assurance and Security Services, refine incident response procedures to ensure sufficient details are gathered regarding taxpayers potentially affected by a loss; coordinate with business units to better quantify past incidents; periodically remind employees of their responsibilities for protecting computer devices; consider purchasing computer cable locks for employees’ laptop computers; and periodically publicize an explanation of employees’ responsibilities for preventing the loss of computer equipment and taxpayer data, the penalties for negligence over these responsibilities, and a summary of actual violation statistics and disciplinary actions.
We recommended the Chief Information Officer include a reminder about encrypting sensitive information in the employees’ annual certification of security awareness, including instructions on using approved encryption software on electronic media devices, such as flash drives; require front-line managers to periodically check their employees’ laptop computers to ensure encryption solutions are being used by employees; consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees’ discretion as to what data to encrypt; require system administrators to check security configurations when servicing computers; implement procedures to encrypt backup data sent to non-IRS offsite facilities; and ensure employees assigned to oversee these facilities conduct an annual inventory validation of backup media and a physical security check of the offsite facility used to store the media.
Response
IRS management agreed with all of our findings and most of the recommendations. For Recommendations 5 and 7, the IRS offered alternative corrective actions that adequately addressed our findings. We concur with the planned corrective action for Recommendation 5 and encourage the IRS to consider publishing annual statistics on disciplinary penalties. We also concur with the alternative corrective action for Recommendation 7 because implementation of disk encryption no longer requires employee actions to encrypt sensitive data. Management’s complete response to the draft report is included as Appendix VI.
Copies of this report are also being sent to the IRS managers affected by the report recommendations. Please contact me at (202) 622-6510 if you have questions or Margaret E. Begg, Assistant Inspector General for Audit (Information Systems Programs), at (202) 622-8510.
Physical Security Was Not Adequate Over Computer Equipment
Sensitive Data Were Not Encrypted on Laptop Computers and Other Electronic Media
Access Controls on Laptop Computers Could Be Easily Circumvented
Backup Data Were Not Encrypted and Adequately Protected
Appendices
Appendix I – Detailed Objectives, Scope, and Methodology
Appendix II – Major Contributors to This Report
Appendix III – Report Distribution List
Appendix V – Office of Management and Budget Memoranda
Appendix VI – Management’s Response to the Draft Report
Abbreviations
| CSIRC | Computer Security Incident Response Center |
| IRS | Internal Revenue Service |
| TIGTA | Treasury Inspector General for Tax Administration |
The Internal Revenue Service (IRS) annually processes more than 220 million tax returns containing personal financial information and personally identifiable information such as Social Security Numbers. If lost or stolen, taxpayer data can be used for identity theft and/or other fraudulent purposes. Identity theft refers to a crime in which someone wrongfully obtains and uses another person’s personal data in some way that involves fraud or deception, typically for financial or economic gain. According to the Federal Bureau of Investigation, identity theft is one of the fastest growing white collar crimes in the United States. The Department of Commerce estimates that more than 50 million identities were compromised in 2005.
Recently, safeguarding personally identifiable information has received much publicity. For example:
Most IRS employees use taxpayer information to carry out their responsibilities within the protection of IRS facilities; however, some employees are allowed to take electronic taxpayer data outside of the office for business purposes. For example, revenue agents may take electronic taxpayer records with them when conducting onsite visits to business taxpayers. In addition, as of July 2006, more than 25,000 IRS employees had the ability to access the IRS network from outside of IRS facilities. Overall, the IRS has over 47,000 portable laptop computers assigned to its employees.
Because taxpayer data are allowed to be taken outside of IRS facilities, additional security controls are required, such as:
· Physically protecting computer devices – Employees in possession of computer devices must adhere to specific security policies and handling procedures to minimize the chance of loss or theft of the device. For example, when transporting a laptop computer in a vehicle, an employee should store the computer in the vehicle’s trunk or a place that is not visible from outside of the vehicle.
· Encrypting[3] taxpayer data on computer devices – Even if a computer device is lost or stolen, the data can be protected if the data are encrypted. Encryption ensures no one other than the authorized user can access and view the data maintained on the computer device.
· Using software controls to limit access to computers – If a computer is lost or stolen, the data can still be protected to some degree by requiring the user to enter a valid username and corresponding password soon after starting up the computer. This control can sometimes be bypassed if the computer is not properly configured.
· Reporting incidents – Any employee who loses a computer must follow specific reporting instructions to ensure the proper authorities are notified. Actions should then be taken to disable user accounts and to look for clues, in case an attempt is made to use the computer to access the IRS network.
In addition, data that are backed up and stored offsite so operations can be restored in the event of a disaster may also be at risk.[4] If the backup location is not within the organization’s control (e.g., a contractor’s site), security policies and procedures must be implemented to ensure the data are protected from unauthorized access and fully accounted for.
This review was part of our Fiscal Year 2006 Annual Audit Plan and was based on our findings from previous years of noncompliance in safeguarding taxpayers’ data.[5] We recognized the enormous risk of having taxpayer data outside of IRS offices and the importance of establishing policies and procedures, implementing security solutions to protect taxpayer data, educating employees on protecting taxpayer data, and following up to ensure security solutions are working as intended. As such, we had initiated this review prior to the Department of Veterans Affairs theft incident. During our review, the Office of Management and Budget[6] issued several memoranda to Federal Government agencies on the topic of safeguarding personally identifiable information. Appendix V provides a brief explanation of these Office of Management and Budget memoranda.
This review was performed at the Area Offices in New Carrollton, Maryland; Laguna Niguel, California; Atlanta, Georgia; Cincinnati, Ohio; and Salt Lake City, Utah; the Campuses[7] in Fresno, California; Atlanta, Georgia; Covington, Kentucky; and Ogden, Utah; and 4 non-IRS offsite facilities located fewer than 40 miles from the 4 Area Offices (excluding the Area Office in New Carrollton, Maryland) during the period April through December 2006. The audit was conducted in accordance with Government Auditing Standards. Detailed information on our audit objectives, scope, and methodology is presented in Appendix I. Major contributors to the report are listed in Appendix II.
Employees Reported the Loss or Theft of at Least 490 Computers and Other Sensitive Data in 387 Incidents From January 2003 to June 2006
On June 15, 2006, we requested that the IRS provide us information on all incidents relating to the loss or theft of computer devices since April 2005. To fulfill our request, the IRS researched its own records from the IRS Computer Security Incident Response Center (CSIRC)[8] and validated its information with the Treasury Inspector General for Tax Administration (TIGTA) Office of Investigations, the law enforcement organization for internal IRS affairs. On July 10, 2006, the Chairman of the House Committee on Government Reform sent a letter to the Secretary, Department of the Treasury, requesting information on all incidents since January 1, 2003, involving the loss or compromise of any sensitive personal information held by the Department of the Treasury. As a result of our request and the House Committee on Government Reform letter, the IRS compiled a list of 387 incidents, including the loss or theft of at least 490 computers[9] from January 2, 2003, to June 13, 2006.
IRS procedures require that, when computers are lost or stolen, employees must report the incident to the TIGTA Office of Investigations for further investigation and possible recovery efforts. In addition, employees must report the incident to the CSIRC for tracking actions, such as determining if anyone has attempted to use the computers to access the IRS network and follow-on actions such as canceling remote access accounts.
Employees did not properly report 76 percent of all incidents of lost or stolen computers and/or sensitive data to the IRS CSIRC.
Prior to our June 2006 request for information on all incidents relating to the loss or theft of computer devices and/or personally identifiable information, the CSIRC was made aware of only 91 (24 percent) of the 387 incidents. Of the 91 incidents reported to the CSIRC, 42 were also reported to the TIGTA Office of Investigations and 49 were not. The TIGTA Office of Investigations was aware of 296 (76 percent) of the 387 incidents, none of which had been reported to the CSIRC.
When computer equipment is lost or stolen, the primary concern is the data contained on the computer. In conjunction with the CSIRC, we evaluated all 387 incidents to determine how many involved the loss or compromise of personally identifiable information and to identify the impact to taxpayers.
We were unable to determine the full impact to the taxpayers for many of the incidents involving the loss or theft of computer equipment and/or taxpayer data.
We determined it was unlikely that 176 (45 percent) of the 387 incidents involved taxpayer data. For the remaining 211 incidents, we analyzed the incident writeups as of June 2006 and found 126 contained sufficient details to show that personal information for at least 2,359 individuals was involved with the incidents. We were unable to identify the nature of the data loss and the identities of taxpayers whose information may have been lost for the other 85 of 211 incidents due to lack of details in the incident writeups.
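The reconciliation the report describes, modelled in code as an added example that is not part of the TIGTA report: two incident registers (one per reporting channel) are merged on a heuristic identity test so that incidents known to only one channel can be counted, and each writeup is checked for the details the auditors found missing (whether sensitive data were involved, for how many people, and whether the device was encrypted). The channel labels, field names, matching rule and every record are constructed placeholders, not IRS or TIGTA data.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    source: str               # reporting channel, constructed: "CSIRC" or "TIGTA-OI"
    reported: date            # date the report was filed
    asset_tag: Optional[str]  # inventory tag, when the report recorded one
    employee: str             # reporting employee (constructed placeholder ids)
    item: str                 # e.g. "laptop", "flash drive"
    writeup: str              # free-text incident narrative


def same_event(a: Incident, b: Incident, window_days: int = 14) -> bool:
    """Heuristic identity test for two reports that share no incident id.
    If both reports carry an asset tag, the tags decide; otherwise fall back to
    same employee, same item type and filing dates within a short window."""
    if a.asset_tag and b.asset_tag:
        return a.asset_tag == b.asset_tag
    return (a.employee == b.employee and a.item == b.item
            and abs((a.reported - b.reported).days) <= window_days)


def reconcile(csirc: List[Incident], tigta: List[Incident]) -> dict:
    """Merge the two registers and count incidents seen by both, by one only,
    and in total. Each TIGTA record is matched at most once, so a duplicate
    CSIRC filing cannot absorb two distinct TIGTA cases."""
    used = set()
    both, csirc_only = [], []
    for c in csirc:
        hit = next((i for i, t in enumerate(tigta)
                    if i not in used and same_event(c, t)), None)
        if hit is None:
            csirc_only.append(c)
        else:
            used.add(hit)
            both.append((c, tigta[hit]))
    tigta_only = [t for i, t in enumerate(tigta) if i not in used]
    return {"both": len(both), "csirc_only": len(csirc_only),
            "tigta_only": len(tigta_only),
            "total": len(both) + len(csirc_only) + len(tigta_only)}


_COUNT = re.compile(r"\b\d+\s+(?:taxpayers|individuals|employees)\b", re.I)
_NO_DATA = re.compile(r"\bno (?:taxpayer|sensitive|personal) data\b", re.I)
_ENCRYPTION = re.compile(r"\b(?:un)?encrypted\b", re.I)


def writeup_is_sufficient(writeup: str) -> bool:
    """A writeup supports an impact assessment only if it states whether the
    device held sensitive data (and for how many people) and whether it was
    encrypted; anything less leaves the affected taxpayers unidentifiable."""
    states_data = bool(_COUNT.search(writeup) or _NO_DATA.search(writeup))
    states_encryption = bool(_ENCRYPTION.search(writeup))
    return states_data and states_encryption


# Constructed sample registers (not real IRS or TIGTA records).
SAMPLE_CSIRC = [
    Incident("CSIRC", date(2006, 3, 1), "LT-0001", "EMP-A", "laptop",
             "Laptop stolen from vehicle; unencrypted records for 120 taxpayers"),
    Incident("CSIRC", date(2006, 4, 10), None, "EMP-B", "laptop",
             "Laptop missing after site visit"),
    Incident("CSIRC", date(2006, 5, 5), "FD-0003", "EMP-C", "flash drive",
             "Flash drive lost; encrypted, no taxpayer data"),
]
SAMPLE_TIGTA = [
    Incident("TIGTA-OI", date(2006, 3, 2), "LT-0001", "EMP-A", "laptop",
             "Theft report, vehicle break-in"),
    Incident("TIGTA-OI", date(2006, 4, 12), None, "EMP-B", "laptop",
             "Theft report, hotel"),
    Incident("TIGTA-OI", date(2006, 2, 20), "LT-0009", "EMP-D", "laptop",
             "Theft report, IRS facility"),
    Incident("TIGTA-OI", date(2006, 6, 1), None, "EMP-E", "laptop",
             "Loss report, airport"),
]

if __name__ == "__main__":
    print(reconcile(SAMPLE_CSIRC, SAMPLE_TIGTA))
    # {'both': 2, 'csirc_only': 1, 'tigta_only': 2, 'total': 5}
    for inc in SAMPLE_CSIRC:
        print(inc.asset_tag or inc.employee, writeup_is_sufficient(inc.writeup))
```

Only the union of both registers gives the true incident count; with the sample data three of five incidents would be invisible to a count taken from the CSIRC register alone.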
We believe IRS employees who reported incidents to the TIGTA Office of Investigations did not extend the reporting process to their own internal computer security organization. We surmised that employees were mainly concerned with the reporting of the incidents to law enforcement authorities and the investigation and recovery of the lost or stolen computer equipment. Managers of these employees and information technology support functions, who were involved with replacing computer equipment for the employees, did not ensure the CSIRC was notified of the incidents.
Prior to the Department of Veterans Affairs incident in May 2006, the CSIRC had not placed sufficient emphasis on identifying actual taxpayers potentially affected by lost or stolen computers. The TIGTA Office of Investigations did investigate many of these incidents, but its approach was from a criminal focus (e.g., identifying the perpetrator, recovering the stolen equipment). In addition, coordination between the CSIRC and the TIGTA Office of Investigations was inadequate to identify the full scope of the losses.
On July 7, 2006, the Chief, Mission Assurance and Security Services, issued a memorandum regarding Updated Guidance for IRS Computer Security Incident Reporting to all IRS heads of office. This memorandum reemphasized reporting requirements and stated that all computer security incidents shall be reported to the CSIRC and to front-line managers. In addition, any incident involving physical loss of equipment that could result in unauthorized access to IRS systems or information must also be reported to the TIGTA Office of Investigations. Prior to issuance of this memorandum, the IRS Commissioner had issued an email to all IRS managers, reminding them to safeguard personally identifiable information and to immediately report any security incidents to the CSIRC. The email message also stated that, for cyber-security incidents involving access to or disclosure of taxpayer data or possible incidents of identity theft, managers should work with the CSIRC to promptly notify the TIGTA Office of Investigations. As a final measure to ensure total coordination, the IRS is in the process of entering into an agreement with the TIGTA Office of Investigations to share all incidents relating to the loss or theft of information technology assets.
The above corrective actions taken by the IRS during our audit should sufficiently address the causes of the lack of full reporting by employees. However, on July 19, 2006, the Chairman of the House Committee on Government Reform introduced legislation to require Federal Government agencies to make public notifications in the event of data breaches involving sensitive information. The legislation, which would amend the Federal Information Security Management Act,[10] directs the Office of Management and Budget to establish policies, procedures, and standards for agencies to follow if sensitive personal information is lost or stolen. In anticipation of this legislation, we are making the following recommendations.
Recommendations
The Chief, Mission Assurance and Security Services, should:
Recommendation 1: Refine CSIRC reporting and handling procedures to ensure sufficient details are gathered and recorded in the incident writeups regarding taxpayers potentially affected by a loss and the nature of the lost data.
Management’s Response: The IRS agreed with this recommendation. The Mission Assurance and Security Services organization has refined the incident handling and reporting procedures to ensure sufficient details are gathered and recorded regarding taxpayers potentially affected by the loss and the nature of the lost data. These refinements include the creation of a Personally Identifiable Information Incidence Working Group, which has developed an incident management policy; a personally identifiable information analysis template; and a risk analysis framework. These efforts have resulted in modification to the CSIRC intake process and a handoff of appropriate incidents to the core response group for disposition.
Management’s Response: The IRS agreed with this recommendation. Between July and September 2006, the Mission Assurance and Security Services organization launched two efforts to refine CSIRC reporting and handling procedures. First, for each of the business units that have reported lost or stolen computer devices since 2003, the Mission Assurance and Security Services organization has requested a quantification of the impact to taxpayers and a determination of the lost data. In addition, the CSIRC made modifications to reporting and handling procedures to capture details regarding the types of data elements, the encryption status of each affected asset, and the number of potentially affected individuals.
Second, the Office of Privacy and Information Protection established a cross-functional working group to ensure the appropriate focus on details involving the data and encryption status of each incident. At the same time, the group ensured the reporting and handling of incidents do not violate privacy requirements. The membership of the working group included subject-matter experts from across the IRS (e.g., the Office of Disclosure, the Office of Chief Counsel, the Office of Labor Relations, the CSIRC, and the Office of Privacy and Information Protection).
Physical Security Was Not Adequate Over Computer Equipment
No organization is impervious to theft or loss of computers, especially an organization as large as the IRS with approximately 100,000 employees and over 47,000 laptop computers assigned to its employees. To minimize the risk of theft or loss of computer equipment, the IRS has established basic computer security procedures for its employees. For example, employees are responsible for ensuring security over their laptop computers when not in their possession by storing them in a locked container or physically securing them to immovable furniture with a cable lock when not in use. When in transit, on business trips, or commuting to the workplace, employees shall secure the laptop computer in a vehicle trunk. When traveling by plane, bus, or train, employees shall retain possession of the laptop computer under the seat in front of the employee rather than in an overhead bin. Employees shall not check laptop computers with luggage at airports, leave laptop computers unattended in public places, leave laptop computers in plain view when leaving the hotel room, or leave laptop computers at home where sensitive information can be easily seen.
Despite these security requirements, since 2003 the IRS has been averaging nine incidents per month relating to the theft or loss of computer equipment and/or taxpayer data. Many incidents cannot be prevented; however, because most losses of computer devices and data occur outside of IRS facilities, employees must be particularly cognizant of the risks. The total number of incidents has increased each year, as illustrated in Figure 1.
Figure 1: Number of Incidents of Theft or Loss of Computer Equipment and/or Taxpayer Data (2003 – 2006)
Figure 1 was removed due to its size. To see Figure 1, please go to the Adobe PDF version of the report on the TIGTA Public Web Page.
The projected volume of incidents for 2006 was based on doubling the known volume of 81 incidents from January to June 2006. We believe the recent attention to and current reemphasis on employee responsibility over safeguarding computer equipment and taxpayer data should raise the level of employee awareness, thus reducing the number of preventable incidents. However, understanding the nature and circumstances of the 387 reported incidents may provide insight into how to prevent future losses from occurring. We categorized the 387 incidents by item type, as shown in Figure 2.
Figure 2: Number of Incidents of Theft or Loss of Computer Equipment and/or Taxpayer Data Categorized by Item Type
| Item Type | Number of Incidents[11] | Actual Number of Items |
| Laptop Computers | 345 | 477 |
| Desktop Computers | 10 | 13 |
| Peripherals | 30 | 36 |
| ID Badges or Commissions | 26 | 26 |
| Hardcopy Documents | 22 | 171 |
| Tapes or Portable Drives | 10 | 11 |
| Blackberrys or Cell Phones | 6 | 6 |
| Other or Unknown Items | 8 | 69 |
Source: TIGTA analysis of CSIRC and TIGTA Office of Investigations data.
As Figure 2 illustrates, laptop computers overwhelmingly represent the largest category of lost or stolen items. Because of the portability and monetary value of laptop computers, they tend to be an attractive target for thieves. The lack of physical security provided to these and other computer devices increased the risk that taxpayer data could be lost or stolen and used for fraudulent purposes. For further perspective, we segregated the incidents by the location where the theft or loss occurred, as presented in Figure 3.
Figure 3: Location of Theft or Loss
| Location of Theft/Loss | Number of Incidents | Percentage (Based on 387 incidents) |
| IRS Facility | 111 | 29% |
| Vehicle | 89 | 23% |
| Volunteer Income Tax Assistance Site | 53 | 14% |
| Residence | 35 | 9% |
| Hotel | 11 |