Is the government putting data at risk?
Data protection is this month’s Special Focus. It was also the focus of yet another congressional hearing recently. Unfortunately, the people charged with implementing protections still do not focus on it sufficiently, especially when it comes to information we entrust to government agencies.
The number of people reporting tax- and employment-related identity theft increased more than 200 percent from 2002 to 2007—rising to 56,000, according to the Federal Trade Commission. That likely understates the problem, however. The IRS only implemented tracking this year, and Nina Olson of National Taxpayer Advocate (NTA) noted at the congressional hearing that the information NTA looks at indicates “the problem is far more widespread than the available IRS data suggest.”
On the same day the hearing took place, The Washington Post reported another theft of government laptop computers with the Social Security numbers of individuals—this time it involved at least 1,200 participants in a National Institutes of Health (NIH) study.
One of those victims was Rep. Joe Barton (R-TX). I have nothing against Mr. Barton, but that theft may be good news in that nothing so inspires people to look for a cure as actually contracting the disease. If more members of Congress had their identities stolen, you’d see protection laws passed faster than earmarks can be added to an appropriations bill.
It is truly disgraceful that the IRS, to which citizens must hand over their most private and detailed financial information, remains, as Senator Charles E. Grassley (R-IA) said at the hearing, “vulnerable to outside hackers and rogue employees who seek to improperly access taxpayer data.”
Moreover, the IRS has been cavalier about the problem: it has not promptly notified victimized taxpayers, has ignored red flags, and has been generally slow to respond to the issue. While the agency reported on efforts to improve its performance, the inspector general (IG) noted that the IRS is nonetheless putting in a new computer system that gives it no ability to track who accesses taxpayer records, which the IG called “an unacceptable major control weakness.” A professional tax preparer who testified noted that a separate issue is “how easy it is to print anyone’s W-2 off the Internet.”
Grassley plans to introduce a bill to help individuals block illegal access to their Social Security numbers, and he recommends that the IRS implement an identity verification system to protect taxpayers from fraudulent tax returns.
It would also help if existing policies were enforced. In cases at the IRS and the NIH, it turns out that users weren’t following data protection procedures. It also came out in the NIH case that the government hasn’t approved any software that can encrypt data on the Macintosh computers favored by the agency’s scientists.
The problem will continue to escalate until it is given the focus it deserves.