Background. IRS employees reported the loss or theft of nearly 500 computers and other sensitive data in 387 separate incidents from 2003 through June 13, 2006. Many of these computers were laptops stolen from vehicles and employees' residences, but 111 computers were stolen at IRS offices. General Accounting Office (GAO) investigators believe that many of the computers contained unencrypted sensitive data, including taxpayer data and employee personnel data, because IRS employees failed to follow encryption procedures.
The GAO also found that backup data stored by the IRS at four offsite facilities were not encrypted or adequately protected. For example, at one site, non-IRS employees had full access to the storage area and the IRS backup media.
Relevance to church leaders. The GAO had several recommendations for the IRS, including the following:
(1) refine incident response procedures to ensure sufficient details are gathered regarding persons potentially affected by a loss;
(2) periodically remind employees of their responsibilities for protecting computer devices;
(3) consider purchasing computer cable locks for employees' laptop computers;
(4) periodically publicize an explanation of employees' responsibilities for preventing the loss of computer equipment and data;
(5) require managers to periodically check their employees' laptop computers to ensure encryption solutions are being used;
(6) consider implementing a systemic disk encryption solution on laptop computers that does not rely on employees' discretion as to what data to encrypt;
(7) require system administrators to check security configurations when servicing computers; and
(8) implement procedures to encrypt backup data sent to offsite facilities.