The Treasury Inspector General for Tax Administration (TIGTA) found through an audit that the IRS needs to do a better job of wiping sensitive taxpayer data on laptop and desktop hard disks.
In addition to not using an approved sanitization product to overwrite sensitive taxpayer data on hard disks, the IRS isn’t annually testing its sanitization equipment and procedures at the Memphis Sanitization Site to verify that the intended sanitization results are being achieved. Further, the IRS’ process to independently verify the sanitization of each laptop and desktop is ineffective.
“The IRS is required to protect the confidentiality of taxpayer information, including taxpayer information stored on laptops, desktops, and smartphones,” TIGTA wrote in an audit report. “Sanitization is a key element in assuring confidentiality. If an unauthorized disclosure of tax or Personally Identifiable Information occurred, it could result in substantial harm, embarrassment, and loss of public confidence in the IRS.”
Between January and March 2021, TIGTA did a statistical interval sample of 87 laptops and desktops from a population of 3,882 sanitized computers. TIGTA found that one computer wasn’t sanitized and two others were missing hard disks. TIGTA projected the sample results to the total sanitized computer population and estimated that 45 computers may not be properly sanitized and 89 computers may be missing hard disks. There were also “six computers in the sample with bad sector error messages, which could potentially allow readable information to be recovered.”
TIGTA made six recommendations for the IRS CIO, including:
- Ensure that IRS only uses approved sanitization products;
- Test sanitization equipment and procedures annually;
- Ensure hard disks that weren’t sanitized or that had bad sector errors are degaussed or destroyed;
- Make sure hard disks separated from their respective computers are properly accounted for throughout the sanitization process;
- Clarify guidance to further define accounting for damaged or missing hard disks; and
- Ensure hard disk sanitization results are independently verified using an approved verification software tool.
The IRS agreed with all the recommendations and plans to purchase and implement approved sanitization tools; implement annual testing of Memphis sanitization tools and procedures; degauss or destroy hard disks identified during the review that weren’t sanitized; implement procedures to account for hard disks separated from their computers; revise the standard operating procedures to clarify and further define procedures to account for damaged or missing hard disks; and evaluate the Memphis hard disk sanitization process.
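The two findings that drive the verification recommendation, sectors that still hold data and sectors that cannot be read, are what an independent check has to report separately. The following is an added illustration, not a TIGTA or IRS tool: it assumes 512-byte sectors, a final overwrite pass with a known fill byte, and a `read_sector` callback (the constructed in-memory disk and the `os.pread` reader are both assumptions for demonstration), and it fails a device on either condition, as the audit treats bad sectors as a potential leak.

```python
import os

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors

def verify_sanitization(read_sector, total_sectors, fill=0x00):
    """Independently check every sector of a wiped device.

    read_sector(n) must return SECTOR_SIZE bytes or raise OSError for an
    unreadable (bad) sector. Sectors that still differ from the fill
    pattern and sectors that cannot be read are reported separately;
    either one means the device is not verified.
    """
    expected = bytes([fill]) * SECTOR_SIZE
    unwiped, unreadable = [], []
    for n in range(total_sectors):
        try:
            data = read_sector(n)
        except OSError:
            unreadable.append(n)  # bad sector: contents unknown, cannot be certified
            continue
        if data != expected:
            unwiped.append(n)     # overwrite did not reach this sector
    return {
        "sectors": total_sectors,
        "unwiped": unwiped,
        "unreadable": unreadable,
        "verified": not unwiped and not unreadable,
    }

def reader_from_path(path):
    """Sector reader over a real block device or image file (assumed Unix, uses os.pread)."""
    fd = os.open(path, os.O_RDONLY)
    return lambda n: os.pread(fd, SECTOR_SIZE, n * SECTOR_SIZE)

def make_constructed_disk(sectors, dirty=(), bad=()):
    """Constructed in-memory 'disk' for demonstration, not a real image."""
    blocks = [bytes(SECTOR_SIZE) for _ in range(sectors)]
    for n in dirty:
        blocks[n] = b"TAXPAYER DATA   " * (SECTOR_SIZE // 16)  # constructed leftover data
    def read_sector(n):
        if n in bad:
            raise OSError(5, "Input/output error")  # simulated bad sector
        return blocks[n]
    return read_sector

if __name__ == "__main__":
    disk = make_constructed_disk(1000, dirty=[17], bad=[999])
    print(verify_sanitization(disk, 1000))
```

Run against a real device with `verify_sanitization(reader_from_path("/dev/sdX"), total_sectors)`, where `total_sectors` comes from the device's reported size.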