The IRS has been slowly working to better protect your data for nearly ten years now. But they still haven’t implemented every protection that they said they would.
The IRS launched the Safeguarding Personally Identifiable Information Data Extracts Project back in 2010, and now nine years later, they’ve only completed the first phase.
The Treasury Inspector General for the Tax Administration (TIGTA) has subsequently filed a full report to review both the measures implemented so far and the reasons why the remaining phases have not been completed.
This program was to be responsible for deploying a range of data loss prevention solutions, in recognition of how prevalent data breaches already were when the program was launched.
The first phase (so far, the only phase completed) is known as “Data-In-Motion”, a component that reviews unencrypted email and attachments, file transfers and web traffic for types of personally identifiable information used by the IRS. When it detects this type of data, it automatically blocks its “exfiltration”.
TIGTA’s review of this component found that it was a generally effective effort, helping to minimize both the accidental and malicious sharing of personal data by IRS employees.
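A minimal sketch of the kind of content inspection a Data-In-Motion component performs, added here as an illustration and not the IRS’s or any vendor’s code: it scans an outbound email for Social Security number patterns and blocks the message when a match is headed to an external recipient. The choice of SSNs as the PII type, the `agency.example` domain, the function names and the sample message are all assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Nine digits, optionally split 3-2-4 by one consistent separator ('-' or ' ').
SSN_RE = re.compile(r"(?<!\d)(\d{3})([- ]?)(\d{2})\2(\d{4})(?!\d)")

SAMPLE = (  # constructed message, not real data
    "From: clerk@agency.example\n"
    "To: Pat <pat@mail.example>\n"
    "Subject: records\n"
    "\n"
    "Taxpayer SSN is 123-45-6789, callback 555-123-4567.\n"
)

def valid_ssn(area, group, serial):
    """Drop number ranges never issued as SSNs, to cut false positives."""
    # 9xx is the ITIN range; a real policy would match that separately.
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"

def find_ssns(text):
    """Return masked matches so the detector's own log never stores the PII."""
    return ["***-**-" + m.group(4) for m in SSN_RE.finditer(text)
            if valid_ssn(m.group(1), m.group(3), m.group(4))]

def inspect_outbound(raw_message, internal_domain="agency.example"):
    """Block a message that carries an SSN to any recipient outside the domain."""
    msg = message_from_string(raw_message)
    headers = msg.get_all("To", []) + msg.get_all("Cc", [])
    external = [addr for _, addr in getaddresses(headers)
                if not addr.lower().endswith("@" + internal_domain)]
    texts = [msg.get("Subject", "")]
    for part in msg.walk():  # body plus any text attachments
        if part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            texts.append(payload.decode("utf-8", "replace"))
    hits = find_ssns("\n".join(texts))
    action = "block" if hits and external else "allow"
    return {"action": action, "external": external, "hits": hits}

if __name__ == "__main__":
    print(inspect_outbound(SAMPLE))
```

The phone number in the sample is not flagged because it does not fit the 3-2-4 digit grouping, and the same message sent only to an internal address is allowed.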
Regardless of how effective the first phase has been, the IRS has encountered continued delays in attempting to launch other components of the project. This lack of progress has kept them from harnessing the data loss prevention capabilities originally expected of the project.
“The causes of the delays include technical, project management and administrative issues,” said the report. “Because of the delays, two key components involving data in repositories and data in use are still not operational more than eight years after the project started. Without these components, personally identifiable information continues to be at risk of loss. The delays have also resulted in the inefficient use of resources of approximately $1.2 million in software costs for the components that are not operational.”
While TIGTA has recommended that the Chief Information Officer of the IRS deploy the rest of the components outlined in the project, it appears that negotiations with the IRS labor union have slowed the process down.
Before they can move forward with the project, the IRS is required to reach a formal agreement with the National Treasury Employees Union. Progress was last made in 2014 when a memorandum of understanding was approved. It’s these negotiations that IRS management claims caused the delays in implementing the project.
The IRS has also agreed to all of TIGTA’s recommendations outlined in their report. They claim that they will deploy the remaining components of the project – but they made the same claim back in 2010. Who’s to say when they will actually follow through?
There’s a lesson to be learned here – if even the IRS can’t make progress on their data loss prevention efforts, how can you be sure that anyone else in possession of your data is doing so?
It’s easy to assume that an organization as big as the IRS would have launched and maintained an effective data loss prevention program years ago. The reality? They tried, but haven’t made much progress on it in the past decade.
This just goes to show that you can’t make any assumptions when it comes to the protection of your personal information, whether it’s how you’re protecting your personal information or how your Denver IT company is protecting your business’ data.
You can never be too safe…
Unfortunately, you can’t opt out of the IRS’ services, or have them expunge your data from their servers. No matter how bad a job they’re doing in protecting your personal information, you have to leave them to it.
But that doesn’t mean you can’t do more to protect your personal information elsewhere, where you have more control:
1. Use Strong Passwords
Passwords remain a common cybersecurity weakness because of the careless way employees go about trying to remember their login information. Unfortunately, many users often opt for a weak password that’s easy to remember, rather than a strong one they’ll forget.
The good news is that there is a way to get the best of both worlds – with a password manager. A password manager generates, keeps track of and retrieves complex and long passwords for you to protect your vital online information. It also remembers your PINs, credit card numbers and three-digit CVV codes if you choose this option.
2. Use A VPN
When you use a Virtual Private Network (VPN), your data is encrypted, or hidden, as it moves from your device to the VPN and then continues onto the Internet through what’s called an exit node.
That makes it harder for an attacker to identify you as the source of the data – no matter whether you’re on your mobile device’s data connection, or using an unsecured retail Wi-Fi network while you’re in line for coffee.
3. Don’t Overshare
Always double-check what you may be sharing on social media. With the wrong security settings, anyone can see what you post, including personal information that may make it easier for them to guess your passwords, answer your security questions, and pose as you online.
4. Stay Up To Date
Did you know that one of the most common ways that cybercriminals get into a network is through loopholes in popular software? Much of the software you rely on to get work done every day could have flaws (vulnerabilities that attackers can “exploit”) that leave you open to security breaches.
To address this, developers regularly release software patches and updates to fix those flaws and protect users. This is why it’s imperative that you keep your applications and systems up to date.
5. Don’t Trust Technology
Always be skeptical of technology you’re using. After all, it’s a product meant to be sold, and so, the top priority is often user experience, not user security.
Here’s an example – when it comes to Wi-Fi connectivity settings, would you prioritize security or convenience? On one hand, it’s much more convenient to users if the device in question is configured to automatically connect to open and available Wi-Fi hot spots.
But that’s not very secure, is it?
That’s why it’s your responsibility to make up the difference if you actually want to maintain a higher level of security.
Don’t forget – when it comes to your business data (private employee and client information), it’s your responsibility to make sure your IT company in Denver is up to the task. Find out what types of security measures they have in place, which best practices they follow and don’t settle for any excuses or delays.