Inland Revenue laptops, some of which are expected to be among 106 computers that could not be accounted for in a department asset check, are not encrypted to protect any data they might contain.
An Inland Revenue spokeswoman says Hewlett-Packard provides the department’s laptops and these contain TPM (Trusted Platform Module) functionality. However, she adds the department is “currently considering implementing this improved encryption capability”, indicating it has not already done so.
TPM is a specification for securely storing information and for securely generating cryptographic keys.
The spokeswoman says Inland Revenue does have levels of security around its notebook computers.
“This includes power-on BIOS password and layers of authentication to protect access to sensitive information,” she says. “Our policy is not to store taxpayer information on local drives.”
National Party MP Gerry Brownlee asked questions in Parliament recently about the missing computers, asking what security was loaded on them and how much personal information was at risk. Revenue Minister Peter Dunne said he did not believe the computers had been stolen.
An asset check in April 2006 failed to account for the computers. The department says of the 106, 32 were considered obsolete. They may have been disposed of or destroyed but the asset register was not updated.
“Of the other computers, they could be laptops being used out of the office at the time the verification occurred or they could currently not be used and stored out of sight, or computers whose serial numbers have not been recorded correctly, or computers under repair,” IRD says.
The issue comes on the back of a report from the US that its Internal Revenue Service had around 500 laptops lost or stolen, which may have exposed the personal information of around 6000 taxpayers to identity thieves.
An audit found that between January 2003 and mid-June 2006, a “large number” of laptops were stolen from the vehicles and homes of IRS employees, while 111 were stolen from agency facilities.
Although auditors were unable to determine exactly what information was contained on the missing laptops, they did conclude that personal information of taxpayers is not adequately protected.
“We conducted a separate test on 100 laptop computers currently in use by employees and determined 44 laptop computers contained unencrypted sensitive data, including taxpayer data and employee personnel data,” the report says. The audit noted that similar findings were reported in July 2003. Since then, it said, “the IRS had not taken adequate corrective actions.”