Government scolded for data breach notification delays

The Obama administration in recent weeks has recommended that companies move more quickly to alert customers when their personal data is compromised. Now internal auditors are recommending the federal government listen to its own advice.

In a report released Thursday, the Treasury Inspector General for Tax Administration dinged the IRS for not notifying taxpayers in a timely fashion -- or at all -- when their personal information was inadvertently exposed.

Letters were sent out to victims 86 days after the fact in 20 percent of the breaches, among a sample of 100 incidents between July 2010 and February 2011. The inspector general considers 45 days to be an acceptable lag time. Under draft cybersecurity legislation the White House proposed this spring, companies would have to inform consumers whose personal information has been disclosed within 60 days.

In 5 percent of the IRS leaks evaluated, the agency could not alert taxpayers because agency employees failed to document the identities of the people whose information had been disclosed. Ten percent of the time, IRS officials did not inform affected individuals because the agency's definition of sensitive personal information did not cover the type of tax account information that was compromised.

Officials never told another 21 percent of the victims because the personal data was unintentionally given to state agencies, law firms, payroll processors or people with power of attorney that the IRS believed would not pose a threat.

"Another person's Social Security Number is the most valuable tool an identity thief can obtain to commit financial fraud, and the Social Security Number becomes even more valuable if it is linked to other personal data of the Social Security Number owner, such as information required to prepare a tax return," noted Michael R. Phillips, deputy IG for audit.

He recommended that the IRS adhere to "timeliness" metrics. The agency agreed.
