Katy Independent School District (ISD) was randomly audited by the IRS on August 5th. In order to conduct the audit, the IRS auditor had a flash drive with the names, addresses, birth dates and Social Security numbers of almost 12,000 ISD employees and former employees on it. The problem? It was unencrypted and the auditor lost it. Actually, the reports say the auditor “misplaced” it.
The IRS’ response? “The IRS takes the security of taxpayer information very seriously and actively works with the Treasury Inspector General for Tax Administration when issues involving sensitive information arise.” How about an IRS protocol that prohibits taxpayer information on any mobile devices? How about basic security measures that ensure that an auditor doesn’t use an unencrypted flash drive with thousands of individuals’ SSNs on it?
File this away in the “I don’t make this stuff up” category. The federal government needs to implement security best practices to protect our information if it is going to criticize and enforce best practices on the private sector. Who will protect the teachers of Katy ISD here?
The flash drive has not been recovered, and the ISD is offering the affected individuals three years of credit monitoring. Very nice of the ISD to protect its employees when the incident wasn’t the ISD’s fault.