Attorney General, Auditors Conclude DRS Failed To Safeguard Tax Info, Contributing To Loss Of 106,000 Taxpayers' Private Financial Data In Laptop Theft

October 13, 2009

Attorney General Richard Blumenthal and Auditors of Public Accounts Robert G. Jaekle and Kevin P. Johnston today issued a report concluding the state Department of Revenue Services (DRS) failed to properly manage and safeguard taxpayer information, contributing to loss of 106,000 taxpayers' confidential data when an agency laptop was stolen in 2007.

Blumenthal and the auditors found that DRS at the time of the theft failed to properly track and secure electronic files containing sensitive taxpayer information and lacked policies and procedures for responding to data breaches.

The report also found that DRS employees could access taxpayer data with few restrictions and little oversight, failed to prohibit downloading of sensitive information onto laptops and desktop computers and failed to encrypt laptops. The agency treated employee snooping as a personnel matter instead of reporting it to police and affected taxpayers.

Blumenthal and the auditors concluded that DRS botched its initial response to the theft, failing to find out for five days after the laptop was reported stolen that it contained the personal financial information of 106,000 taxpayers.

Blumenthal said, "Commendably, DRS has fixed many of the deficiencies that caused this incident. It has spent more than $1 million addressing the breach and providing identity protection to affected taxpayers. No taxpayers have been reported victims of identity theft as a result of the data breach, but they may still be at risk, so all should be aware and alert to unexplained credit card charges and bank account withdrawals.

"DRS has addressed many shortcomings, but still needs to do more: improve training for employees to spot and address data breaches; continue to better secure electronically stored taxpayer data; further reduce use of taxpayer data to test new computer programs; and more promptly notify taxpayers and law enforcement if agency employees improperly access taxpayer data.

"Before learning hard lessons, DRS was cavalier and careless, creating conditions that contributed to loss of 106,000 taxpayers' highly confidential financial information. The agency neglected to know where sensitive data was stored or whether it was secure. Employees could causally roam electronic files with little consequence -- accessing other computers, with no reliable record of their visits. The agency failed to prohibit downloading of private financial information onto desktops and laptops and to encrypt sensitive data, causing potentially catastrophic loss when the computer was stolen.

"DRS botched its initial response to the theft, discovering five days after the fact that the computer contained private information of more than 106,000 taxpayers. Inexcusably, our tax agency exposed more than 100,000 taxpayers for nearly a week to possible plundering of personal assets.

"I am pleased that DRS heeded our calls for reform, introducing tougher and tightened policies and procedures to secure and safeguard taxpayer information. I applaud the agency's significant steps correcting failures and weaknesses identified by our report. More needs to be done. I will continue to vigilantly and vigorously monitor state agencies' protection of confidential consumer data, seeking to assure it is safely stored."

The report found that DRS employee Jason Purslow took an agency laptop with him during a weekend family trip to Long Island to test new software. DRS personnel had downloaded the contents of Purslow's desktop computer into the laptop, but neither they nor Purslow checked to see whether the downloaded information included personal financial data for 106,000 taxpayers.

On the evening of Friday, August 17, 2007, the laptop was stolen from Purslow's car in his hotel parking lot. The next day, Purslow informed senior DRS managers during a conference call.

Purslow and DRS officials, however, did not realize until Wednesday, August 23 that the laptop contained the confidential taxpayer information. By August 31, DRS had notified all affected taxpayers.

In October 2007, Purslow was suspended 30 days without pay.

Blumenthal and the auditors reviewed DRS' subsequent investigation of the incident and concluded that the agency handled it properly.

Since loss of the laptop, DRS has:

• Implemented stronger restrictions and controls on access and storage of taxpayers information;

• Introduced procedures for data breaches and toughened policies protecting sensitive data;

• Encrypted laptops and mobile storage devices.