Report: IRS protected taxpayer data during flood

Auditors also find that several computer servers were removed from the agency’s headquarters before an asset-tracking system was put in place.

A recent audit of the Internal Revenue Service's response to flooding last summer at its Washington headquarters found that while officials protected taxpayer data satisfactorily, it took several days for them to set up a system to track computers that were removed from the building.

From the start of the "rare tropical deluge" that soaked the agency's headquarters the evening of June 25, 2006, the building was adequately protected by security guards, the report from the Treasury Inspector General for Tax Administration stated. The storm left the building's sub-basement under more than 20 feet of water, and the basement under five feet.

Taxpayer data stored in the basement and damaged in the flooding was properly protected and disposed of, the IG found.

The IRS spent about $50,000 on overtime to quickly set up a temporary computer infrastructure for the 2,200 agency employees displaced after the flooding, the report stated. The building did not reopen until Dec. 6. All displaced employees had computer service a month after the disaster, and the IRS did not request additional funding, according to the IG.

But while auditors commended the IRS' overall efforts, they found that the agency was not timely in beginning to track computers that were removed from headquarters.

Everyone entering the building after the flood to retrieve personal items, files or computers was required to sign in and out, but the agency's incident management plan did not include procedures for recording the location of computer equipment. It took five days for IRS officials to implement an asset-tracking process, the report noted.

On June 30, the IRS also mandated that computer equipment, such as desktop computers, laptops and servers, had to stay put unless officials moved the items under controlled and secure conditions.

But in the days before these procedures were established, there was the potential for mix-ups, the IG found.

For example, seven servers that the wage and investment division used were removed three days after the flooding began without the approval of the agency's Modernization and Information Technology Services organization, which was responsible for restoring the building's computer infrastructure.

After discovering that the servers were stored overnight in a non-IRS building, IT officials ordered them to be moved to an IRS facility.

On June 28 and June 29, the criminal investigation division's computer staff moved 41 computer servers from the building, using a rental truck. Division officials told the IG that computer assets were always under the division's control and were secure at all times.

The tracking policies established five days after the flood required employees to retroactively document the items they removed from the building, the IG said. That resulted in 148 employees reporting that they took 104 computers from the building between June 26 and June 29. In total, employees removed 627 computers, including 464 laptop computers.

An IRS records inventory for the building as of Aug. 15 showed that nearly half the servers assigned to the headquarters building had not been scanned or modified after the flood, the report stated. While it is likely that many of these servers remained inside the building, the auditors said they could not be sure because of the lag before the asset-tracking system was in place.

Officials with IRS' agencywide shared services division agreed with the findings and said they have implemented the auditors' only recommendation, which was to include an asset-tracking system in all IRS building incident management plans.

The audit is the first of three TIGTA reports requested by the Senate Finance Committee on this incident.