Every large organization loses laptops, but when those laptops contain the personal tax information of millions of Americans, it's a big deal. Big enough that the Treasury Department's Inspector General for Tax Administration looked into the problem, and released a report on the Internal Revenue Service's penchant for losing machines filled with unencrypted tax data. "As a result," writes the report's author, Michael Phillips, "it is likely that sensitive data for a significant number of taxpayers have been unnecessarily exposed to potential identity theft and/or other fraudulent schemes."

How bad is the situation? When inspectors looked into the matter, they found that 490 laptops had been reported stolen between January 2, 2003 and June 13, 2006. Unfortunately, because reporting procedures for stolen laptops were often not followed, there isn't a real way to know whether this number is accurate.

490 laptops sounds like a lot, but the IRS currently has more than 47,000 in operation, and has no doubt used many more than that over the last few years. The report does not suggest that the agency try to cut losses to zero, but instead that it take better precautions. When thefts do occur, taxpayer data should be protected. Instead, inspectors found that "a large number of the lost or stolen IRS computers contain similar unencrypted data," and that employees routinely used flash drives, CDs, and DVDs to cart unencrypted data around with them.

The report also points out that physical security is important. 111 laptops were stolen right out of IRS facilities; if these were stored in lockable cabinets while employees were out, theft could be reduced significantly. Many of the remaining laptops were stolen out of vehicles or employee homes, suggesting that "employees may not have secured their laptop computers in the trunks of their vehicles or locked their laptop computers at home."

The problems even extended to off-site data backups, where backup media were often unsealed and open to anyone in the building. In one case, "one employee who retired in March 2006 had full access rights to the non-IRS off-site facility when we visited in July 2006."

IRS management has agreed with the findings of the Inspector General and has pledged to implement the report's recommendations. The report does note, however, that the IRS was warned about unencrypted data back in 2003 but did not take "adequate corrective actions." Here's hoping that more is done this time around. Actually paying my taxes is painful enough; having my identity stolen because of it would be rage-inducing.