There’s an update on a breach first disclosed in March that involved an IRS employee who took data home and uploaded it to his unsecured home network, where it was discovered by a security firm. It seems that the employee was subsequently charged criminally over the breach, but has been found not guilty. Jim McElhatton explains:
A federal jury in Maryland found Carl Sheerer not guilty of misdemeanor charges, rejecting prosecutors’ effort to punish someone for a breach discovered by a private security firm last year.
Mr. Sheerer, an IT employee who handled identification badge computer systems in three states, stored backed-up IRS data on a thumb drive, then placed it on a file transfer protocol server at his house in Maryland, according to the evidence.
From there, the information was indexed by Google and made public, though there’s no evidence anyone other than a security firm researcher stumbled across the data.
Mr. Sheerer’s attorney, Daniel Wright, said in an interview after the trial last week that prosecutors couldn’t produce any evidence that the data breach was intentional.
“Prosecutors also did not produce evidence that anyone’s identity was stolen or that anyone other than the New York employee had ever accessed the data,” he said.
Read more on Washington Times.
If employees were charged with misdemeanors every time their failure to follow policy resulted in a breach or potential breach of personal information, our courts would be overwhelmed. Wouldn’t it be more effective to look at IRS’s controls for preventing this kind of downloading to portable devices?