I became more involved in security auditing and infrastructure hardening in the past 3 years. I understand there are US tax laws that say tax data should only be accessible by US personnel within the US.
Over the past year my company has hired thousands of India-based employees and a few of them have access to all data in Azure, which certainly holds PII and tax data. I've basically been told to stand down, don't bring it up, this is a sensitive topic. Is there an authority I can contact to report this outside of my organization anonymously? I don't even really care that this might not impact me on an audit as this is a company decision to allow it, and not a security concern that I can control, but I certainly do not enjoy being in meetings where we tell people "you cannot access this, you are outside of the US," while in that same meeting there are 3 or 4 people in India with the access. It makes no sense and certainly violates tax data privacy laws, right?
Maybe I don't understand the tax privacy data laws and this is an overreaction?