New report highlights security risks to taxpayer information
Washington, D.C. – A new report from the U.S. Government Accountability Office (GAO) highlights both new and longstanding unresolved security risks to the safety of confidential taxpayer information at the Internal Revenue Service (IRS). The report, requested by U.S. Senate Finance Committee Ranking Member Mike Crapo (R-Idaho) and U.S. House Ways and Means Committee Chair Jason Smith (R-Missouri), identifies dozens of security weaknesses at the agency, many of which have been known to the IRS for years, and makes recommendations aimed at safeguarding and protecting taxpayer information. The report was originally requested following the unauthorized disclosure of private, legally protected information from the IRS to ProPublica—an incident about which little has been revealed, even though more than two years have passed since that leak.
“From serious breaches of confidential taxpayer data and document mismanagement to poor cybersecurity training and infrastructure vulnerabilities, the IRS has a decades-long and troubled history with adequately protecting American taxpayers’ information. Now, in addition to tax collector and enforcer, the agency wants to act as tax preparer, despite the evidence showing it is unprepared to be trusted with such responsibility,” said Crapo. “Instead of devoting time and resources to developing new federal programs that would collect and expose even more sensitive information from taxpayers, the IRS should instead focus on addressing the security weaknesses identified by the GAO and Treasury Inspector General for Tax Administration (TIGTA) and improving its woeful customer service.”
“As this report illustrates, the IRS has repeatedly squandered the public’s trust by failing to protect taxpayer privacy and in some cases willfully ignoring recommendations that would have increased taxpayer information security. President Biden’s solution is to reward the IRS with an $80 billion pay raise to increase audits on working families, while doing very little to shore up the vulnerabilities that put taxpayers at risk,” said Smith. “Meanwhile, as the IRS works to establish a new e-file system that would make the agency tax preparer, collector, and auditor, the public is no closer to learning who is responsible for the politically timed ProPublica leak of confidential taxpayer information. This report is further proof that the IRS does not need a raise; it needs a reckoning.”
Among the GAO report’s findings:
Since 2010, the IRS has failed to implement 77 GAO recommendations targeted at safeguarding taxpayer information, including multiple recommendations that have been open for more than seven years and two high priority recommendations that would “significantly improve” data protection.
Addressing GAO recommendations that the IRS has failed to resolve “could help IRS better manage system security risks, implement safeguards to ensure protected service delivery, and identify cybersecurity events and incidents.”
Despite having been repeatedly directed to do so by both GAO and TIGTA for a number of years, the IRS still lacks controls and logging and monitoring capabilities on all its systems containing confidential taxpayer data that would allow it to identify persons who have accessed such data without authorization, and its current plans will not have many key controls in place until July 2024 at the earliest.
Since 2009, the IRS has been operating a system used by one of its enforcement units focused on affluent taxpayers without having developed an authorization to operate or system security plan for it, “creating a risk of unauthorized access or disclosure to taxpayer information” for those taxpayers whose information is collected by this system.
Two IRS research and analysis systems with access to troves of taxpayer data and more than one thousand active users, including non-federal employee researchers, retain taxpayer information far longer than authorized by IRS Records Control Schedules, taking them out of compliance with National Archives and Records Administration recordkeeping requirements. Keeping these data longer than allowed exposes them to disclosure.
The IRS only recently implemented key safeguards to protect taxpayer information. For example, it was not until July 2022 that the IRS began limiting the functionality of its workstations and laptops to prevent employees from removing IRS data from its network by saving it to external devices.
The IRS did not begin requiring senior management approval to access certain sensitive information in one of IRS’s databases until April 2022.
Vast discrepancies exist between the rates at which IRS employees and contractors complete data protection training, largely due to the IRS not setting training completion goals for contractors.
In addition to highlighting the dozens of prior recommendations the IRS has thus far failed to implement that could “significantly improve IRS’s ability to safeguard taxpayer information,” the GAO also makes 15 new recommendations to the IRS, including to: establish agency-wide training completion goals for contractors; maintain a comprehensive inventory of systems that store taxpayer information; and risk-assess its methods of transferring data to contractors.