The Internal Revenue Service (IRS) is not adhering to its own internal guidelines to safeguard sensitive tax information when it’s shipped between its tax processing centers, according to a new report.
The Treasury Inspector General for Tax Administration (TIGTA) released the report this week, presenting the results of its review of the IRS’s compliance with certain policies and procedures. The review examined the IRS guidelines that apply when employees request paper tax documents stored outside of their tax processing center and obtain them using a private delivery service. Those centers are in Kansas City, Missouri; Austin, Texas; and Ogden, Utah.
The overall objective was to assess the IRS’s delivery tracking procedures for federal tax information. The inspector general reviewed a sampling of 50 packages out of 599 instances of IRS employee-reported tax document losses during the period October 2019 to August 2022. They found that “the lack of documentation identifying the specific taxpayers whose tax information is included in a lost package has impacted the IRS’s ability to notify and protect taxpayers.”
The TIGTA shared this example:
During the period August to November 2022, TIGTA conducted on-site inspections of 31 incoming packages with large quantities of sensitive taxpayer information received via private delivery carrier at the Tax Processing Centers. Twenty-two of the 31 packages did not include copies of the completed Forms 3210 [tracking documents]. Further, TIGTA conducted inspections of 40 packages with large volumes of sensitive taxpayer information that were ready for shipment from the Tax Processing Centers via private delivery carrier. Thirty-nine of the 40 packages did not include copies of the completed Forms 3210. Further, Submission Processing Files function managers at the three Tax Processing Centers are not completing the required quarterly audits of the Forms 3210 Acknowledgment process to ensure compliance with internal guidelines.
The report also found that the Privacy, Governmental Liaison, and Disclosure Office (PGLD/IM) doesn’t “notify businesses or place a data breach indicator on business tax accounts when packages with sensitive business tax information are lost.”
IRS internal guidelines require agency “employees to immediately report, upon discovery, all instances of lost mailed packages to the IRS PGLD/IM Office as well as the Treasury Inspector General for Tax Administration (TIGTA).”
Once the reported loss is received, the PGLD/IM reviews the loss information and performs a “risk analysis that evaluates the likely risk of harm for all reported IRS data breaches, based on standardized factors and ratings criteria.” The results of the risk analysis are then assigned one of four recommended levels of response to determine when, what, how, and to whom notification of a data breach must be given:
- No Impact – The loss of confidentiality, integrity, or availability could be expected to have no adverse effect on organizational operations, organizational assets, or individuals.
- Low Impact – The loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
- Moderate Impact – The loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
- High Impact – The loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
The IRS only offers individual identity protection and monitoring services for lost sensitive tax information that is considered a high-impact loss.
The inspector general’s report concluded with recommendations, including that Form 3210 be completed and included in all packages so actions can be taken to protect taxpayers when a shipment is lost. IRS management responded to the recommendations with plans to issue reminders that employees include the form with tax information shipments and to send periodic email communications to ensure that tracking-document form reviews are being performed. The IRS also agreed to update its Data Breach Response Plan to reflect that losses associated with a business are not automatically categorized as low risk.
This report’s findings expose at the very least that the agency is incompetent and reckless. The results will most likely be additional ammunition for congressional Republicans to use as they seek to defund the IRS — if not abolish the agency altogether, with some reportedly wanting to replace the entire federal tax code with a national sales tax.