IRS Faulted on Taxpayer Bankruptcy Info Protection

The Internal Revenue Service needs to do a better job of safeguarding sensitive information about taxpayer bankruptcy petitions, even from its own employees, according to a new government report.

The report, by the Treasury Inspector General for Tax Administration, noted that the IRS learns of bankruptcy cases because taxpayers are required to list their creditors and liabilities whenever they file for bankruptcy protection. The IRS then enters the information into its Automated Insolvency System, which keeps tabs on the legal requirements for dealing with taxpayers, while trying to protect the federal government’s financial interests.

At the IRS’s request, TIGTA examined whether the IRS does enough to restrict employee access to the personal information of taxpayers in the AIS while also ensuring that the government’s interests are protected when taxpayers file for bankruptcy.

The report acknowledged that some access controls are in place on the system, including automatic lockout controls and password complexity settings. However, TIGTA found that several other required access controls have not been implemented or are simply not operating effectively.

TIGTA found that many IRS employees have too many security privileges on the system. IRS managers also did not ensure that the employees’ duties were adequately segregated to prevent and detect unauthorized activities. In addition, the AIS’s inadequate access control scheme caused managers to inadvertently grant unneeded, excessive privileges to employees, according to the report.

TIGTA also found that some significant actions taken by employees on taxpayers’ bankruptcy cases were not logged into the system. That prevents managers from determining which employee changed a taxpayer’s bankruptcy case and which changes were made.

“While TIGTA did not find errors or indications of fraud during its review, excessive employee privileges on the AIS increase the risks that errors, fraud or unauthorized activities could be performed by employees acting alone or in collusion with others,” said TIGTA Inspector General J. Russell George in a statement.

TIGTA made six recommendations to the IRS to limit employee access to the AIS to only those employees who have a business need. The IRS agreed with the recommendations and is taking corrective actions.

“We recognize that a more robust role-based access control scheme needs to be established in order to adhere to the concept of ‘least privilege’ and, to that end, we have begun developing these roles in coordination with our users,” wrote IRS Small Business/Self-Employed Division Commissioner Christopher Wagner.