The IRS's new Taxpayer Secure Email Program turns out not to be so secure.

J. Russell George

The Internal Revenue Service needs to do a better job of safeguarding sensitive taxpayer information when it communicates with people via email under a new pilot project that is actually called the Taxpayer Secure Email Program, according to a new government report.

The report, by the Treasury Inspector General for Tax Administration, noted that the IRS began using email to communicate with a small number of corporate taxpayers in 2007 and subsequently began sharing sensitive information with more than 200 corporate taxpayers.

Prior to 2007, the IRS prohibited sending sensitive but unclassified data in emails to taxpayers or taxpayers’ representatives. IRS procedures directed employees to not send sensitive data by email to parties outside of the IRS or the Treasury Department, even if the other party used encryption software. The IRS cited the risks to taxpayers’ privacy as the reason for the policy.
TIGTA reviewed whether the IRS’s controls, policies and procedures adequately protected taxpayers’ data, guarded against email threats to the IRS network, and ensured email practices were compliant with federal regulations.

TIGTA found that while the IRS has installed antivirus software on employees’ computers, it has not implemented other security controls, such as an automated tool to detect and prevent sensitive data in unencrypted emails from being transmitted outside the IRS. In addition, some employees and taxpayers are not encrypting their emails that contain sensitive data. Further, IRS procedures and training lack adequate guidance for employees to report violations.

“As electronic mail presents one of the highest security risks to an organization’s sensitive data and computer networks, the IRS must be extremely careful in implementing new programs that allow email communication with taxpayers,” said TIGTA Inspector General J. Russell George in a statement. “Employees and taxpayers must work together to ensure the security of all email messages. The risk to taxpayers’ sensitive data is simply too great to do otherwise.”

TIGTA made nine recommendations to the IRS, including developing additional procedures for employees to report secure email program violations and informing taxpayers of the specific risks associated with transmitting unencrypted email with sensitive data. The IRS agreed with six of the recommendations and partially agreed with three.