A number of Internal Revenue Service contractor employees who did not undergo the required background checks had access to taxpayer data, according to a new government report.

The report, from the Treasury Inspector General for Tax Administration, noted that IRS policy requires background investigations for contractor personnel who have or require access to Sensitive But Unclassified (SBU) information, including taxpayer information.

TIGTA found that taxpayer data and other SBU information may be at risk due to a lack of background investigation requirements in five contracts for courier, printing, document recovery and sign language interpreter services. For example, in one contract for printing services, the IRS provided the contractor a compact disk containing 1.4 million taxpayer names, addresses, and Social Security numbers. None of the contractors who worked on this contract were subject to a background investigation.

In addition, TIGTA found 12 service contracts for which employee background checks were required by the contract. However, some contractors did not have interim access approval or final background investigations before they began working on the contracts. TIGTA also identified 20 contracts for which some contractors did not sign nondisclosure agreements. The IRS subsequently issued more explicit guidance requiring the execution of nondisclosure agreements.

“Allowing contractor employees access to taxpayer data without appropriate background investigations exposes taxpayers to increased risk of fraud and identity theft,” said TIGTA Inspector General J. Russell George in a statement.

The overall objective of TIGTA’s review was to determine the effectiveness of the IRS’s controls to ensure that background investigations were conducted for contractor personnel who had access to SBU information. TIGTA did not review whether unauthorized contractor employees obtained or misused taxpayer data.

TIGTA made five recommendations to the IRS, including ensuring that the types of service contracts identified in the report have appropriate security provisions and that associated contractor employees have an appropriate interim access approval or final background investigation prior to beginning work on the contract. TIGTA also suggested the IRS implement enhanced policies and procedures for emergency procurements, and provide training for program office and procurement staff on contractor security requirements. The report also stressed the necessity for contractor employees to sign nondisclosure agreements prior to working on a contract.

Finally, TIGTA recommended that the IRS’s Office of Chief Counsel work with the Treasury Department’s Security Office to review the waiver currently in place that exempts contracted expert witnesses from background investigations and determine if the waiver is still appropriate in the current security environment.

The IRS agreed with four of TIGTA’s recommendations, but disagreed with the final recommendation to review a waiver that exempts expert witnesses from background investigations.

“After careful review of Recommendation 5, Chief Counsel is of the opinion that there is no need to revisit the waiver with regard to expert witnesses issued by the Treasury Security Office,” wrote J. Stuart Burns, chief of agency-wide services at the IRS. “These witnesses do not obtain staff-like access to IRS facilities and systems. Each expert signs a nondisclosure agreement (NDA) to make them aware of their responsibilities for maintaining confidentiality of taxpayer or SBU information. In addition to deter[ring] noncompliance, the consequences of unauthorized disclosure are outlined in the NDA. The SBU data to which they are exposed is limited and only relevant to the case in hand. The attorney responsible for the litigation carefully conducts an investigation to ensure that there is nothing in the expert’s background which could be damaging to his or her credibility.”

TIGTA nonetheless said it believes that waiving the background investigation requirement presents a security risk.