IRS Contractors Put Taxpayer Data at Risk

A government report found security weaknesses at the facilities operated by eight Internal Revenue Service contractors, placing confidential taxpayer information at risk of unauthorized access and disclosure.

The IRS regularly provides taxpayer data to contractors who store and process the data at contractor facilities outside of IRS offices, according to a report by the Treasury Inspector General for Tax Administration. However, TIGTA inspectors found that the IRS does not always ensure that contractors are complying with IRS security policies and procedures and protecting taxpayer information. Moreover, IRS procedures do not even identify all of the contractors who process, store or house confidential taxpayer information at their facilities.

In its review, TIGTA also found that security weaknesses identified by the IRS at contractor facilities were not corrected in a timely manner. TIGTA’s review of eight contractor site visits by the IRS officials found security weaknesses in all eight facilities, and the IRS was unable to provide monitoring documents for seven of these facilities.

“The IRS needs to improve its current processes and controls to identify all contractors who process, manage, or store IRS taxpayer data at contractor facilities and to ensure timely corrective actions are taken to correct security weaknesses,” said Treasury Inspector General for Tax Administration J. Russell George in a statement. “It is imperative that taxpayer data be protected from unauthorized access or disclosure at all times.”

TIGTA recommended that the IRS implement a better system to identify contractors receiving and using IRS taxpayer data at contractor facilities and that the IRS improve its system for monitoring and identifying security weaknesses at such facilities, to ensure the weaknesses’ timely correction.

In response to the report, IRS management agreed with TIGTA’s recommendations and stated that they plan to take appropriate corrective actions.