The Internal Revenue Service does not always promptly and properly notify taxpayers of inadvertent disclosures of their personal information, according to a new government report.
The
Millions of taxpayers entrust the IRS with sensitive financial and personal data when they file their tax returns each year, the report noted. TIGTA conducted an audit to determine whether the IRS promptly notifies taxpayers of inadvertent disclosure of their personally identifiable information so they can take the necessary steps to protect themselves from identity theft or other harm.
“It is troubling that although the IRS has many processes and regulations that protect taxpayer information, there are times when taxpayer information is inadvertently disclosed,” said TIGTA Inspector General J. Russell George in a statement. “Taxpayers need to be assured that the IRS will promptly notify them of inadvertent disclosures of their confidential information, so they can take appropriate steps to protect themselves from identity theft or other harm.”
TIGTA reviewed a statistical sample of 98 case files of incidents reported as inadvertent disclosures in fiscal years 2009 and 2010 and found that not all taxpayers were properly or timely notified of the disclosures’ occurrence. Of those 98 case files, TIGTA found that 35 cases involved a failure to notify the taxpayer or a failure to notify the taxpayer within 45 days of the incident.
In addition, TIGTA’s review of the IRS’s four systems used to capture disclosure incidents identified an additional 815 potential inadvertent disclosures, not previously identified by the IRS.
The IRS issued a statement to clarify the findings in the report. "It is important to note that this report analyzes the process that IRS utilizes to notify taxpayers in the very limited number of circumstances where personally identifiable information is disclosed incorrectly," said a statement e-mailed by IRS spokesperson Julianne Fisher Breitbeil. "While any inadvertent disclosure is of great concern, nothing in this report suggests any systemic vulnerability. Taxpayers can be confident that their data is secure with the IRS, and protection of taxpayer data is a top priority for the agency. It’s also important to note that there is no indication that these limited numbers of disclosures led to identity theft. Rather, as the report suggests, these are typically isolated incidents that involved letters addressed to an incorrect taxpayer or a letter for one taxpayer that was erroneously included in the same envelope with another taxpayer’s letter."
TIGTA made four recommendations in its report, calling for better employee education, procedure revision, and the introduction of new timeliness measures and controls. The IRS agreed to the recommendations.
“Recently a new data protection campaign was launched to keep IRS employees informed, prepared and practicing all aspects of data protection in their daily work activities,” wrote Beth Tucker, the IRS’s deputy commissioner for operations support, in response to the report. “By communicating the importance of data protection through multiple channels and from the highest levels of the organization, the IRS commitment to protecting sensitive data is communicated to all employees.”
She also noted that the IRS has an “established process for reporting a data incident, analyzing the loss, responding quickly to prevent further impact, determining the risk to the taxpayer or employee and, as appropriate, notifying the taxpayer or employee of the loss.”
