The Internal Revenue Service isn't doing enough to safeguard sensitive tax information when it's shipped between its tax processing centers, according to a new report.
The
For the report, TIGTA wanted to assess the IRS's compliance with its own policies and procedures when mailing tax information through a private carrier. It found the agency is not adhering to its own internal guidelines when sending large volumes of sensitive taxpayer information to and from its tax processing centers. The required tracking documents, Forms 3210, "Document Transmittal," are often not included with these shipments and/or not prepared properly.
Between August and November 2022, TIGTA did on-site inspections of 31 incoming packages with large amounts of sensitive taxpayer information received via private delivery carriers at the tax processing centers and found that 22 of the 31 packages didn't include copies of the completed Forms 3210. TIGTA also did inspections of 40 packages with large volumes of sensitive taxpayer information that were ready for shipment from the tax processing centers through a private delivery carrier. It found that 39 out of the 40 packages lacked copies of the completed Forms 3210.
What's more, managers of the IRS's Submission Processing Files function at the three tax processing centers aren't completing the necessary quarterly audits of the Forms 3210 acknowledgment process to comply with internal guidelines. Some packages get lost, but the IRS's Privacy, Governmental Liaison and Disclosure Office doesn't notify businesses or put a data breach indicator on their business tax accounts when packages with sensitive business tax information go missing.
"TIGTA is concerned that the IRS is not taking actions to properly account for and control sensitive tax information," said the report. "Therefore, the IRS is unable to identify, notify and offer protection to some taxpayers when their sensitive tax information is lost in the mail."
TIGTA offered five recommendations in the report, saying the IRS should make sure the Form 3210 is completed and included in all packages so actions can be taken to protect taxpayers when a shipment is lost; and ensure that Submission Processing Files function managers perform quarterly audits of the Forms 3210 acknowledgment process. The service also needs to change its internal guidelines to avoid having losses associated with a business automatically categorized as low risk and notify businesses when their data losses are categorized as high risk.
IRS officials agreed with four of TIGTA's recommendations and partly agreed with the other recommendation. The agency intends to issue a notice to remind employees to include a Form 3210 with shipments of large volumes of tax information. It also plans to send out a notice to remind employees to include the taxpayers whose information is shipped on the Form 3210. The IRS also intends to send periodic email communications to the Submission Processing Files functions to make certain the Form 3210 reviews are being done. In addition, the agency plans to develop a process for performing quarterly reviews in its files functions. It has also updated its Data Breach Response Plan so that losses associated with a business aren't automatically categorized as low risk.
"We recognize the risk associated with shipping documents containing sensitive information from one location to another and take steps to mitigate it," said Kenneth Corbin, commissioner of the IRS's Wage and Investment Division, in response to the report. "Sensitive information is protected during shipment through double packaging and labeling. The shipment contents are held in a sealed container that is labeled with the delivery information and that container is in turn enclosed in a separate sealed container that is also labeled for delivery. This practice provides an added degree of protection if a parcel becomes damaged during shipment and the outer container or envelope is breached."
He added that the IRS tracks all shipments and if a package is lost, procedures are in place to report the incident. Corbin believes the additional funding from the Inflation Reduction Act will help the IRS update its processes to more of a digital environment so it can substantially reduce the need to ship paper documents and fill out forms manually.
