IRS urged to improve oversight of cybersecurity at tax preparers and software vendors
The Internal Revenue Service needs to improve its oversight of third-party cybersecurity practices by tax preparers and tax software providers, according to a new government report.
The report, by the Government Accountability Office, evaluated the IRS’s information security requirements for the systems used by third-party providers, its monitoring processes for ensuring third-party providers’ compliance with those requirements, and its requirements for third-party provider security incident reporting, and it described the IRS’s outreach efforts to third-party providers.
In 2018, the GAO noted, about 90 percent of people filed their taxes using either commercial tax software or a paid tax return preparer. If these "third parties" that handle tax information are hacked, taxpayers’ personal information could be exposed, leaving them vulnerable to identity theft. However, some of these third-party providers may not know how to keep personal information safe. Plus, the IRS doesn't have the same information security requirements for all software companies or for all paid preparers, so taxpayer information isn't consistently protected from hackers.
The GAO recommended that the IRS make its information security standards for third parties more consistent. The report found the IRS has not developed minimum information security requirements for the systems used by paid preparers or Authorized e-file Providers. According to the IRS’s Office of Chief Counsel, the IRS doesn’t have explicit authority to regulate security for these systems. Instead, the tax code gives the IRS broad authority to administer and supervise the internal revenue laws. The Treasury Department has previously requested additional authority to regulate the competency of all paid preparers, and the GAO has also suggested that Congress consider granting IRS this authority, but Congress hasn’t yet provided that authority. The IRS had tried to regulate tax preparers in 2012, but in the case of Loving v. IRS, a federal court ruled the following year that the IRS lacked the statutory authority to do so. Neither the Treasury request nor the GAO suggestion included granting IRS authority to regulate the security of paid preparers’ systems, but the report said that having such authority would enable IRS to establish minimum requirements. In addition, having explicit authority to establish security standards for Authorized e-file Providers’ systems could help the IRS better ensure the protection of taxpayers’ information.
In terms of tax software providers, as part of a public-private partnership between the IRS and the tax preparation industry known as the Security Summit, 15 tax software providers have voluntarily agreed to adhere to a set of about 140 information security controls developed using guidance from the National Institute of Standards and Technology. “However, these controls are not required, and these providers represent only about one-third of all tax software providers,” said the report. “Additionally, IRS established six security, privacy, and business standards for providers of software that allows individuals to prepare their own tax returns (as opposed to software that paid preparers use). However, IRS has not substantially updated these standards since 2010, and they are, at least in part, outdated. For example, IRS cites an outdated encryption standard that NIST recommends not using due to its many known weaknesses.”
The GAO said a key factor contributing to missed opportunities to address third-party cybersecurity is the IRS’s lack of centralized leadership. As a result, according to the GAO, the IRS is less able to ensure that third-party providers adequately protect taxpayers’ information, which could result in identity theft refund fraud.
“We disagree with the GAO’s conclusion that a lack of centralized leadership contributes to missed opportunities for ensuring that third-party providers adequately protect taxpayers’ information,” wrote Kirsten B. Wielobob, deputy commissioner for services and enforcement at the IRS, in response to the report. “Tax-related identity theft affects taxpayers in different ways, depending on the type and amount of personally identifiable information an identity thief has obtained and how they use that data.”
The GAO acknowledged that the IRS monitors compliance with its electronic tax return filing program requirements for those paid preparers who electronically file returns, but added that the IRS’s monitoring has a limited focus on cybersecurity issues. For example, the monitoring techniques mainly focus on physical security (such as locked filing cabinets) rather than verifying that preparers have an information security policy consistent with NIST-recommended controls. Without effective monitoring of cybersecurity controls, it said the IRS has limited assurance that those paid preparers’ systems have adequate controls in place to protect clients’ data.
The IRS recently began collecting information on high-risk security incidents, such as hackers infiltrating third-party provider systems, the GAO noted, and it found that reported incidents increased from 2017 to 2018, the only years for which the IRS has data. However, the IRS doesn’t have a full picture of the scope of incidents because of inconsistent reporting requirements, including no reporting requirements for paid preparers.