
IRS lacks authority to monitor how contractors, other agencies manage taxpayer data

U.S. Secretary of the Treasury Janet Yellen delivers remarks regarding the Internal Revenue Service during an event on Aug. 2, 2023, in McLean, Va. A new Government Accountability Office investigation found trainings around cybersecurity have been completed by more than 97% of full-time staff at the agency, but training rates for contractors range ...

The IRS lacks the authority to inspect whether other federal agencies that receive taxpayer information are protecting that data as required by law, according to a new Government Accountability Office report.

The report, released publicly Monday, details how the tax agency shares and protects the data that taxpayers send to it, following a number of high-profile incidents that resulted in leaks, unauthorized access or exposure.

Since the 1970s, Congress has required the IRS to ensure that the data it shares with other agencies for non-tax administrative purposes is protected and secured according to federal laws and regulations. The agency has sharing arrangements with the Departments of Education, Health and Human Services, Agriculture and Labor, as well as the National Archives and Records Administration, the Office of Personnel Management, the Social Security Administration and other federal agencies. Those arrangements are made pursuant to Internal Revenue Code section 6103, which authorizes the disclosure of such information.

Those agencies, in turn, are supposed to implement a number of prescribed data protection protocols and submit to inspections by IRS staff to verify that they are implemented. However, for agencies that receive IRS data under certain subsections of section 6103, the data is shared even though the IRS has no legal authority to conduct third-party inspections, something that potentially leaves sensitive tax data exposed or outside of the IRS' oversight.

The only permanent solution would be a legislative update from Congress. Absent that, the agency is making do for now with voluntary memorandums of agreement with certain agencies, under which those agencies agree to the same kind of inspections and oversight of data security controls that the IRS is authorized to carry out for other recipients.

“According to IRS draft planning documentation, beginning in fiscal year 2023, IRS plans to identify agencies receiving taxpayer information via certain subsections, including subsection 6103(c), and then determine an agency-specific course of action for IRS oversight. However, IRS’s planning documentation notes that identifying all such data sharing agreements may be difficult because IRS does not have a good system that identifies all these initiatives and did not include a date for full implementation.”

The IRS took a number of actions last year meant to curb unauthorized access to taxpayer information, including a new policy requiring employees to obtain “senior-level approval” before gaining access to certain systems, and training for staff and its roughly 14,000 contractors on cybersecurity awareness, insider threats, privacy and unauthorized data access.

However, there are inherent challenges in policing appropriate and inappropriate data access in an agency as large as the IRS.

Officials told auditors it is “challenging to identify all UNAX and unauthorized disclosure incidents because managers cannot monitor all of their staff all of the time” and that “depending on the nature of the work, it can be hard to identify suspicious accesses…when staff are accessing large amounts of data to do research.”

Last year, the IRS processed more than 260 million tax returns and paid out more than $600 billion in refunds and outlays. Previous audits performed last year by GAO and the Treasury Inspector General's office found that the agency was falling short on a number of system security controls meant to protect taxpayer data, specifically encryption of data at rest and configuration of security settings.

Some of those problems, like encryption, have yet to be addressed, and in several cases across 2022 the IRS or another body discovered instances of sensitive taxpayer data exposed on the agency’s website and leaked to news outlets like ProPublica. The agency has also drawn privacy and data security concerns over its efforts to implement facial recognition for users seeking access to certain tax-related information.

While more than 97% of full-time staff have completed cybersecurity training, completion rates for contractors range from 66% to 74%. IRS officials said that, unlike for full-time employees, they do not have training goals in place for contractors, but that they work to disable access for contractors who have not completed their training until they are confirmed to have done so.

The agency is also standing up a new contract oversight center to provide further oversight and guidance for its contractor base.

GAO's recommendations include that Congress give the IRS new authority to audit the data security practices of systems and agencies that receive taxpayer data, and that the IRS better monitor contractor access to tax data, put in place concrete training goals and metrics for contractors, and ensure that its IT cybersecurity office maintains an up-to-date inventory of all IRS systems that store taxpayer information.

In a public note attached to the audit, Jeffrey Tribiano, deputy commissioner for operations support, said the agency fully concurs with 14 of the 15 recommendations made by GAO and requested minor changes in language to the remaining one. While most agency responses include deadlines or timeframes for implementing recommended actions, Tribiano did not provide an estimated completion date or timeframe for any of the 15 recommended actions.

“Ensuring adequate controls are in place to protect federal tax information is a continuous process. As you note in your report, analyzing and improving access controls to sensitive information is on-going,” he wrote.

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
