By Michael Carroll
Nearly half of 80 randomly chosen IRS employees put sensitive taxpayer records at risk by not encrypting emails, a recent U.S. Treasury Department audit found, leaving thousands of taxpayers exposed to identity theft.
The Treasury Department audit found that employees failed to encrypt email communications containing sensitive personal information, likely including data from tax returns.
“It is critical that the Internal Revenue Service properly protect taxpayers’ personally identifiable and tax return information at all times,” said the Treasury inspector general for tax administration, J. Russell George, in a prepared statement. “Not only is this protection required by law; it is essential if taxpayers are to maintain a high level of confidence in the IRS’s mission.”
The audit involved a random sample of 80 IRS employees in the agency’s Small Business/Self-Employed Division over a four-week period this past spring. A total of 39 of these employees sent 326 unencrypted emails containing the personal tax information of more than 8,000 Americans, the audit report said.
Of these emails, 275 were sent within the agency to other IRS employees and were protected by the IRS information system’s firewall, thus posing a reduced security risk. But 51 emails containing sensitive information were sent to email accounts outside the agency’s confines, the report said.
Because the audit was narrowly targeted, the email problem within the entire small business division may be much greater. Auditors estimate that all of the division’s employees – more than 11,000 – sent out more than 95,000 unencrypted emails containing sensitive taxpayer information during the four weeks covered by the audit.
If those numbers are extrapolated for a full year, the volume of unencrypted emails being sent by division employees would reach 1.1 million and contain the personal information of 28.2 million taxpayers.
"I think it's a matter of the culture (within the agency) and the availability of resources to properly communicate with security," John Pironti, an author and frequent speaker on electronic business and information security issues, told AMI Newswire.
The IRS needs to provide encouragement as well as tools and capabilities to get its workers to take issues of cyber security more seriously, said Pironti, who is president of IP Architects LLC.
The continuing news about security lapses by top officials, such as Hillary Clinton's use of a private email server while secretary of state, sends the wrong message to government employees, he said. Such lapses would normally result in sanctions or lost security clearances, Pironti said.
"They're supposed to be setting an example," he said.
Private industry has largely solved these problems through encryption and other technologies, so government should be able to apply the same principles, Pironti said.
The commissioner of the Small Business/Self-Employed Division, Karen Schiller, said the unit will work to improve privacy and security protections in electronic communications in response to the audit.
“While the title of this draft report refers to a risk of improper disclosure, it is important to note that your review did not identify any instances where Personally Identifiable Information that was sent unencrypted was sent to an unintended recipient,” Schiller said.
A system allowing IRS employees to fax documents from their computers was also used to send sensitive taxpayer information, the audit report said. A total of 193 unencrypted emails were routed through the fax system, which does not have an encryption capability.
And six IRS workers were found to have sent 20 emails involving work-related business to their personal email accounts, the audit report said.
The inspector general’s report made several recommendations, including technology updates, disciplinary action where required and an update of guidelines about restrictions on the use of personal email accounts.
A second audit report released last week found that the agency had failed to protect sensitive taxpayer information when it transferred data to external partners, such as federal, state and local agencies, as well as financial institutions and contractors. Many of these transfers were done using insecure servers, the audit said.
The IRS email system has been the topic of congressional concern in recent months as well. In a letter to IRS Commissioner John Koskinen last month, Sen. Orrin Hatch and two high-ranking House members faulted the agency for wasting $12 million on subscriptions to an email records system that did not meet IRS security requirements.
“As a result of the IRS’s carelessness, the Service will not meet (the Office of Management and Budget’s) December 31, 2016, deadline to modernize its email system, wasting millions of taxpayer dollars and further delaying full IRS transparency and accountability,” the letter said.