IRS Struggles to Safeguard Taxpayer Data Handled by Contractors and Agencies
A recent report from the Government Accountability Office (GAO) highlights a significant gap at the Internal Revenue Service (IRS): it lacks the authority to oversee how contractors and other federal agencies handle the taxpayer data it shares with them.
This gap in authority has raised concerns about the security of sensitive taxpayer information, particularly in light of past incidents involving data leaks and unauthorized access.
The Legal Framework
Since the 1970s, Congress has required the IRS to ensure that taxpayer data it shares with other federal agencies for non-tax administrative purposes is handled in accordance with federal data-protection laws and regulations. Recipients include the Departments of Education, Health and Human Services, Agriculture and Labor, the National Archives and Records Administration, the Office of Personnel Management, and the Social Security Administration. These sharing arrangements are authorized under section 6103 of the Internal Revenue Code.
Oversight Challenges
These agencies are expected to implement data-protection measures and to undergo inspections by IRS staff to confirm compliance. The problem is that the IRS lacks the legal authority to conduct inspections of third parties acting for agencies that receive data under section 6103, so some of that sensitive tax data sits beyond the IRS's oversight.
Interim Measures
The only immediate recourse is a voluntary memorandum of agreement with each affected agency. Under such an agreement the IRS can perform, for that agency, the inspections and oversight of data security controls that it already performs for other agencies. This is a stopgap, however; a permanent fix requires legislative action by Congress.
IRS’s Plans for Improvement
The IRS has outlined plans to identify every agency receiving taxpayer information and to determine an agency-specific approach to oversight. Two things undercut this effort: the IRS has no comprehensive system for identifying all of its data-sharing agreements, and its plans carry no implementation dates.
Challenges in Policing Data Access
As a very large agency, the IRS faces inherent difficulties in monitoring data access. Distinguishing unauthorized access and inappropriate handling from legitimate use is especially hard when employees access large datasets for research purposes.
Recent Actions Taken
To address unauthorized access and data security concerns, the IRS has implemented several measures, including a new policy requiring senior-level approval for certain system access and cybersecurity awareness training for both staff and contractors.
Security Shortcomings and Data Exposures
Previous audits by the GAO and the Treasury Inspector General's office identified deficiencies in security controls, including encryption of data at rest and the configuration of security settings. Some of these issues, encryption among them, remain unresolved, and there have been instances of sensitive taxpayer data being exposed on the IRS's website and leaked to news outlets.
Training Disparities
More than 97% of full-time staff have completed cybersecurity training, but contractors' completion rates range from 66% to 74%. The IRS has no specific training goals for contractors, although it does restrict access for those who have not completed their training.
Contract Oversight Center
To strengthen contractor oversight, the IRS is establishing a new contract oversight center that will provide additional guidance on, and monitoring of, its contractor base.
GAO Recommendations
The GAO has made several recommendations, including that the IRS be given new authority to audit third-party data security practices, that it improve monitoring of contractor access, that it establish concrete training goals and metrics for contractors, and that it maintain an up-to-date inventory of IRS systems storing taxpayer information.
IRS Response
Jeffrey Tribiano, deputy commissioner for operations support, agreed with 14 of the 15 GAO recommendations in the agency's response. The response did not, however, provide specific timelines for implementing them.
Conclusion
The IRS's lack of authority to monitor how contractors and other federal agencies handle taxpayer data is a pressing concern for data security and for compliance with federal law. Closing the gap will require legislative action as well as continued work within the agency to improve data protection and oversight.