TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

 

 

Target Dates Have Not Been Established to Eliminate or Reduce Taxpayer Social Security Numbers From Outgoing Correspondence

 

 

 

August 13, 2010

 

Reference Number:  2010-40-098

 

 

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process and information determined to be restricted from public release has been redacted from this document.

 

Phone Number   |  202-622-6500

Email Address   |  inquiries@tigta.treas.gov

Web Site           |  http://www.tigta.gov

 

HIGHLIGHTS

 


Final Report issued on August 13, 2010

Highlights of Reference Number:  2010-40-098 to the Internal Revenue Service Deputy Commissioner for Operations Support.

IMPACT ON TAXPAYERS

More than 130 million taxpayers entrust the Internal Revenue Service (IRS) with sensitive financial and personal data, much of it on paper documents requiring protection.  Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure.

WHY TIGTA DID THE AUDIT

This audit was initiated because the Social Security Number is now a vital piece of information needed to function in American society to pay taxes, obtain a driver’s license, or open a bank account, among other things.  Identity theft affects tax administration when an individual intentionally uses the Social Security Number of another person to file a false tax return or fraudulently obtain employment.  Another person’s Social Security Number is the most valuable tool an identity thief can obtain to commit financial fraud, and the Social Security Number becomes even more valuable if it is linked to other personal data of the Social Security Number owner, such as information required to prepare a tax return.  TIGTA conducted this audit to determine whether the IRS is efficiently eliminating the unnecessary collection and use of taxpayer Social Security Numbers.

WHAT TIGTA FOUND

In response to Office of Management and Budget Memorandum 07-16, the IRS developed and is implementing its Social Security Number Elimination and Reduction (SSN ER) Plan.  A majority of a sample of SSN ER Plan accomplishments could be validated.  However, most of the supporting documentation had to be reassembled, and it was not clear if the IRS had validated the accomplishments before reporting them.  Milestones for Phase 3 of the SSN ER Plan have not been established.

The IRS will not be eliminating or reducing the use of taxpayers’ Social Security Numbers in the immediate future.  The IRS has many systems, notices, and forms that use Social Security Numbers which require significant analysis before Social Security Number use is eliminated or reduced.  The IRS focused first on internal forms using Social Security Numbers and eliminating employees’ Social Security Numbers from its systems.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Deputy Commissioner for Operations Support maintain documentation to support major deliverables and key meetings so that it is readily available for examination.  The Deputy Commissioner should also validate data received from the business units and all accomplishments to ensure all needed actions are complete, and refine and update the milestones for the SSN ER Plan to ensure timely progress of the strategy.

The IRS agreed with the recommendations.  It created a dedicated SSN ER shared folder to maintain documentation related to major SSN ER Program deliverables and key meetings and will ensure specific report and source materials are readily available for examination.  The SSN ER Program team has also identified a team member as the Records Historian.  The IRS will implement a data validation process for all SSN ER Plan accomplishments to ensure all required actions are completed.  Finally, the IRS will strengthen Program milestones by refining and updating milestones quarterly to ensure timely progress of Program strategies.

 

August 13, 2010

 

 

MEMORANDUM FOR DEPUTY COMMISSIONER FOR OPERATIONS SUPPORT

 

FROM:                            Michael R. Phillips /s/ Michael R. Phillips

                                         Deputy Inspector General for Audit

 

SUBJECT:                    Final Audit Report – Target Dates Have Not Been Established to Eliminate or Reduce Taxpayer Social Security Numbers From Outgoing Correspondence (Audit # 200940040)

 

This report presents the results of our review to determine whether the Internal Revenue Service is efficiently eliminating the unnecessary collection and use of taxpayer Social Security Numbers.  This audit was included in our Fiscal Year 2010 Annual Audit Plan and addresses the major management challenge of Taxpayer Protection and Rights.

Management’s complete response to the draft report is included as Appendix IV.

Copies of this report are also being sent to the Internal Revenue Service managers affected by the report recommendations.  Please contact me at (202) 622-6510 if you have questions or Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services), at (202) 622-5916.

 

 

Table of Contents

 

Background

Results of Review

The Internal Revenue Service Has Implemented the Social Security Number Elimination and Reduction Plan

The Internal Revenue Service Will Not Be Eliminating or Reducing the Use of Taxpayers’ Social Security Numbers in the Immediate Future

Recommendation 1:

Recommendations 2 and 3:

Appendices

Appendix I – Detailed Objective, Scope, and Methodology

Appendix II – Major Contributors to This Report

Appendix III – Report Distribution List

Appendix IV – Management’s Response to the Draft Report

 

Abbreviations

 

IRS   |  Internal Revenue Service

OMB   |  Office of Management and Budget

SSN ER   |  Social Security Number Elimination and Reduction

 

 

Background

 

In February 2010, the Federal Trade Commission reported that identity theft was the number one consumer complaint category in Calendar Year 2009.[1]  Identity theft occurs when someone uses Personally Identifiable Information, such as an individual’s name, Social Security Number, credit card numbers, or other account information, to commit fraud and other crimes.  The Internal Revenue Service (IRS) Office of Privacy, Information Protection, and Data Security defines Personally Identifiable Information as any combination of information that can be used to uniquely identify, contact, or locate a person and could subsequently be used for identity theft.

More than 130 million taxpayers entrust the IRS with sensitive financial and personal data, much of it on paper documents requiring protection.  For Calendar Year 2010,[2] the IRS mailed more than 42 million notices and letters to individual taxpayers for various reasons, including:

·        More than 20.1 million balance due notices.  Taxpayers with outstanding tax liabilities receive balance due notices informing them of their outstanding tax liabilities.  Shown at right is a portion of a notice that the IRS mailed to a taxpayer.

·        More than 2 million letters issued by the Automated Collection System.[3]  For example, these are letters mailed to taxpayers advising them that a levy is being placed on their property or to confirm a taxpayer’s payment agreement to satisfy an outstanding tax liability.

·        More than 9.7 million correspondence letters.  Correspondence letters can request information from taxpayers or advise them of possible adjustments to their tax returns.

Most of these notices and letters include taxpayers’ Social Security Numbers because they require the taxpayer to respond to the IRS.  Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure.  

Although the Social Security Number was created as a means to track workers’ earnings and eligibility for Social Security benefits, it is now a vital piece of information needed to function in American society.  Because of its unique nature and broad applicability, the Social Security Number has become the identifier of choice for public and private sector entities, and it is used for numerous non-Social Security purposes.  Today, United States citizens generally need a Social Security Number to pay taxes, obtain a driver’s license, or open a bank account, among other things.  Identity theft affects tax administration when an individual intentionally uses the Social Security Number of another person to file a false tax return or fraudulently obtain employment.  Another person’s Social Security Number is the most valuable tool an identity thief can obtain to commit financial fraud, and the Social Security Number becomes even more valuable if it is linked to other personal data of the Social Security Number owner, such as information required to prepare a tax return.

Legislative Requirements

Two primary laws, the Privacy Act of 1974[4] and the E-Government Act of 2002,[5] give Federal agencies responsibilities for protecting Personally Identifiable Information, including ensuring its security.  In addition, the Federal Information Security Management Act of 2002[6] requires agencies to develop, document, and implement agency-wide programs to provide security for their information and information systems (which include Personally Identifiable Information and the systems on which it resides).

The Office of Management and Budget (OMB) has also issued numerous memoranda to Federal agencies.  On May 22, 2007, the OMB issued Memorandum 07-16 (M-07-16), “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” to the heads of executive departments and agencies requiring that:

Within 120 days from the date of this memo, agencies must establish a plan in which the agency will eliminate the unnecessary collection and use of social security numbers within eighteen months.

The memorandum requires agencies to review and reduce the volume of Personally Identifiable Information to the minimum necessary and reduce the use of Social Security Numbers.  The memorandum emphasizes the need for proper privacy and security safeguards to protect Personally Identifiable Information in both electronic and paper-based formats.

This review was performed at the IRS National Headquarters in Washington, D.C., in the Office of Privacy, Information Protection, and Data Security and the Office of Privacy in Philadelphia, Pennsylvania, during the period June 2009 through May 2010.  We also conducted interviews in the Wage and Investment Division Office of Taxpayer Correspondence in Lanham, Maryland, and Austin, Texas.  We conducted this performance audit in accordance with generally accepted government auditing standards.  Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective.  We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.  Detailed information on our audit objective, scope, and methodology is presented in Appendix I.  Major contributors to the report are listed in Appendix II.

  

Results of Review

 

The Internal Revenue Service Has Implemented the Social Security Number Elimination and Reduction Plan

 

In response to OMB M-07-16, the IRS developed and is implementing its Social Security Number Elimination and Reduction (SSN ER) Plan.  The Plan outlines the IRS’ implementation methodology, transition to new business practices, and the future state of the SSN ER Program. 

The IRS submitted the first release of its SSN ER Plan to the Department of the Treasury in November 2007.  To date, the IRS has provided three releases of its Plan to reduce or eliminate the use of Social Security Numbers to the Department of the Treasury for incorporation into the Department’s overall plan.  The final release was submitted in February 2009. 

The SSN ER Plan is broken down into three phases.  The IRS is in Phase 2. 

·        Phase 1:  Data Gathering and Inventory.

·        Phase 2:  Review Analysis and Identification of Solutions.

·        Phase 3:  Implementation and Compliance Management.

The SSN ER Plan methodology includes identifying opportunities to eliminate or reduce Social Security Number use, reducing IRS reliance on the Social Security Number, and replacing Social Security Numbers as identifiers.  The transition to new business practices includes introducing new policies and procedures enterprise-wide to institutionalize the need to continuously reconsider Social Security Number use.  These practices will be communicated internally to IRS employees as well as externally to taxpayers, agency partners, and stakeholders. 

The IRS’ key message is to improve taxpayer service and reduce taxpayer burden by minimizing the use of Social Security Numbers and increasing information safeguards and awareness regarding agency use.

The future state of the SSN ER Program involves moving into compliance management.  This includes implementing the SSN ER Plan, business unit progress tracking and reporting, monitoring adherence with internal policies and Federal Social Security Number requirements, and internal and external communication and awareness. 

The IRS has also been an active participant in several work groups with the Department of the Treasury and other Federal agencies exploring ways to minimize or eliminate Social Security Number use. 

The Internal Revenue Service Will Not Be Eliminating or Reducing the Use of Taxpayers’ Social Security Numbers in the Immediate Future

During Fiscal Year 2009, the IRS mailed 201 million notices (including letters) to taxpayers — most of which contained taxpayer Social Security Numbers.  The IRS has many systems, notices, and forms that use taxpayer Social Security Numbers—all requiring significant analysis to determine if taxpayer Social Security Numbers are necessary or can be eliminated.  The following have been identified that may contain taxpayer Social Security Numbers. 

·        More than 500 different computer systems. 

·        More than 6,000 types of internal and external forms. 

·        20 categories of individual taxpayer notices (e.g., Adjustments, Balance Due, and Math Error), 155 notice types (e.g., Examination Adjustment Notice; Balance Due $5 or More, No Math Error; and Math Error, Overpayment of $1 or More).  The IRS stated it has more than 800 letters and correspondence. 

Since the IRS submitted its first release of the SSN ER Plan to the Department of the Treasury in the first quarter of Fiscal Year 2008, it has redacted or truncated taxpayers’ Social Security Numbers from only a small number of systems, notices, and forms.

·        Transmittal Document (Form 3210) used when transferring taxpayer files between IRS functions and offices.  The IRS now lists the last four digits of the taxpayer’s Social Security Number on the Form.

·        Notices and letters associated with the economic stimulus payment[7] and Identity Theft Program.[8]  The IRS developed the new notices and letters so that they would not require the taxpayer’s full Social Security Number.

·        Integrated Data Retrieval System[9] command code used to verify taxpayer identities.  This command code uses only the last 4 digits of the primary or secondary taxpayer’s Social Security Number, the first 10 characters of the last name (or fewer, if there are fewer than 10 characters in the last name), and the date of birth without the year to search for the matching name(s) and address(es).  The taxpayer needs to provide only the last four digits of his or her Social Security Number.

Since the command code was made available to IRS employees, about 50,600 requests were made from October 27, 2009, through March 31, 2010.  About 35,800 of the command code requests (71 percent) were successful.

In addition, the IRS issued Internal Revenue Bulletin 2009-51 that outlines a pilot program to truncate the Social Security Number on the printed copies of the U.S. Information Return series (Form 1099) and Mortgage Interest Statement (Form 1098).

The IRS focused first on internal forms and employee Social Security Numbers

The IRS stated that it focused first on internal forms using Social Security Numbers because it has more latitude to change the presentation of the data on the form if it does not leave the IRS.  If it leaves the IRS, consideration must be given to the effect any changes will make on the receiving organization.  The IRS has also focused on eliminating employees’ Social Security Numbers from its systems.

Systems and taxpayer correspondence containing taxpayer Social Security Numbers present complications because processes must also be analyzed and revised before reducing or eliminating taxpayer Social Security Numbers.  This is because Social Security Numbers are used to associate correspondence and documents with taxpayer accounts.

In addition, before revising forms and notices, the IRS must first analyze the various options for eliminating or reducing the Social Security Numbers (e.g., eliminating or masking the Social Security Number, or using barcodes).  The IRS began the lengthy process of analyzing the programming costs for the various systems in February 2009.  Initial results of the analysis were provided in November 2009.   

Controls need to be improved to ensure the IRS takes all necessary actions to reduce or eliminate the unnecessary use of Social Security Numbers

As the IRS moves forward to reduce and eliminate the use of taxpayer Social Security Numbers, it needs to improve internal controls to ensure all planned actions are appropriately and timely accomplished.  The IRS needs to maintain a complete list of systems, notices, and forms with associated actions for monitoring purposes.  It also needs to ensure milestones are established and updated when necessary.

The majority of the accomplishments in the SSN ER Plan could be validated but documentation needs to be improved

Release 3 of the SSN ER Plan includes 35 statements purporting Plan accomplishments.  The IRS was able to support the majority of the nine Plan accomplishments tested.  However, most of the supporting documents had to be reassembled. 

In addition, it was unclear if the IRS had validated the accomplishments before reporting them.  For example, the Plan stated that the IRS had implemented the use of a Standard Employee Identifier in lieu of the Social Security Number for one of the IRS’ major application systems.  IRS officials also advised us that the option to sign into the system with a Social Security Number was to be removed by February 2010.  Nevertheless, as of April 15, 2010, employees still had the ability to sign into the system using either a Social Security Number or a Standard Employee Identification Number.

Documentation was not adequately maintained to support and corroborate Plan accomplishments.

Because documentation was not adequately maintained, there was no support to corroborate the Plan’s accomplishments.  Without validation, there is no assurance that all systems and forms using taxpayers’ Social Security Numbers are identified and reduced or eliminated.  The inability to document or explain the steps taken to validate the accomplishments makes it difficult for the IRS to demonstrate why it may not be feasible to remove or reduce Social Security Numbers from systems and outgoing correspondence. 

The SSN ER Program currently consists of only four employees.  The SSN ER Program has experienced management and employee turnover during the development and implementation of the SSN ER Plan.  Managers have been detailed to other assignments or taken other positions within the IRS.  One analyst who reviewed data was a part-time employee.  Finally, the current Program manager stated that the SSN ER Program does not have the level of resources needed to dedicate one person to validate data and accomplishments (i.e., ensure taxpayer Social Security Numbers have been eliminated or masked, or ensure support for not removing them has been evaluated and approved).

The Office of Privacy, Information Protection, and Data Security has also been developing an IRS‑wide Authentication Strategy.  The Authentication Strategy promotes data protection and enables ease of access to maintain public confidence and improve customer service.  The goals are to enhance an IRS-wide authentication internal control framework to address risk, deter fraudulent access, and institutionalize a common set of principles for authenticating taxpayers when contacting the IRS.

There are no target dates for decisions on whether taxpayers’ Social Security Numbers can be removed from notices and/or letters

Detailed Implementation and Compliance Management milestones have not been established.  The SSN ER Plan provided a strategic roadmap that showed Ongoing Compliance Management beginning in Calendar Year 2011.  However, milestones have not been updated since Release 3 of the SSN ER Plan or established for Phase 3 of the Plan, Implementation and Compliance Management.  In addition, while the IRS has prepared draft outcome measures for the SSN ER Program related to forms and notices, it has not developed outcome measures related to its systems.

The IRS was using a tracking tool for each of the targeted SSN ER Plan areas (e.g., System Tracking Tool, a Correspondence Tracking Tool (tracks notices and letters), and a Forms Tracking Tool).  Each tool was populated with inventory data (notices, letters, systems, etc.).  After IRS offices responsible for the notices, letters, or systems decided if Social Security Numbers were essential or not essential, the tracking tools were updated.  There were no target dates for any of the pending actions or decisions.

The IRS is creating an electronic SSN ER Program Compliance Management tool.  The IRS stated this tool will eventually replace the need for the SSN ER Program tracking tools and spreadsheets.  The new tool will allow for real-time updates and will assist the SSN ER Program team in its daily tracking of the ongoing Social Security Number mitigation progress.  It will also allow the team to follow up on future SSN ER Plan compliance actions and provide progress reporting.  However, the tool only tracks actions; it does not set milestones or expectations. 

Internal controls should be designed to assure that ongoing monitoring occurs as the SSN ER Plan progresses.  Monitoring should be performed continually and be ingrained in the operations.  It includes regular management and supervisory activities, comparisons, reconciliations, and other actions people take in performing their duties.  The key benefit to monitoring is that it helps assure project performance is observed and measured regularly to identify variances from the Plan.  Without interim milestones, it is difficult to gauge the progress of the Plan.

Recommendations

The Deputy Commissioner for Operations Support should:

Recommendation 1:  Maintain documentation to support major deliverables and key meetings so that it is readily available for examination.

Management’s Response:  IRS management agreed with this recommendation.  The IRS created a dedicated SSN ER shared folder to maintain documentation related to major SSN ER Program deliverables and key meetings and will ensure specific report and source materials are readily available for examination.  The SSN ER Program team has also identified a team member as the Records Historian.  The Records Historian will establish record retention standards, as needed, on documents not currently covered in a records control schedule.

Recommendation 2:  Validate data received from the business units and all accomplishments to ensure all needed actions are complete.

Management’s Response:  IRS management agreed with this recommendation.  The IRS will implement a data validation process for all SSN ER Plan accomplishments to ensure all required actions are completed.

As part of this process, the IRS will leverage a current IRS application as an SSN ER Compliance Management Tool to track, monitor, and report ongoing SSN ER compliance progress throughout the enterprise.  This Tool will house all SSN ER Program compliance data and establish an electronic case file for each system, notice, letter, and form that uses Social Security Numbers.  This system is currently going through user acceptance testing and will be released by October 1, 2010.

Recommendation 3:  Refine and update the milestones for the SSN ER Plan to ensure timely progress of the strategy. 

Management’s Response:  IRS management agreed with this recommendation.  The IRS will strengthen Program milestones by refining and updating milestones quarterly to ensure timely progress of Program strategies.

The IRS SSN ER 2-D Barcode Project is currently producing documents and artifacts for Project Milestones 1 and 2 as defined by the Enterprise Life Cycle.  The 2-D Barcode Project, one of the solutions for the SSN ER Plan, will encode the Social Security Number within a two-dimensional barcode on IRS notices and will also provide the necessary tools to read and identify taxpayers when they respond to IRS notices.  The Project is scheduled to complete Milestones 1 and 2 by October 1, 2010.  Additional milestone dates will be established at that time.

 

Appendix I

 

Detailed Objective, Scope, and Methodology

 

The overall objective of this review was to determine whether the IRS is efficiently eliminating the unnecessary collection and use of taxpayer Social Security Numbers.  To accomplish our objective, we:

I.                    Determined the expectations of OMB Memorandum 07-16 (M-07-16), “Safeguarding Against and Responding to the Breach of Personally Identifiable Information,” and if the IRS met the Department of the Treasury (Treasury) and OMB expectations.

A.     Reviewed the IRS’ current plans and reports relating to OMB M-07-16.

B.     Determined Treasury’s evaluation and opinion/conclusion of the IRS’ submitted plans, efforts, and actions to eliminate the unnecessary use of Social Security Numbers by interviewing officials in the Treasury Office of Privacy and Treasury Records.

C.     Determined OMB’s evaluation and opinion/conclusion of the Treasury/IRS submitted plans, efforts, and actions to eliminate the unnecessary use of Social Security Numbers by interviewing officials in the OMB Office of Information and Regulatory Affairs.

II.                 Determined the accuracy of the 35 accomplishments cited in the IRS SSN ER Plan, Version 3.0, dated February 17, 2009. 

A.     Met with IRS officials to discuss the process followed for validating the February 17, 2009, SSN ER Plan.

B.     Selected a judgmental sample of 9 accomplishments from the 35 accomplishment statements and identified the source information supporting the statements.  We selected a judgmental sample because of the small population size (35) and to ensure we sampled accomplishments related to systems, notices, and forms.

C.     Reviewed the source documents and supporting documentation provided by the IRS to determine the accuracy of the Plan statements.

III.               Determined if the universal population of IRS systems, notices, and forms appeared complete. 

IV.              Determined the process used to prioritize the Social Security Number inventory to immediately eliminate, replace, or mask the Social Security Number or to include in the enterprise-wide plan to seek an alternative method to safeguard the Social Security Numbers.

V.                 Identified delivery milestones and actions to be taken.

Internal controls methodology

Internal controls relate to management’s plans, methods, and procedures used to meet their mission, goals, and objectives.  Internal controls include the processes and procedures for planning, organizing, directing, and controlling program operations.  They include the systems for measuring, reporting, and monitoring program performance.  We determined the following internal controls were relevant to our audit objective:  Office of Privacy policies, procedures, and practices for implementing the SSN ER Plan.  We evaluated these controls by interviewing management and employees and reviewing documentation to support the accomplishments and activities as outlined in the SSN ER Plan.

 

Appendix II

 

Major Contributors to This Report

 

Michael E. McKenney, Assistant Inspector General for Audit (Returns Processing and Account Services)

Augusta R. Cook, Director

Paula W. Johnson, Audit Manager

Lynn Faulkner, Lead Auditor

Geraldine Vaughn, Auditor

 

Appendix III

 

Report Distribution List

 

Commissioner  C

Office of the Commissioner – Attn:  Chief of Staff  C

Deputy Commissioner for Services and Enforcement  SE
Chief Technology Officer  OS:CTO
Commissioner, Small Business/Self-Employed Division  SE:S
Commissioner, Wage and Investment Division  SE:W
Director, Privacy, Information Protection, and Data Security  OS:P
Associate Chief Information Officer, Enterprise Services  OS:CTO:ES
Associate Chief Information Officer, Strategy and Planning  OS:CTO:SP
Director, Campus Compliance Services, Small Business/Self-Employed Division  SE:S:CCS
Director, Collection, Small Business/Self-Employed Division  SE:S:C
Director, Customer Account Services, Wage and Investment Division  SE:W:CAS
Director, Customer Assistance, Relationships and Education, Wage and Investment Division  SE:W:CAR
Director, Examination, Small Business/Self-Employed Division  SE:S:E
Director, Privacy and Information Protection  OS:P:PIP
Director, Strategy and Finance, Wage and Investment Division  SE:W:S
Deputy Associate Chief Information Officer, Systems Integration  OS:CTO:ES:SI
Director, Accounts Management, Wage and Investment Division  SE:W:CAS:AM
Director, Campus Filing and Payment Compliance, Small Business/Self-Employed Division  SE:S:CCS:FPC
Director, Campus Reporting Compliance, Small Business/Self-Employed Division  SE:S:CCS:CRC
Director, Media and Publications, Wage and Investment Division  SE:W:CAR:MP
Director, Office of Privacy  OS:P:PIP:P
Director, Portfolio Planning and Estimation  OS:CTO:SP:PPE
Director, Strategy and Capital Planning  OS:CTO:SP:SCP
Chief, Program Evaluation and Improvement, Wage and Investment Division  SE:W:S:PRA:PEI
Chief Counsel  CC

National Taxpayer Advocate  TA

Director, Office of Legislative Affairs  CL:LA
Director, Office of Program Evaluation and Risk Analysis  RAS:O

Office of Internal Control  OS:CFO:CPIC:IC

Audit Liaisons:

Chief Technology Officer  OS:CTO

Commissioner, Small Business/Self-Employed Division  SE:S

Director, Privacy, Information Protection, and Data Security  OS:P

Senior Operations Advisor, Wage and Investment Division  SE:W:S

Chief, GAO/TIGTA/Legislative Implementation Branch, Small Business/Self-Employed Division  SE:S:CLD:PSP:GTL

Chief, Program Evaluation and Improvement, Wage and Investment Division  SE:W:S:PRA:PEI  

  

Appendix IV

 

Management’s Response to the Draft Report

 

DEPARTMENT OF THE TREASURY

INTERNAL REVENUE SERVICE

WASHINGTON, D.C. 20224

 

PRIVACY, INFORMATION PROTECTION

AND DATA SECURITY

 

 

July 30, 2010

 

MEMORANDUM FOR DEPUTY INSPECTOR GENERAL FOR AUDITS

 

FROM:                      for Deborah G. Wolf /s/ James F. Weaver

   Director, Privacy Information Protection & Data Security

 

SUBJECT:                        Draft Inspection Report. Target Dates Have Not Been Established to Eliminate or Reduce Taxpayer Social Security Numbers from Outgoing Correspondence (Audit #200940040)

 

Thank you for the opportunity to respond to the referenced draft report. Protecting the sensitive data entrusted to the Internal Revenue Service (IRS) by taxpayers and employees is vital to maintaining the public's trust in the U.S. tax administration system and is a top priority of the IRS. The Social Security Number (SSN) is used by many government and private organizations to identify and authenticate individuals, and the Office of Management and Budget (OMB), in its May 2007 Memorandum M-07-16 Safeguarding Against and Responding to the Breach of Personally Identifiable Information, asked federal agencies to take steps to eliminate or reduce the use of this sensitive piece of information in order to protect citizens from identity theft. We appreciate acknowledgement of the progress we have made in our efforts to safeguard SSNs and agree with the recommendations in your draft report.

 

The IRS has made significant strides in eliminating or reducing the use of SSNs within IRS systems, notices, letters and forms. In compliance with the OMB mandate, we completed a review of the use of SSNs in IRS programs and Federal Information Security Management Act (FISMA) and non-FISMA systems and identified instances where the collection or use of the SSN was not necessary. We have implemented numerous mitigation strategies related to SSN usage and continue our progress in eliminating or reducing the use of the SSN as an identifier. This progress is described in more detail below:

• Redaction of SSNs from Fiscal Year (FY) 2008 Economic Stimulus letters - The IRS successfully redacted SSNs from all 122,757,212 Economic Stimulus letters (Notice 1378) sent to taxpayers in FY 2008.

 

• Taxpayer Identification Number (TIN) Masking On Information Returns – In partnership with IRS Chief Counsel and the Department of the Treasury General Counsel, we developed Notice 2009-93, published on November 19, 2009, to permit partial masking of all but the last four digits of the SSN on Forms 1099, 1098 and 5498. This pilot program will allow for the partial masking of SSNs on paper payee statements for 2009 and 2010. The projected number of taxpayers that will be protected by this effort is 34,959,000.

 

• SSN Redaction from Automated Collection System (ACS) Letters - The IRS redacted SSNs on numerous taxpayer sensitive and enforcement-related letters. The redaction of the SSN on ACS letters not only reduces the risk of identity theft but also reduces the exposure of sensitive taxpayer information. During FY 2008 and FY 2009, over 10 million collection notices were redacted, and in some cases SSNs were fully removed.

 

• Research Command Code - In November 2009, the IRS developed a new approach to authenticating taxpayers that does not require the full use of their SSNs. Utilizing IRS' Integrated Data Retrieval System (IDRS), the Taxpayer Personally Identifiable Information Protection (TPIIP) research command code was implemented into work practices throughout the organization including the Taxpayer Advocate Service. The tool allows IDRS users in both campus and field offices to identify and/or authenticate taxpayers using a truncated or partial SSN. Pairing the last four digits of a taxpayer's SSN with identifiable information contained within IDRS TPIIP has proved to be a highly reliable tool to provide system and business process owners with corresponding account information. Through June 2010, there were over 86,000 accesses using the new command code. The IRS continues to look for new opportunities to incorporate the use of the new command code in our business processes.

 

• Identification of SSN Elimination and Reduction (ER) Solutions – Since 2008, the IRS has identified enterprise-wide solutions to eliminate and reduce SSNs in various IRS systems, notices, letters and forms. Examples of solutions that have already been implemented across the enterprise include:

· removal of SSNs from notices, forms and letters that do not require SSNs for processing;

· partial masking of SSNs on system displays, notices, letters and form fields that require SSNs for processing; and

· use of an employee identifier to replace the SSN for all employee system access and employee forms, letters and notices.

 

Additionally, the IRS has taken the lead to engage other federal and state government agencies to incorporate best practices into our SSN ER program and to share progress on mitigation strategies, including the following efforts:

• SSN Elimination and Reduction Interagency Sub-Committee - We recruited participants and initiated quarterly meetings in 2007 to share SSN ER best practices between federal agencies.

• Federation of Tax Administrators - IRS Tactical Advisory Group (TAG) - This group was chartered as a vehicle for the IRS and state agencies to collaborate in striving to eliminate or reduce the use of SSNs. This monthly venue provides a means for sharing SSN ER initiatives and communicating concerns and impacts between the IRS and state agencies. The group includes representatives from Utah, Connecticut, California, Idaho, Massachusetts and California.

 

Continuing the forward momentum on SSN ER, the IRS recently approved funding for a new initiative focused on replacing the SSNs on notices with a 2D barcode. Development of the 2D barcode technology for use within IRS system generated notices is key to the success of the SSN ER effort, as it will allow the IRS to encode taxpayer data into a 2D barcode and eliminate the printed SSN on outgoing correspondence. In turn, the 2D barcode would be read by 2D imaging device scanners when correspondence is received from the taxpayer; thus, further reducing the risk of exposure of taxpayer SSNs. The project initiation artifacts have been developed and requisitions for contractor support have been submitted. Requests have also been submitted to secure both hardware and software to support the initiative. Milestone development for the new initiative is ongoing and a preliminary timeline will be established by October 1, 2010.

 

If you have any questions, please contact me at (609) 278-7732.

 

Attachment

 

Attachment

 

RECOMMENDATION 1: Maintain documentation to support major deliverables and key meetings so that it is readily available for examination.

 

CORRECTIVE ACTION

We agree with this recommendation. We have created a dedicated SSN Elimination and Reduction (ER) SharePoint folder to maintain documentation related to major SSN ER program deliverables and key meetings and will ensure specific report and source materials are readily available for examination. The SSN ER program team has also identified a team member as the Records Historian. The Records Historian will establish record retention standards, as needed, on documents not currently covered in a records control schedule.

 

IMPLEMENTATION DATE

Completed

 

RESPONSIBLE OFFICIAL

Director, Privacy, Information Protection and Data Security

 

CORRECTIVE ACTION MONITORING PLAN

N/A

 

RECOMMENDATION 2: Validate data received from the business units and all accomplishments to ensure all needed actions are complete.

 

CORRECTIVE ACTION

We agree with this recommendation. The IRS will implement a data validation process for all SSN Elimination and Reduction (ER) accomplishments to ensure all required actions are completed.

 

As part of this process, the IRS will leverage the e-trak application as a SSN ER Compliance Management Tool to track, monitor and report ongoing SSN ER compliance progress throughout the enterprise. This tool will house all SSN ER compliance data and establish an electronic case file for each system, notice, letter and form that uses SSNs. This system is currently going through user acceptance testing and will be released by October 1, 2010.

 

IMPLEMENTATION DATE

October 1, 2010

 

RESPONSIBLE OFFICIAL

Director, Privacy, Information Protection and Data Security

 

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal control system.

 

RECOMMENDATION 3: Refine and update the milestones for the SSN ER Plan to ensure timely progress of the strategy.

 

CORRECTIVE ACTION

We agree with this recommendation. The IRS will strengthen program milestones by refining and updating milestones quarterly to ensure timely progress of program strategies.

 

The IRS SSN ER 2-D barcode project is currently producing documents and artifacts for Project Milestones 1 and 2 as defined by the Enterprise Life Cycle (ELC). The 2-D barcode project, one of the solutions for SSN ER, will encode the SSN within a two-dimensional barcode on IRS notices and will also provide the necessary tools to read and identify taxpayers when they respond to IRS notices. The project is scheduled to complete Milestones 1 and 2 by October 1, 2010. Additional milestone dates will be established at that time.

 

IMPLEMENTATION DATE

October 1, 2010

 

RESPONSIBLE OFFICIAL

Director, Privacy, Information Protection and Data Security

 

CORRECTIVE ACTION MONITORING PLAN

We will monitor this corrective action as part of our internal control system.

 


[1] Consumer Sentinel Network Data Book for January–December 2009, Federal Trade Commission, February 2010.

[2] Volumes are as of May 26, 2010.

[3] A telephone contact system through which telephone assistors collect unpaid taxes and secure tax returns from delinquent taxpayers who have not complied with previous notices.

[4] 5 U.S.C. Section (§) 552a (2006). 

[5] Pub. L. 107-347, 116 Stat. 2899, 44 U.S.C. § 101.

[6] 44 U.S.C. §§ 3541 - 3549.

[7] The IRS mailed approximately 123 million economic stimulus payment notices to taxpayers between April and December 2008.

[8] The IRS mailed about 20,700 Identity Theft Program notices and letters to taxpayers between October 2007 and January 2009.

[9] IRS computer system capable of retrieving or updating stored information.  It works in conjunction with a taxpayer’s account records.