Treasury Inspector General for Tax Administration
Office of Audit
SOME TAXPAYERS WERE NOT APPROPRIATELY NOTIFIED WHEN THEIR PERSONALLY IDENTIFIABLE INFORMATION WAS INADVERTENTLY DISCLOSED
Issued on May 24, 2011
Highlights
Highlights of Report Number: 2011-40-054 to the Internal Revenue Service Deputy Commissioner for Operations Support.
IMPACT ON TAXPAYERS
Taxpayers need to be assured that the Internal Revenue Service (IRS) will promptly notify them of inadvertent disclosures of their Personally Identifiable Information so they can take the necessary steps to protect themselves from identity theft or other harm. The IRS has many processes and regulations that protect taxpayer information, but there are times when taxpayer information is inadvertently disclosed.
WHY TIGTA DID THE AUDIT
More than 142 million taxpayers entrust the IRS with sensitive financial and personal data. The objective of this audit was to determine whether the IRS is making appropriate decisions to promptly and properly notify taxpayers of inadvertent disclosures of their tax information.
WHAT TIGTA FOUND
TIGTA reviewed a statistical sample of 98 case files of incidents reported as inadvertent disclosures in Fiscal Years 2009 and 2010 and found not all taxpayers were properly and/or timely notified of disclosures.
· Five (5 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because IRS employees reporting the disclosures did not document the identity of the individuals whose Personally Identifiable Information had been disclosed.
· 10 (10 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because only tax account information was disclosed and IRS procedures did not include tax account information in its definition of Personally Identifiable Information.
· For 20 (74 percent) of the 27 incidents in the 98 incidents sampled that required taxpayer notification, notifications were not sent timely.
TIGTA considered notifications timely if taxpayers were sent notifications within 45 days of the date the incident was reported to or identified by the IRS. The notification letters in the sample averaged 86 days.
In addition, TIGTA reconciliations performed on the four systems the IRS uses to capture disclosure incident-related information identified 815 missing incidents.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the IRS 1) educate employees on the importance of obtaining sufficient information on individuals whose Personally Identifiable Information was disclosed, 2) revise procedures to include tax account information in the Personally Identifiable Information definition and instruct the Incident Management Program to forward disclosure incidents to the IRS’s Identity Theft Program for victims of identity theft, 3) implement a timeliness measure that includes the time the incident is being worked by other IRS offices or functions before it is reported to the Computer Security Incident Response Center, and 4) implement sufficient controls, including a management information system, to ensure that all incidents are accurately documented and considered.
In the response to the report, the IRS agreed to the recommendations. The IRS has implemented a protection campaign to educate employees on data protection and plans to study whether tax account information should be included in the definition of Personally Identifiable Information. In addition, the IRS plans to strengthen procedures to address identity theft and expand current time metrics to include the elapsed time between initial incident reporting and the taxpayer notification date. It plans to consolidate all systems data for the most serious incidents.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/auditreports/2011reports/201140054fr.html.
Email Address: TIGTACommunications@tigta.treas.gov
Phone Number: 202-622-6500
Web Site: http://www.tigta.gov