Treasury Inspector General for Tax Administration

Office of Audit

SOME TAXPAYERS WERE NOT APPROPRIATELY NOTIFIED WHEN THEIR PERSONALLY IDENTIFIABLE INFORMATION WAS INADVERTENTLY DISCLOSED

Issued on May 24, 2011

Highlights

Highlights of Report Number: 2011-40-054 to the Internal Revenue Service Deputy Commissioner for Operations Support.

IMPACT ON TAXPAYERS

Taxpayers need to be assured that the Internal Revenue Service (IRS) will promptly notify them of inadvertent disclosures of their Personally Identifiable Information so they can take the necessary steps to protect themselves from identity theft or other harm.The IRS has many processes and regulations that protect taxpayer information, but there are times when taxpayer information is inadvertently disclosed.

WHY TIGTA DID THE AUDIT

More than 142 million taxpayers entrust the IRS with sensitive financial and personal data. The objective of this audit was to determine whether the IRS is making appropriate decisions to promptly and properly notify taxpayers of inadvertent disclosures of their tax information.

WHAT TIGTA FOUND

TIGTA reviewed a statistical sample of 98 case files of incidents reported as inadvertent disclosures in Fiscal Years 2009 and 2010 and found not all taxpayers were properly and/or timely notified of disclosures.

         Five (5 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because IRS employees reporting the disclosures did not document the identity of the individuals whose Personally Identifiable Information had been disclosed.

         10 (10 percent) of 98 incidents were closed and taxpayers were not properly notified of the disclosures because only tax account information was disclosed and IRS procedures did not include tax account information in its definition of Personally Identifiable Information.

         20 (74 percent) of the 27 incidents in the 98 incidents sampled that required taxpayer notification were not sent timely.TIGTA considered notifications timely if taxpayers were sent notifications within 45 days of the date the incident was reported to or identified by the IRS.The notification letters in the sample averaged 86 days.

In addition, TIGTA reconciliations performed on the four systems the IRS uses to capture disclosure incident‑related information identified 815 missing incidents.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the IRS 1) educate employees on the importance of obtaining sufficient information on individuals whose Personally Identifiable Information was disclosed, 2) revise procedures to include tax account information in the Personally Identifiable Information definition and instruct the Incident Management Program to forward disclosure incidents to the IRSís Identity Theft Program for victims of identity theft, 3) implement a timeliness measure that includes the time the incident is being worked by other IRS offices or functions before it is reported to the Computer Security Incident Response Center, and 4) implement sufficient controls, including a management information system, to ensure that all incidents are accurately documented and considered.

In the response to the report, the IRS agreed to the recommendations.The IRS has implemented a protection campaign to educate employees on data protection and plans to study whether tax account information should be included in the definition of Personally Identifiable Information.In addition, the IRS plans to strengthen procedures to address identity theft and expand current time metrics to include the elapsed time between initial incident reporting and taxpayer notifications date.It plans to consolidate all systems data for the most serious incidents.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/auditreports/2011reports/201140054fr.html.

Email Address: TIGTACommunications@tigta.treas.gov

Phone Number:†† 202-622-6500

Web Site:†† http://www.tigta.gov