Highlights Highlights of
Report Number: 2008-IE-R002 to the
Internal Revenue Service Deputy Commissioner, Operations Support. WHY TIGTA DID THIS STUDY This project
was initiated because every year, the Internal Revenue Service (IRS) mails
hardcopy personally identifiable information in millions of packages and letters. While the overwhelming majority of
commercially shipped packages reach their destinations without incident, the
few packages that are compromised present opportunities for identity
theft. The objective of this
inspection was to determine what actions the IRS is taking to protect
hardcopy personally identifiable information that is shipped from office to
office and how the IRS responds when a disclosure of hardcopy personally
identifiable information potentially occurs. WHAT TIGTA RECOMMENDED TIGTA
recommended that the Director, Privacy, Information Protection and Data
Security, collaborate with the Director, Computer Security Incident Response
Center, to develop a new incident code that clearly separates hardcopy personally
identifiable information loss from other types of losses; require originators
to maintain a list of the package contents to enable the Internal Revenue Service
to identify lost items and who to notify; reinforce the need for mandatory
monitoring of all packages by the originator to ensure receipt, or initiate
follow-up actions as appropriate.
Also, the Director should monitor actions to ensure that planned
enhancements to shipping procedures are made formal, and perform a risk
assessment on the shipment of documents to Federal Records Centers. In
their response to the report, IRS officials generally agreed to our
recommendations. |
THE PROGRAM TO PROTECT HARDCOPY
PERSONALLY IDENTIFIABLE INFORMATION IS A WORK-IN-PROGRESS Issued on September 12, 2008 IMPACT ON TAXPAYERS The few packages that are
compromised present opportunities for identity theft. Taxpayer confidence that information sent
to the IRS is properly protected from identity theft is critical to the
voluntary compliance system. WHAT
TIGTA FOUND TIGTA found that
incidents involving hardcopy personally identifiable information could not be
readily distinguished from electronic or mixed media incidents in the Also, the IRS
shipped over 3 million packages with United Parcel Service (UPS) in Fiscal
Year 2007. 181 packages, where
potential disclosure was an issue, were reported lost or damaged in
shipment. Of these 3 remain
unaccounted for and 28 were empty upon discovery. It appears
originators are not always completing the Document Transmittal which
identifies the specific documents being shipped. Procedures require originators to follow up
if a receipt copy is not received.
Also, originators did not always use the tracking features provided by
UPS to ensure that the package reached its destination. UPS packages
are delayed or fail to reach their intended destinations largely due to improperly
packaging; the outer label, which is the sole source of identification, is torn
off or rendered unreadable; or the package is improperly sealed. Guidelines and shipping instructions for
packages are available on the IRS’s web site and guidelines have been
published. The Office
of Privacy and Information Protection is working with over 50 contracted
mailrooms to accept recommendations from the shipping risk and compliance
assessment currently underway by a contracted consulting firm. Shipments of tax returns and other
documents to Federal Records Centers were not included, but a separate risk
assessment is under consideration. READ THE
FULL REPORT To view the report,
including the scope, methodology, and full IRS response, go to: http://www.treas.gov/tigta/iereports/2008reports/2008IER002fr.html. |