Treasury Inspector

General for Tax

Administration

Inspections and Evaluations

Highlights

Highlights of Report Number:2008-IE-R002 to the Internal Revenue Service Deputy Commissioner, Operations Support.

WHY TIGTA DID THIS STUDY

This project was initiated because every year, the Internal Revenue Service (IRS) mails hardcopy personally identifiable information in millions of packages and letters.While the overwhelming majority of commercially shipped packages reach their destinations without incident, the few packages that are compromised present opportunities for identity theft.The objective of this inspection was to determine what actions the IRS is taking to protect hardcopy personally identifiable information that is shipped from office to office and how the IRS responds when a disclosure of hardcopy personally identifiable information potentially occurs.

WHAT TIGTA RECOMMENDED

TIGTA recommended that the Director, Privacy, Information Protection and Data Security, collaborate with the Director, Computer Security Incident Response Center, to develop a new incident code that clearly separates hardcopy personally identifiable information loss from other types of losses; require originators to maintain a list of the package contents to enable the Internal Revenue Service to identify lost items and who to notify; reinforce the need for mandatory monitoring of all packages by the originator to ensure receipt, or initiate follow-up actions as appropriate.Also, the Director should monitor actions to ensure that planned enhancements to shipping procedures are made formal, and perform a risk assessment on the shipment of documents to Federal Records Centers.

In their response to the report, IRS officials generally agreed to our recommendations.

 

THE PROGRAM TO PROTECT HARDCOPY PERSONALLY IDENTIFIABLE INFORMATION IS A WORK-IN-PROGRESS Issued on September 12, 2008

IMPACT ON TAXPAYERS

The few packages that are compromised present opportunities for identity theft.Taxpayer confidence that information sent to the IRS is properly protected from identity theft is critical to the voluntary compliance system.

WHAT TIGTA FOUND

TIGTA found that incidents involving hardcopy personally identifiable information could not be readily distinguished from electronic or mixed media incidents in the Computer Security Incident Response Center, which sends incident reports to a team in the Office of Privacy and Information Protection.The team maintains a separate database intended to facilitate this type of analysis.

Also, the IRS shipped over 3 million packages with United Parcel Service (UPS) in Fiscal Year 2007.181 packages, where potential disclosure was an issue, were reported lost or damaged in shipment.Of these 3 remain unaccounted for and 28 were empty upon discovery.

It appears originators are not always completing the Document Transmittal which identifies the specific documents being shipped.Procedures require originators to follow up if a receipt copy is not received.Also, originators did not always use the tracking features provided by UPS to ensure that the package reached its destination.

UPS packages are delayed or fail to reach their intended destinations largely due to improperly packaging; the outer label, which is the sole source of identification, is torn off or rendered unreadable; or the package is improperly sealed.Guidelines and shipping instructions for packages are available on the IRSís web site and guidelines have been published.

The Office of Privacy and Information Protection is working with over 50 contracted mailrooms to accept recommendations from the shipping risk and compliance assessment currently underway by a contracted consulting firm.Shipments of tax returns and other documents to Federal Records Centers were not included, but a separate risk assessment is under consideration.

READ THE FULL REPORT

To view the report, including the scope, methodology, and full IRS response, go to:

http://www.treas.gov/tigta/iereports/2008reports/2008IER002fr.html.