Treasury Inspector General for Tax Administration
March 31, 2011
TIGTA - 2011-18
Contact: Karen Kraushaar
WASHINGTON – The Internal Revenue Service (IRS) needs to do a better job of protecting sensitive information when it communicates with taxpayers via email under a pilot project known as the Taxpayer Secure Email Program, according to a report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA).
The IRS began using email to communicate with a small number of corporate taxpayers in 2007 and subsequently began sharing sensitive information with more than 200 corporate taxpayers.
Prior to 2007, the IRS prohibited sending sensitive but unclassified (SBU) data in emails to taxpayers or taxpayers’ representatives. IRS procedures directed employees to not send SBU data by email to parties outside of the IRS or the Department of the Treasury, even if the other party used encryption software. The IRS cited the risks to taxpayers’ privacy as the reason for the policy.
TIGTA reviewed whether the IRS’s controls, policies, and procedures adequately protected taxpayers’ data, guarded against email threats to the IRS network, and ensured email practices were compliant with Federal regulations.
TIGTA found that while the IRS has installed antivirus software on employees’ computers, it has not implemented other security controls, such as an automated tool to detect and prevent SBU data in unencrypted emails from being transmitted outside the IRS. In addition, some employees and taxpayers are not encrypting their emails that contain SBU data. Further, IRS procedures and training lack adequate guidance for employees to report violations.
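The control the auditors found missing, an automated check that stops SBU data from leaving in unencrypted email, can be sketched as an outbound-gateway filter. This is an added example, not code from the TIGTA report or the IRS; the internal domains, the SSN/EIN patterns and the sample message are constructed, and only PGP/MIME encryption is recognised as "already protected".

```python
import re
from email import message_from_string

# Hypothetical org domains and constructed SBU detectors; the report names no specific tool or rules.
INTERNAL_DOMAINS = {"irs.gov", "treasury.gov"}
SBU_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),   # 123-45-6789
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),         # 12-3456789
}

# Constructed sample of the failure the audit describes: cleartext SBU to an outside party.
SAMPLE = """From: examiner@irs.gov
To: cfo@example-corp.com
Subject: Follow-up on examination
Content-Type: text/plain; charset=utf-8

Please confirm EIN 12-3456789 and the officer's SSN 123-45-6789.
"""

def is_encrypted(msg):
    """True for PGP/MIME (RFC 3156) bodies; S/MIME envelopes are not handled here."""
    return (msg.get_content_type() == "multipart/encrypted"
            and msg.get_param("protocol") == "application/pgp-encrypted")

def external_recipients(msg):
    """Addresses in To/Cc/Bcc whose domain is not one of ours."""
    hdrs = " ".join(v for h in ("To", "Cc", "Bcc") for v in msg.get_all(h, []))
    return [a for a in re.findall(r"[\w.+-]+@[\w.-]+", hdrs)
            if a.rsplit("@", 1)[1].lower() not in INTERNAL_DOMAINS]

def find_sbu(msg):
    """Count SBU pattern hits in every text/* part of a cleartext message."""
    hits = {}
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        charset = part.get_content_charset() or "utf-8"
        text = part.get_payload(decode=True).decode(charset, "replace")
        for name, pat in SBU_PATTERNS.items():
            if n := len(pat.findall(text)):
                hits[name] = hits.get(name, 0) + n
    return hits

def check_outbound(raw):
    """Gateway decision for one outbound message: ('allow'|'block', sbu_hits)."""
    msg = message_from_string(raw)
    if not external_recipients(msg) or is_encrypted(msg):
        return "allow", {}   # internal-only, or already encrypted end to end
    hits = find_sbu(msg)
    return ("block" if hits else "allow"), hits
```

A production filter would also log each block for the violation-reporting procedure the auditors asked for, rather than silently dropping the message.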
“As electronic mail presents one of the highest security risks to an organization’s sensitive data and computer networks, the IRS must be extremely careful in implementing new programs that allow email communication with taxpayers,” said J. Russell George, the Treasury Inspector General for Tax Administration. “Employees and taxpayers must work together to ensure the security of all email messages,” he added. “The risk to taxpayers’ sensitive data is simply too great to do otherwise.”
TIGTA made nine recommendations to the IRS, including developing additional procedures for employees to report secure email program violations and informing taxpayers of the specific risks associated with transmitting unencrypted email with SBU data. The IRS agreed with six of the recommendations and partially agreed with three.
To view the report, including the scope, methodology, and full IRS response go to: http://www.treas.gov/tigta/auditreports/2011reports/201120012fr.pdf.