Highlights of Report Number:† 2008-IE-R002 to the Internal Revenue Service Deputy Commissioner, Operations Support.
WHY TIGTA DID THIS STUDY
This project was initiated because every year, the Internal Revenue Service (IRS) mails hardcopy personally identifiable information in millions of packages and letters.† While the overwhelming majority of commercially shipped packages reach their destinations without incident, the few packages that are compromised present opportunities for identity theft.† The objective of this inspection was to determine what actions the IRS is taking to protect hardcopy personally identifiable information that is shipped from office to office and how the IRS responds when a disclosure of hardcopy personally identifiable information potentially occurs.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the Director, Privacy, Information Protection and Data Security, collaborate with the Director, Computer Security Incident Response Center, to develop a new incident code that clearly separates hardcopy personally identifiable information loss from other types of losses; require originators to maintain a list of the package contents to enable the Internal Revenue Service to identify lost items and who to notify; reinforce the need for mandatory monitoring of all packages by the originator to ensure receipt, or initiate follow-up actions as appropriate.† Also, the Director should monitor actions to ensure that planned enhancements to shipping procedures are made formal, and perform a risk assessment on the shipment of documents to Federal Records Centers.
In their response to the report, IRS officials generally agreed to our recommendations.
THE PROGRAM TO PROTECT HARDCOPY PERSONALLY IDENTIFIABLE INFORMATION IS A WORK-IN-PROGRESS †Issued on September 12, 2008
IMPACT ON TAXPAYERS
The few packages that are compromised present opportunities for identity theft.† Taxpayer confidence that information sent to the IRS is properly protected from identity theft is critical to the voluntary compliance system.
WHAT TIGTA FOUND
TIGTA found that
incidents involving hardcopy personally identifiable information could not be
readily distinguished from electronic or mixed media incidents in the
Also, the IRS shipped over 3 million packages with United Parcel Service (UPS) in Fiscal Year 2007.† 181 packages, where potential disclosure was an issue, were reported lost or damaged in shipment.† Of these 3 remain unaccounted for and 28 were empty upon discovery.
It appears originators are not always completing the Document Transmittal which identifies the specific documents being shipped.† Procedures require originators to follow up if a receipt copy is not received.† Also, originators did not always use the tracking features provided by UPS to ensure that the package reached its destination.
UPS packages are delayed or fail to reach their intended destinations largely due to improperly packaging; the outer label, which is the sole source of identification, is torn off or rendered unreadable; or the package is improperly sealed.† Guidelines and shipping instructions for packages are available on the IRSís web site and guidelines have been published.†
The Office of Privacy and Information Protection is working with over 50 contracted mailrooms to accept recommendations from the shipping risk and compliance assessment currently underway by a contracted consulting firm.† Shipments of tax returns and other documents to Federal Records Centers were not included, but a separate risk assessment is under consideration.
READ THE FULL REPORT
To view the report, including the scope, methodology, and full IRS response, go to: