IRS officials have said the agency is committed to improving security as it makes plans for an influx of funding and employees after several high-profile leaks.
The agency is preparing for a major overhaul with $78 billion included in the 2022 Inflation Reduction Act for the IRS through the end of fiscal year 2031.
A recent Congressional watchdog report found problems with the IRS’s handling of sensitive taxpayer information. The report found weaknesses in training, information systems, contractor oversight and information-sharing.
U.S. Sen. Mike Crapo, R-Idaho, said the problems at the IRS have been longstanding issues.
“From serious breaches of confidential taxpayer data and document mismanagement to poor cybersecurity training and infrastructure vulnerabilities, the IRS has a decades-long and troubled history with adequately protecting American taxpayers’ information,” Crapo said in response to the GAO report.
The report followed several IRS leaks. Most recently, a former IRS contractor who leaked former President Donald Trump’s tax returns and disclosed tax return information for thousands of the nation’s wealthiest people pleaded guilty to disclosing tax return information without authorization. He faces up to five years in prison.
Other leaks also grabbed attention. In September 2022, the IRS discovered that it had disclosed confidential taxpayer information on its website. In December 2022, the agency was informed that some of the data appeared to have been disclosed again and discovered that the majority of those data had been inadvertently disclosed on its website, according to a report from the Government Accountability Office.
The report detailed several problems, including problems with training IRS employees and contractors on handling taxpayer information. For example, 66% of the roughly 14,000 contractors assigned a specific training course completed the course.
“As a result, IRS contractors are at increased risk of being unprepared to handle taxpayer information,” according to the report.
The Government Accountability Office has found repeated security problems over the years, including unauthorized access to tax information and unauthorized disclosure of that information. In May 2022, it reported that the IRS had investigated nearly 1,700 cases of unauthorized access by its employees between 2012 and 2021. Of these cases, about 27% violated the IRS’s rules that employees only access records required for their jobs.
“As this report illustrates, the IRS has repeatedly squandered the public’s trust by failing to protect taxpayer privacy and in some cases willfully ignoring recommendations that would have increased taxpayer information security,” U.S. House Ways and Means Committee Chair Jason Smith, R-Missouri, said in response to the report.
The report noted that of the substantiated unauthorized access cases, about 82% resulted in an employee’s suspension, resignation or removal. For the cases where the IRS found employees committed both unauthorized access and unauthorized disclosure violations, all cases resulted in the employee’s suspension, resignation, or removal.
The IRS’s attempts to safeguard data go back decades. Before 1976, the executive branch had discretion over decisions to share taxpayer information. That changed with the Tax Reform Act in 1976, which came amid growing concerns from taxpayers and members of Congress. After a 1997 report about continued shortcomings at the IRS, Congress passed the Taxpayer Browsing Protection Act of 1997, which made the willful unauthorized inspection of taxpayer returns or return information by staff a crime.
Efforts to protect taxpayer information continue. In April 2022, the IRS began requiring additional approvals to access taxpayer data that contained personally identifiable information in one of its databases, according to the GAO report.
One problem is the IRS doesn’t know how many of its systems contain personally identifiable information. The agency has taken steps to keep an inventory of systems that process or store such data, however it had not completed the inventory as of December 2022.
Jeffrey Tribiano, the IRS deputy commissioner for Operations Support, wrote in a letter that limited resources have been an issue in tackling the recommendations made by the GAO.