The IRS is putting sensitive taxpayer data at risk by failing to ensure laptop computers issued to contractors are properly returned, according to a report by the Treasury Inspector General for Tax Administration (TIGTA).

More than 7,900 contractor employees stopped working for the IRS in 2014. As the report notes, many of these employees handled sensitive taxpayer data and had access to IRS networks:

Many of these contractor employees were in positions in which they were issued laptop computers, which may allow them access to IRS networks and sensitive taxpayer data. Laptop computers and other equipment must be recovered from separating contractor employees prior to the effective date of separation to prevent the loss of the equipment and sensitive data.

It is vital that government-issued laptops are properly returned and documented to prevent unauthorized access to taxpayer data, loss of government equipment, and access to sensitive IRS systems. But in an analysis of a sample of 40 computer documentation records, just 12 were properly completed. The remaining 28 had inconsistent documentation.

As the report notes, TIGTA estimates that the IRS had failed to properly document the return of 84.2 percent, or more than 1,000, of the computers due to be returned by contract employees:

Based on our review of a stratified random sample of contractor employee separations for FY 2014, we estimate that the IRS does not have contract administration documentation to account for the return of laptop computers for 1,078 (84.2 percent) of the 1,280 contractor employees with computer systems and facilities access who separated in FY 2014.

This is not the only time the agency has failed to protect taxpayer data. A recent report by the Government Accountability Office noted that the agency had a “significant deficiency” in its ability to ensure taxpayer financial discourse is not exposed. Physical security controls designed to protect sensitive IT housed in restricted areas had not been properly implemented, the agency continued to use unsupported software to manage taxpayer data, and personal data was not properly encrypted.

Following a data breach that exposed the personal information of hundreds of thousands of taxpayers last year, the Treasury Inspector General for Tax Administration (TIGTA) revealed that the IRS has been warned at least seven times by watchdog groups that it needed to strengthen its protections of taxpayer information. Most recently:

  • In a 2014 report, TIGTA warned that if stronger protections are not implemented, “taxpayers could be exposed to the loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.”
  • A 2013 report found that the IRS had failed to fully implement eight recommendations that would increase security over taxpayer data, despite telling TIGTA they had been implemented.
  • A 2011 report found that taxpayer data was vulnerable to hackers and that stronger security measures were needed.
  • In 2010, TIGTA found that the agency had inadequate safeguards to protect taxpayer information from contract workers.