IRS Laptop Photo

In one year, TIGTA estimates that the IRS had failed to document the return of 84.2 percent, or more than 1,000 computers due to be returned by contract employees

Treasury Inspector General investigations of the IRS have long documented the agency’s careless approach to sensitive taxpayer data.

A 2016 TIGTA investigation found the IRS put sensitive taxpayer data at risk by failing to ensure laptop computers issued to contractors were actually returned.

For example, more than 7,900 contractor employees stopped working for the IRS in 2014. As the report notes, many of these employees handled sensitive taxpayer data and had access to IRS networks:

Many of these contractor employees were in positions in which they were issued laptop computers, which may allow them access to IRS networks and sensitive taxpayer data. Laptop computers and other equipment must be recovered from separating contractor employees prior to the effective date of separation to prevent the loss of the equipment and sensitive data.

TIGTA estimates that the IRS had failed to document the return of 84.2 percent, or more than 1,000 computers due to be returned by contract employees:

Based on our review of a stratified random sample of contractor employee separations for FY 2014, we estimate that the IRS does not have contract administration documentation to account for the return of laptop computers for 1,078 (84.2 percent) of the 1,280 contractor employees with computer systems and facilities access who separated in FY 2014.

TIGTA again noted:

We reviewed a statistically valid stratified sample of contract administration documentation for 40 of 1,280 contractor employees with computer systems and facilities access who separated from the IRS during FY 2014. Complete contract administration documentation was provided for only seven of the 40 contractor employees. For the remaining 33 contractor employees, the IRS did not provide complete contract administration documentation to sufficiently account for the return of laptop computers.

Furthermore, a 2016 Government Accountability Office report found the IRS had a “significant deficiency” over its ability to ensure taxpayer financial discourse is not exposed.

Physical security controls designed to protect sensitive IT housed in restricted areas were not properly implemented, the agency continued to use unsupported software to manage taxpayer data, and personal data was not properly encrypted.

Following a data breach that exposed the personal information of hundreds of thousands of taxpayers in 2015, TIGTA revealed that the IRS has been warned at least seven times by watchdog groups that it needed to strengthen its protections of taxpayer information.

For example:

  • In a 2014 report, TIGTA warned that if stronger protections are not implemented, “taxpayers could be exposed to the loss of privacy and to financial loss and damages resulting from identity theft or other financial crimes.”  
  • 2013 report found that the IRS had failed to fully implement eight recommendations that would increase security over taxpayer data despite telling TIGTA they had been implemented.
  • 2011 report found that taxpayer data was vulnerable to hackers and stronger security measures were needed
  • In 2010, TIGTA found that the agency had inadequate safeguards to protect taxpayer information from contract workers.

The Biden administration now wants to hire 87,000 new IRS agents, enough to fill Nationals Park twice and enough to fill the Roman Colosseum 1.74 times.

Biden also wants to give the agency new powers to automatically snoop on every personal and business bank account and Venmo account in the country.

What could go wrong?