Senate Finance ranking member Mike Crapo (R-Idaho) and 13 of his Republican colleagues sent a detailed letter to IRS commissioner Charles Rettig urging him to probe the theft of private taxpayer files of thousands of Americans spanning a period of 15 years. The Dec. 1 letter, which comes nearly six months after progressive news outlet ProPublica published the stolen information, calls out the agency for its foot-dragging in determining the source of the breach.
The letter criticizes Rettig for the agency's slow response to a serious violation of the privacy of American taxpayers. The Senators wrote:
Despite clear and ongoing evidence of a threat of a data breach, in response to a letter sent to you by Senators Grassley and Crapo, you responded in part that “We do not yet know whether there has been a data breach or a threat of a data breach.” Your letter of September 13, 2021, also notes that “We do not yet have any information concerning the source of the alleged taxpayer information published by ProPublica.”
On Tuesday, Treasury Secretary Janet Yellen said -- for at least the fifth time -- that she still does not know the source of the IRS leaks.
The letter points out how the IRS does not have proper safeguards in place to protect confidential taxpayer data. As the letter notes:
Even before ProPublica began publishing articles utilizing taxpayer information, significant issues with IRS IT systems were well documented. In fact, the struggles of the IRS to modernize IT systems is something of an old chestnut in tax policy circles. Aside from a reliance on COBOL which is referred to as “geriatric code,” it is also reported that the “IRS main software "Master File" was developed in 1962 and uses nine-track tape for data storage. None of the IRS programs have ever been that well coordinated.”
Crapo and his colleagues go on to say that IRS contractor relationships introduce additional security vulnerabilities that have not been adequately addressed. The Treasury Inspector General for Tax Administration recently recommended that the IRS implement end-to-end encryption in transferring taxpayer data to Private Collection Agencies to protect taxpayers against unauthorized access and disclosure. Despite the recommendation, the letter notes that “PCA information residing at the IRS had not been encrypted in the production environment.”
The lack of competence on the part of the IRS is especially shocking in light of their request for unprecedented funding. The letter points out that:
the IRS and Treasury are advocating for an unprecedented, nearly $80 billion, amount of mandatory funding from general taxpayer resources. In the funding scheme being advocated, the IRS is to be provided with a mandatory stream of $80 billion, after which the IRS would report to Congress on how it plans to use the funds—that is; fund now, plan later. Such a scheme, in the face of ongoing alleged privacy leaks of what appear to be IRS information, the source(s) of which no federal agency appears to have any knowledge, and in the face of known serious deficiencies in IRS data protections, defines irresponsibility.
The letter concludes with a series of questions about the agency’s response to these leaks, including how many employees have been tasked with this investigation, what is the status of IRS’s efforts to resolve the 120 open GAO recommendations, how many contractors has the IRS provided taxpayer information to that has not been encrypted over the past year and the past 10 years, and how much of their requested funding would the IRS plan to use on additional digital surveillance of taxpayers.
Given their failure to protect sensitive taxpayer information, every American should be concerned about the Democrats' proposal to increase the size and scope of the IRS.