November 17, 2016

TIGTA - 2016-36
Karen Kraushaar, Director of Communications
Karen.Kraushaar@tigta.treas.gov
(202) 622-6500

Employees Sometimes Did Not Adhere to E-Mail Policies, Which Increased the Risk of Improper Disclosure of Taxpayer Information

WASHINGTON - Internal Revenue Service (IRS) employees sometimes did not protect sensitive taxpayer information in sending e-mail messages, according to an audit report that the Treasury Inspector General for Tax Administration (TIGTA) publicly released today.

Personally Identifiable Information (PII) is a specific type of sensitive information that may include tax return information. Laws require that the IRS protect PII and tax return information for different reasons, including protecting privacy, and because loss, theft, or unauthorized disclosure of the information places individuals at serious risk of identity theft.

TIGTA reviewed a random sample of 80 IRS Small Business/Self-Employed (SB/SE) Division employees' e-mails sent during four weeks in May and June 2015. From its review, TIGTA determined that 39 employees (49 percent of the 80) sent a total of 326 unencrypted e-mails containing 8,031 different taxpayers' PII/tax return information internally to other IRS employees or externally to non-IRS e-mail accounts.

The 326 unencrypted e-mails that TIGTA identified were:

  • 275 unencrypted e-mails containing taxpayer PII/tax return information that were sent internally to other IRS employees. These e-mails were sent inside the IRS internal information system firewall, and therefore pose less risk of improper disclosure or improper access.
  • 51 unencrypted e-mails containing taxpayer PII/tax return information that were sent externally to non-IRS e-mail accounts. These employees failed to follow Internal Revenue Manual (IRM) requirements and risked exposing the information to unauthorized persons.

Additionally, 20 e-mails that six employees sent to personal e-mail accounts involved official IRS business. SB/SE employees may not be aware of the restriction on using their personal e-mail, because the Standards for Using Email in the IRM do not include this restriction.

TIGTA initiated this audit because electronic mail (e-mail) is a prevalent form of communication in the IRS. Employees who have frequent contact with taxpayers need to ensure that they take appropriate steps to safeguard e-mails. The overall objective was to determine whether SB/SE employees are following e-mail policies and properly safeguarding taxpayer PII/tax return information contained in e-mail correspondence.

The IRS Enterprise e-Fax capability was implemented in early 2013 without encryption capability. TIGTA identified 193 unencrypted e-mails that contained taxpayer PII/tax return information that were routed to the Enterprise e-Fax servers via the e-mail system. Because the Enterprise e-Fax does not use encryption, its use could result in the interception and disclosure of taxpayer PII/tax return information.

"It is critical that the Internal Revenue Service properly protect taxpayers' personally identifiable and tax return information at all times," said J. Russell George, Treasury Inspector General for Tax Administration. "Not only is this protection required by law; it is essential if taxpayers are to maintain a high level of confidence in the IRS's mission," he added.

TIGTA made five recommendations; the IRS agreed with the recommendations and plans to take corrective actions.

Read the report.