July 6, 2010

TIGTA - 2010-29
David Barnes
David.Barnes@tigta.treas.gov
TIGTA-PAO@tigta.treas.gov
(202) 622-6500

TIGTA Report: Inadequate Controls on IRS Contractors Place Taxpayer Data At Risk for Unauthorized Access or Disclosure

WASHINGTON - Internal Revenue Service (IRS) procedures do not identify all contractors who process, store or house confidential taxpayer information at their facilities, thereby placing such data at risk for unauthorized access or disclosure, according to a report released today by the Treasury Inspector General for Tax Administration (TIGTA).

The IRS regularly provides taxpayer data to contractors who store and process the data at contractor facilities outside of IRS offices. While sharing this information is necessary for contractors to support the IRS's mission of tax administration, contractors must comply with security control requirements including annual security reviews. The IRS, which is ultimately responsible for identifying and regulating all contractors who have data access, does not always ensure that contractors are complying with IRS security policies and procedures and protecting taxpayer information, according to the report.

In its review, TIGTA also found that security weaknesses identified by the IRS at contractor facilities were not corrected in a timely manner. TIGTA's review of eight contractor site visits by IRS officials found security weaknesses in all eight facilities, and the IRS was unable to provide monitoring documents for seven of these facilities.

"The IRS needs to improve its current processes and controls to identify all contractors who process, manage, or store IRS taxpayer data at contractor facilities and to ensure timely corrective actions are taken to correct security weaknesses," said J. Russell George, the Treasury Inspector General for Tax Administration. "It is imperative that taxpayer data be protected from unauthorized access or disclosure at all times."

TIGTA recommended that the IRS implement a better system to identify contractors receiving and using IRS taxpayer data at contractor facilities and that the IRS improve its system for monitoring and identifying security weaknesses at such facilities, to ensure the weaknesses' timely correction.

In their response to the report, IRS management agreed with TIGTA's recommendations and stated that they plan to take appropriate corrective actions.