Date Issued
Report Number
2017-30-010
Report Type
Audit
Joint Report
Yes
Participating OIG
Treasury Inspector General for Tax Administration
Agency Wide
Yes (agency-wide)
Questioned Costs
$0
Funds for Better Use
$0
Recommendations
The Deputy Commissioners for Operations Support and Services and Enforcement should determine the feasibility of implementing a systemic solution to help ensure that e-mails with PII/tax return information are encrypted. Until such a solution is identified, consider requiring the default Microsoft Outlook setting to encrypt e-mail messages for compliance and enforcement employees who routinely send taxpayer information by e-mail and other employees who routinely send employee PII/tax return information, e.g., human resource personnel.
The Deputy Commissioners for Operations Support and Services and Enforcement should provide additional training and issue a memorandum to remind employees that all internal and external e-mail with taxpayer PII/tax return information must be encrypted and include that: External e-mail with taxpayers' PII/tax return information requires written approval from the IT function Office of Cybersecurity. Employees sending their own PII, which is not related to their official duties, must encrypt the document containing the PII.
The Deputy Commissioners for Operations Support and Services and Enforcement should ensure that managers are aware of the violations for sending unencrypted e-mails with taxpayer PII/tax return information and that they take appropriate disciplinary action when violations occur.
The Chief Technology Officer should update the Standards for "Using Email" Internal Revenue Manual (IRM) to include that no officer or employee of the IRS may use a personal e-mail account to conduct any official business of the Government. Additionally, provide training and issue a memorandum to instruct employees that they cannot send any work-related e-mails to their personal e-mail accounts.
The Chief Technology Officer should update the EEFax system to allow encrypted messages to be sent to the EEFax system server.