Date Issued
Report Number: 2018-20-039
Report Type: Audit
Joint Report: Yes
Participating OIG: Treasury Inspector General for Tax Administration
Agency Wide: Yes (agency-wide)
Questioned Costs: $0
Funds for Better Use: $0
Recommendations
The Chief Information Officer should update Publication 4812 to require the remediation of critical- and high-risk vulnerabilities within 30 calendar days and clarify that vulnerability scans should include all devices that process and store IRS information or are connected to the PCA network.
The Chief Information Officer and the Director, Headquarters Collection, SB/SE Division, should ensure that monthly vulnerabilities of the PCAs' systems are timely communicated to the IRS. This continuous monitoring reporting will provide the IRS with a better assessment of the overall security posture of the PCAs and reduce the risk to the Private Debt Collection Program.
The Chief Information Officer and the Director, Headquarters Collection, SB/SE Division, should enforce the timely remediation of critical- and high-risk vulnerabilities within 30 calendar days or consider removing the PCA from the Program.
The Chief Information Officer and the Director, Headquarters Collection, SB/SE Division, should require PCAs' policies to be specific on the use of mobile devices connecting to the PCA network and include a mechanism for enforcing the policy.
The Director, Headquarters Collection, SB/SE Division, should provide oversight to ensure that physical security assessments of the mailrooms and mail processing sites are conducted annually for the Private Debt Collection Program.