IRS (Again) Puts Taxpayer Info At Risk

Its procedures to combat identity theft sometimes "increase the risk for an unauthorized disclosure of tax return information."


Matthew G Bisanz

On the day that Anthem announced a major security breach compromising customers' records, it may come as welcome news that the Internal Revenue Service has a program specifically intended to cooperate with law enforcement in addressing identity theft. Well…It could come as welcome news, if the program didn't sound so security breachy itself. The Treasury Inspector General for Tax Administration sampled law enforcement requests for taxpayer information received from January 3, 2013 through September 27, 2013, and found that a (un)healthy share of them should never have been processed, because they risked dangerous disclosures of poorly identified people's sensitive information to incompletely identified parties.

The inspector general's report (PDF) was issued on November 28, 2014, but published February 4 of this year. The report examined "a statistically valid sample of 194 of the 2,481" requests for information. It reveals, in part:

Our review of the 155 requests for which the IRS provided the law enforcement officer with tax return information identified 11 (7 percent) requests that should not have been processed. Based on the results of our analysis, we estimate that 141 of the 2,481 requests received during the period January 3, 2013, through September 27, 2013, may not have been rejected as required. These 11 requests included invalid and incomplete information and, as such, should have been rejected from processing.

While some relevant parts of the report are redacted (supposedly because they reveal tax return information or create a risk of circumvention of regulations and statutes), two reasons the requests should have been rejected, says the inspector general, are incomplete identification of whose information was being sought, and insufficient details about who was doing the asking. That's risky because such flawed requests "increase the risk for an unauthorized disclosure of tax return information by providing information to the wrong law enforcement officer or providing the wrong taxpayer's information."

Tracking the specifics of what has been turned over in response to requests—a task the importance of which is enhanced by the possibility the wrong data has been sent to the wrong person—is complicated by the IRS's poor recordkeeping. The IRS "did not maintain copies of the tax return information provided to law enforcement officers for 111 (72 percent) of the requests."

For the majority of requests from law enforcement agencies that were valid attempts to assist victims of identity theft, it's interesting to note that police officers have no better luck than other customers of the tax agency when it comes to having matters dealt with in a timely way. Only 42 percent of requests were processed within the required 10 business days.

The IRS, unfortunately, has a history of turning tax records into hacker bait.