Tax Analysts Blog

Is the IRS Protecting Taxpayer Information or State Tax Authorities?

Posted on Jun 4, 2015

Data breaches involving taxpayer information have made headlines lately. To combat this, the IRS and state tax authorities are working together to change the way taxpayer identities and accounts are verified. The goal of the project is to improve the security of taxpayer identities and detect patterns of identity refund fraud.

Any effort on the part of tax authorities is a step in the right direction. Tax authorities, both federal and state, need all the help they can get. Historically, they’ve lacked access to the most modern computer systems or equipment. I heard one state commissioner of revenue suggest that it’s not a matter of getting ahead of increasingly sophisticated cyberattacks; it’s a matter of trying to keep up. There is no question that cybersecurity is a daunting task.

Still, I can’t help but wonder whether there are steps that should (and could) have been taken before the most recent data breach, but weren’t. For example, the U.S. Government Accountability Office issued a report in March that revealed more than 50 vulnerabilities in the IRS’s information security controls.

There is also a significant amount of federal taxpayer information that is passed from the IRS to state tax authorities. Any sharing of information bears certain risks. In this case, it is that state tax authorities sufficiently protect the information they receive.

About a year ago, Tax Analysts submitted a FOIA request to the IRS seeking the Safeguard Review Reports (SRRs) it should have on file for each state. These reports outline state tax authorities’ compliance with required data security standards designed to protect the confidentiality of the data the IRS shares with states. The data security standards are set forth in IRC section 6103(p)(4), though some requirements have been augmented by other Treasury Department, IRS, or National Institute of Standards and Technology requirements. SRRs address each requirement and specify the actions state tax authorities must take to be in compliance.

To date, the IRS has provided four reports, all heavily redacted. Perhaps it is commonplace for these reports to include confidential taxpayer information, even though that would seem unnecessary in a report outlining data security standards. A recent phone call to the IRS suggested that Tax Analysts’ FOIA request would not be complete until mid-2017 and that the IRS would not reconsider the exemptions it is relying upon to redact the reports.

The process of safeguarding information at the IRS has been the subject of criticism. The Treasury Inspector General for Tax Administration issued a report dated September 15, 2014, that indicated several deficiencies with the IRS Office of Safeguards, the office having oversight responsibility for agencies that receive federal taxpayer information. The report said the office does not conduct on-site reviews of state tax authorities before the release of federal taxpayer information. It also said the office does not require and ensure that agencies conduct proper background investigations.

Although the IRS indicated it would make changes to improve the oversight of federal taxpayer information, it still seems information is shared between the IRS and state tax authorities as a matter of course and without a true determination (before information is shared) about whether a state tax authority has a secure system in place to protect the information received.

Perhaps if the IRS made that determination, it would be more willing to produce the SRRs we’ve requested. Because not sharing them just raises the question whether the IRS is stalling because the FOIA request would require the production of 50 different reports or whether it is attempting to conceal the fact that states are not adequately protecting taxpayer information.

Read Comments (1)

Steven H. Kassel EAJun 6, 2015

Data Security? IRS? Really? Really?? I'm an EA and hold Power of Attorney for
many taxpayers since I became licensed in 1993. I receive thousands of notices
each year from IRS with full Social Security Numbers. The biggest problem IS
the IRS!

Submit comment

Tax Analysts reserves the right to approve or reject any comments received here. Only comments of a substantive nature will be posted online.

By submitting this form, you accept our privacy policy.


All views expressed on these blogs are those of their individual authors and do not necessarily represent the views of Tax Analysts. Further, Tax Analysts makes no representation concerning the views expressed and does not guarantee the source, originality, accuracy, completeness or reliability of any statement, fact, information, data, finding, interpretation, or opinion presented. Tax Analysts particularly makes no representation concerning anything found on external links connected to this site.