Data breaches involving taxpayer information have made headlines lately. To combat this, the IRS and state tax authorities are working together to change the way taxpayer identities and accounts are verified. The goal of the project is to improve the security of taxpayer identities and detect patterns of identity refund fraud.
Any effort on the part of tax authorities is a step in the right direction. Tax authorities, both federal and state, need all the help they can get. Historically, they’ve lacked access to the most modern computer systems or equipment. I heard one state commissioner of revenue suggest that it’s not a matter of getting ahead of increasingly sophisticated cyberattacks; it’s a matter of trying to keep up. There is no question that cybersecurity is a daunting task.
Still, I can’t help but wonder whether there are steps that should (and could) have been taken before the most recent data breach, but weren’t. For example, the U.S. Government Accountability Office issued a report in March that revealed more than 50 vulnerabilities in the IRS’s information security controls.
There is also a significant amount of federal taxpayer information that is passed from the IRS to state tax authorities. Any sharing of information bears certain risks. In this case, the risk lies in whether state tax authorities sufficiently protect the information they receive.
About a year ago, Tax Analysts submitted a FOIA request to the IRS seeking the Safeguard Review Reports (SRRs) it should have on file for each state. These reports outline state tax authorities’ compliance with required data security standards designed to protect the confidentiality of the data the IRS shares with states. The data security standards are set forth in IRC section 6103(p)(4), though some requirements have been augmented by other Treasury Department, IRS, or National Institute of Standards and Technology requirements. SRRs address each requirement and specify the actions state tax authorities must take to be in compliance.
To date, the IRS has provided four reports, all heavily redacted. Perhaps it is commonplace for these reports to include confidential taxpayer information, even though that would seem unnecessary in a report outlining data security standards. A recent phone call to the IRS suggested that Tax Analysts’ FOIA request would not be complete until mid-2017 and that the IRS would not reconsider the exemptions it is relying upon to redact the reports.
The process of safeguarding information at the IRS has been the subject of criticism. The Treasury Inspector General for Tax Administration issued a report dated September 15, 2014, that indicated several deficiencies with the IRS Office of Safeguards, the office having oversight responsibility for agencies that receive federal taxpayer information. The report said the office does not conduct on-site reviews of state tax authorities before the release of federal taxpayer information. It also said the office does not require and ensure that agencies conduct proper background investigations.
Although the IRS indicated it would make changes to improve the oversight of federal taxpayer information, it still seems information is shared between the IRS and state tax authorities as a matter of course and without a true determination (before information is shared) about whether a state tax authority has a secure system in place to protect the information received.
Perhaps if the IRS made that determination, it would be more willing to produce the SRRs we’ve requested. Not sharing them just raises the question of whether the IRS is stalling because the FOIA request would require the production of 50 different reports or whether it is attempting to conceal the fact that states are not adequately protecting taxpayer information.