Confidentiality of Tax Data:
IRS' Implementation of the Taxpayer Browsing Protection Act
GGD-99-43, Mar 31, 1999
Pursuant to a congressional request, GAO provided information on the Internal Revenue Service's (IRS) implementation of the Taxpayer Browsing Protection Act, focusing on: (1) actions IRS has taken to implement the law; and (2) the number of potential and proven incidents of unauthorized access by IRS employees that IRS has identified since enactment of the law, as well as penalties imposed in cases where unauthorized access was proven.
GAO noted that: (1) the IRS has two approaches for implementing the law; (2) over the long term, IRS believes that modernizing its core automated systems offers the best means to prevent and detect unauthorized access to taxpayer data; (3) according to IRS, modernization will: (a) allow it to restrict employees' access to only those taxpayer records that they have a specific work-related reason to look at; and (b) enable it to detect unauthorized accesses almost as soon as they happen; (4) it will be several years, however, before this modernization becomes a reality; (5) in the meantime, IRS has taken several other steps directed at deterring, preventing, and detecting unauthorized access and ensuring that consistent disciplinary action is taken when unauthorized access is proven; (6) between October 1, 1997, and November 30, 1998, the Office of the Chief Inspector identified 5,468 potential instances of unauthorized access and completed preliminary investigative work on 4,392 of those leads; (7) of those 4,392 leads, 338 were determined to warrant further investigation; (8) many of these 338 cases were still under investigation or adjudication as of January 25, 1999; (9) using data provided by IRS, GAO identified 36 cases for which investigation and adjudication had been completed; (10) of those 36 cases, 15 involved an IRS determination that IRS employees had intentionally accessed taxpayer data without authorization; (11) in the other 21 cases, IRS determined that either there was no unauthorized access or the access was accidental; (12) according to IRS, employees involved in the 15 cases of intentional unauthorized access either resigned in lieu of termination or were terminated; (13) according to IRS data, proven cases of unauthorized access that occurred after enactment of Public Law 105-35 have generally been referred to U.S. Attorneys for prosecution, and these U.S. Attorneys have, with one exception, declined to prosecute; (14) according to IRS, the one case that was accepted for prosecution was still open as of February 2, 1999, but the employee had been removed from the agency; and (15) as required by the law, IRS notified the three taxpayers whose data the employee had accessed.