Title: Protecting Taxpayer Data from Unauthorized Access by IRS
Employees

Description: Millions of Americans file tax returns each year that
include personal and financial information like their incomes,
addresses, mortgage information. Among these filings are those for
celebrities and politicians, as well as others whose financial records
might be of interest to the public. But taxpayer records, no matter who
you are, are confidential. So why do we sometimes hear about these
records in the news? We find out more from GAO's Jessica Lucas-Judy and
Jennifer Franks.

Related GAO Work: GAO-22-105872, Security of Taxpayer Information:
Characteristics of IRS Employee Unauthorized Access and Disclosure Cases

Released: May 2022

[Jessica Lucas-Judy:] It's very important that taxpayers feel confident
that personal and financial information is properly safeguarded.

[Music]
[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report--your source for
news and information from the U.S. Government Accountability Office. I'm
your host, Holly Hobbs.

Millions of Americans file tax returns each year that include personal
and financial information like their incomes, addresses, mortgage
information, how many kids they have, and more. Among these filings are
those for celebrities and politicians, as well as others whose financial
records might be of interest to the public. But taxpayer records, no
matter who you are, are confidential. So why do we sometimes hear about
these records in the news? Today, we'll talk with two GAO
directors--Jessica Lucas-Judy, an expert on tax policy, and Jennifer
Franks, an expert on data protection--about their new report that looks
at unauthorized access and sharing of taxpayer records. Why does it
happen and what's being done about it? Thanks for joining us.

[Jennifer Franks:] Thanks for having me, Holly.

[Jessica Lucas-Judy:] Thanks for having me.

[Holly Hobbs:] So Jessica, this information is tempting, right? Who all
at IRS has access to taxpayer records, and what's stopping them from
accessing or sharing this information?

[Jessica Lucas-Judy:] Well, first, I want to make sure everybody
understands what we mean when we say taxpayer records or federal tax
information. It's federal tax returns and any return information derived
from those returns that's in IRS's possession or IRS's control, or it
could be obtained through some other secondary source like the Social
Security Administration or someone acting on IRS's behalf. So it could
be, for example, your W-2 or your Form 1040, and things like whether
returns have been filed or someone's under examination, ah they're
subject to investigation or, you know, they have collection activities
against them. So it's all very important, very sensitive information
that needs to be protected. Now, IRS employees are responsible for
accessing tax returns or return information only when they need it, only
when it's required to complete their official IRS duties as assigned.
They can't just access tax records from their children, for example, or
their relatives, their neighbors, celebrities, or another organization
or an individual that they work with. So all of that information is
protected.

[Holly Hobbs:] And do we know how often unauthorized access by IRS
employees occurs?

[Jessica Lucas-Judy:] So what we looked at is about a ten-year period
between fiscal years 2012 and 2021. During that time, IRS investigated
about 1,700 cases of what they call UNAX. So it's willful, unauthorized
access of taxpayer information. So of those cases, they closed 462--so
that's 27%--that were determined to be substantiated violations. That's
where IRS determined that the facts support that the employee being
investigated committed a violation or unauthorized disclosure. Then
there was another 50%--850 or so cases--that were unsubstantiated, where
IRS investigated and determined there was no proof that a violation
occurred. And then the remaining 22%--or about 380 cases--were unresolved.
And those were cases where IRS closed them because the employee resigned
or retired or otherwise separated from the agency prior to the case
being adjudicated.

[Holly Hobbs:] So, how did IRS detect unauthorized access and catch
people doing it? 

[Jessica Lucas-Judy:] The Treasury Inspector General for Tax
Administration, or TIGTA, investigates IRS programs and operations. And
it's TIGTA's Office of Investigations that ultimately evaluates cases to
determine whether UNAX or some other unauthorized disclosure incident
warrants an investigation. Now TIGTA can find out about UNAX or
unauthorized disclosure incidents when somebody reports an incident. But
TIGTA also does the monitoring or analysis of regular IRS reports. So
one of those would be IRS's cybersecurity office. That office analyzes
security reports obtained from information systems across the agency
that display employees' accesses of federal tax information. So that
information then can get reported to TIGTA and TIGTA can look and see if
there seems to be something that needs to be investigated.

[Holly Hobbs:] And do we know anything about what the people who have
been caught have in common?

[Jessica Lucas-Judy:] So UNAX violations during the ten-year period that
we looked at originated within ten different IRS organizations, or ten
different offices, over that ten-year period. But it was primarily in
the Wage and Investment Division and the Small Business and
Self-employed Division where you saw the majority of UNAX violations.
When we talked with IRS, they said that W&I in combination with the
Small Business and Self-employed Division processed nearly all of the
transactions that affect taxpayer accounts. And that would include
things like refund payments or a notice of balance due. So they're
having a lot of interactions with taxpayer data, and that's where you
would expect to see perhaps the largest number of UNAX violations. In
addition, the majority of the disclosure violations during that time
period were by non-managers. So managers themselves accounted for less
than 10% of the UNAX violations and less than 15% of unauthorized
disclosure violations.

[Holly Hobbs:] So then what happens when an IRS employee gets caught
accessing somebody's records without authorization?

[Jessica Lucas-Judy:] IRS policy generally requires removal of an IRS
employee to be proposed, at least, for all UNAX violations. More than
82% of the UNAX violations during the period that we looked at resulted
in the offending employees' suspension or resignation or removal. And
similarly, for cases where IRS found employees committed both UNAX and
unauthorized disclosure, all of those cases resulted in the offending
employees' suspension, resignation or removal. I want to emphasize also
that employees who are convicted of criminal UNAX or unauthorized
disclosure violations could face jail time as well as fines.

[Music]
[Holly Hobbs:] So Jessica just told us that IRS has taken steps to
identify and investigate incidents of willful, unauthorized access to
taxpayer records and unauthorized disclosure of these records. And that
if caught, violators could lose their jobs and potentially face jail
time. Jennifer, you're an expert in data protection, and for this
report you looked at some of the bigger picture issues here. What did
you find?  

[Jennifer Franks:] Yes, there is a bigger picture. IRS's struggles to
protect sensitive information are not unique to their agency. Both the
federal government and the private sector have really struggled to
protect privacy and sensitive data. And the increasing number of
individuals affected by various data breaches has drawn some concerns
that personally identifiable information is just not adequately being
protected across the various federal agencies. We've even had some
recent reviews at GAO, where we're looking at agencies' practices to
protect their sensitive data. And of course, we've had some weaknesses
identified and even made some recommendations. But it wasn't just to the
IRS. We make recommendations to agencies like the Department of
Education and even the Department of Housing and Urban Development.

[Holly Hobbs:] So what is the IRS doing to address these breaches?

[Jennifer Franks:] So the IRS has two key offices that oversee policies
and practices that protect sensitive information. And this includes our
federal tax information. And one of the key offices is the IT and
Cybersecurity Office. And they are responsible for protecting the
agency's systems and data from both internal and external cyber-related
threats. And then they have an established second office. And this
office is called the Privacy and Government Liaison and Disclosure
Office. And they do things like develop policies and standards related
to disclosure of the sensitive information. And then they create
agency-wide privacy and incident training and communication materials.
So, for example, given the majority of employees are still under maximum
telework procedures, the office could provide employees with cyber-smart
notices about just being aware of their home surroundings, such as what
smart devices, with built-in digital assistants, could be recording and
listening to their conversations.

[Holly Hobbs:] And last question, for the both of you--what's the bottom
line of this report? Jessica, maybe you could start.

[Jessica Lucas-Judy:] IRS is a large entity and it handles a lot of tax
information. What we found is that only a small number of cases are
substantiated every year. However, our tax system is based largely on
voluntary compliance. And it's very important, for that reason, that
taxpayers feel confident that the personal and financial information
that they're providing to the IRS is properly safeguarded. We're going
to have a report on our assessment of IRS's work, looking at this very
issue and the extent to which IRS is following up on its tax safeguards
for protecting federal tax information.

[Holly Hobbs:] And Jennifer? 

[Jennifer Franks:] Well, while over the last ten years, violations have
varied in quantity, the agency has indeed established processes for
addressing the number of incidents such as disciplinary actions for both
their employees and the contractors.

[Holly Hobbs:] That was Jessica Lucas-Judy and Jennifer Franks talking
about GAO's recent review of unauthorized access to taxpayer records.
Thanks for your time, ladies.

[Jessica Lucas-Judy:] Thanks very much for having me.

[Jennifer Franks:] Thanks for having me, Holly.

[Holly Hobbs:] And thank you for listening to The Watchdog Report. To
hear more podcasts, subscribe to us on Apple Podcasts, Spotify or
wherever you listen. And make sure to leave a rating and review to let
others know about the work we're doing. For more from the congressional
watchdog, the U.S. Government Accountability Office, visit us at
GAO.gov.