Taxpayer Information: IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices

GAO-19-340: Published: May 9, 2019. Publicly Released: May 9, 2019.

Additional Materials:

Contact:

Jessica Lucas-Judy
(202) 512-9110
lucasjudyj@gao.gov

Office of Public Affairs
(202) 512-4800
youngc1@gao.gov

Each year, about 90% of people file their taxes using commercial software or a paid tax return preparer. If these "third parties" that handle your tax information are hacked, your personal information could be exposed—leaving you vulnerable to identity theft.

Some of these third parties may not know how to keep your information safe. Also, IRS doesn't have the same information security requirements for all software companies or for all paid preparers, so taxpayer information isn't consistently protected from hackers.

We recommended that IRS make its information security standards for third parties more consistent.

IRS tweet: Some scam emails link bogus IRS websites that look real. Be alert and stay informed.

What GAO Found

Federal law and guidance require that the Internal Revenue Service (IRS) protect the confidentiality, integrity, and availability of the sensitive financial and taxpayer information that resides on its systems. However, taxpayer information held by third-party providers—such as paid tax return preparers and tax preparation software providers—generally falls outside of these requirements, according to IRS officials.

In 2018, about 90 percent of individual taxpayers had their tax returns electronically filed by paid preparers or used tax preparation software to prepare and file their own returns.

How Individual Tax Returns Were Filed, Calendar Year 2018

IRS seeks to help safeguard electronic tax return filing for various types of third-party providers through requirements under its Authorized e-file Provider program. However, IRS’s efforts do not provide assurance that taxpayers’ information is being adequately protected.

  • Paid Preparers. IRS has not developed minimum information security requirements for the systems used by paid preparers or Authorized e-file Providers. According to IRS’s Office of Chief Counsel, IRS does not have the explicit authority to regulate security for these systems. Instead, the Internal Revenue Code gives IRS broad authority to administer and supervise the internal revenue laws. The Department of the Treasury has previously requested additional authority to regulate the competency of all paid preparers; GAO has also suggested that Congress consider granting IRS this authority. Congress has not yet provided such authority. Neither the Department of the Treasury request nor the GAO suggestion included granting IRS authority to regulate the security of paid preparers’ systems. Having such authority would enable IRS to establish minimum requirements. Further, having explicit authority to establish security standards for Authorized e-file Providers’ systems may help IRS better ensure the protection of taxpayers’ information.

  • Tax Software Providers. As part of a public-private partnership between IRS and the tax preparation industry, 15 tax software providers voluntarily adhere to a set of about 140 information security controls developed using guidance from the National Institute of Standards and Technology (NIST). However, these controls are not required, and these providers represent only about one-third of all tax software providers. Additionally, IRS established six security, privacy, and business standards for providers of software that allows individuals to prepare their own tax returns (as opposed to software that paid preparers use). However, IRS has not substantially updated these standards since 2010, and they are, at least in part, outdated. For example, IRS cites an outdated encryption standard that NIST recommends not using due to its many known weaknesses.

A key factor contributing to missed opportunities to address third-party cybersecurity is IRS’s lack of centralized leadership. Consequently, IRS is less able to ensure that third-party providers adequately protect taxpayers’ information, which may result in identity theft refund fraud.

Example of Successful Identity Theft Refund Fraud Attempt

IRS monitors compliance with its electronic tax return filing program requirements for those paid preparers who electronically file returns; however, IRS’s monitoring has a limited focus on cybersecurity issues. For example, the monitoring techniques largely focus on physical security (e.g., locked filing cabinets) rather than verifying that preparers have an information security policy consistent with NIST-recommended controls. Without effective monitoring of cybersecurity controls, IRS has limited assurance that those paid preparers’ systems have adequate controls in place to protect clients’ data.

IRS recently began collecting information on high-risk security incidents, such as hackers infiltrating third-party provider systems. Reported incidents increased from 2017 to 2018, the only years for which IRS has data. However, IRS does not have a full picture of the scope of incidents because of inconsistent reporting requirements, including no reporting requirements for paid preparers.

Reported High-Risk Security Incidents at Paid Preparers and Tax Software Providers, 2017 and 2018

                                         2017      2018
Number of security incidents              212       336
Number of taxpayer accounts affected  180,557   211,162

Source: GAO analysis of Internal Revenue Service data. | GAO-19-340

Why GAO Did This Study

Third-party providers, such as paid tax return preparers and tax preparation software providers, greatly impact IRS’s administration of the tax system. If these third parties do not properly secure taxpayers’ personal and financial information, taxpayers will be vulnerable to identity theft refund fraud and their sensitive personal information will be at risk of unauthorized disclosure. IRS estimates that it paid out at least $110 million in identity theft tax refund fraud during 2017, and at least $1.6 billion in identity theft tax refund fraud during 2016.

GAO was asked to review IRS’s efforts to track, monitor, and deter theft of taxpayer information from third parties. Among other things, this report assesses what is known about the taxpayer information security requirements for the systems used by third-party providers, IRS’s processes for monitoring compliance with these requirements, and IRS’s requirements for third-party security incident reporting.

GAO analyzed IRS’s information security requirements, standards, and guidance for third-party providers and compared them to relevant laws, regulations, and leading practices, such as NIST guidance and Standards for Internal Control in the Federal Government. GAO reviewed IRS’s monitoring procedures and its requirements and processes for third-party reporting of security incidents, and compared them to Internal Control Standards and GAO’s A Framework for Managing Fraud Risk in Federal Programs. GAO also interviewed IRS and tax industry group officials.

What GAO Recommends

GAO suggests that Congress consider providing IRS with explicit authority to establish security requirements for paid preparers’ and Authorized e-file Providers’ systems.

GAO is also making eight recommendations, including that the Commissioner of Internal Revenue

  • Develop a governance structure or other form of centralized leadership to coordinate all aspects of IRS’s efforts to protect taxpayer information while at third-party providers.
  • Require all tax software providers to adhere to prescribed information security controls.
  • Regularly review and update security standards for tax software providers.
  • Update IRS’s monitoring programs to include basic cybersecurity issues.
  • Standardize incident reporting requirements for all types of third-party providers.

IRS agreed with three recommendations, including the above recommendations to regularly review and update security standards for tax software providers, and standardize incident reporting requirements.

IRS disagreed with five recommendations—including the other three listed above—generally citing the lack of clear and explicit authority it would need to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. GAO believes that IRS can implement these recommendations without additional statutory authority.

For more information, contact Jessica Lucas-Judy at 202-512-9110 or lucasjudyj@gao.gov.

Matter for Congressional Consideration

  1. Status: Open

    Comments: In September 2020, a bill was introduced in the Senate (S.4735) that would require the Secretary of the Treasury to set cybersecurity standards for third-party tax preparation companies to better protect taxpayer information, and would require the Commissioner of Internal Revenue to organize and coordinate all aspects of the Service's efforts to protect taxpayer information received from third-party preparers. As of December 2020, there had been no additional movement on this bill.

    Matter: Congress should consider providing IRS with explicit authority to establish security requirements for the information systems of paid preparers and Authorized e-file Providers. (Matter for Consideration 1)

Recommendations for Executive Action

  1. Status: Open

    Priority recommendation

    Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said that it agreed with the intent of the recommendation, but did not agree to implement it, citing the need for additional explicit authority to establish security requirements for the information systems of paid preparers and others who electronically file. IRS reported that to effectively establish data safeguarding policies and implement strategies enforcing compliance with those policies, a centralized leadership structure requires the statutory authority that clearly communicates the authority of the IRS to do so. Without such authority, implementing the recommendation would be an inefficient, ineffective, and costly use of resources, according to IRS. We disagree that convening a governance structure or other centralized form of leadership would require additional statutory authority or be inefficient, ineffective, and costly. As discussed in the report, IRS has seven different offices across the agency working on information security-related activities that could benefit from centralized oversight and coordination, such as updating existing standards, monitoring Authorized e-file Provider program compliance, and tracking security incident reports. As of December 2020, there are no additional status updates.

    Recommendation: The Commissioner of Internal Revenue should develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS's efforts to protect taxpayer information while at third-party providers. (Recommendation 1)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  2. Status: Closed - Implemented

    Comments: In May 2019, we found that IRS had not fully incorporated the Federal Trade Commission (FTC) Safeguards Rule into its requirements for all provider types under the Authorized e-file Provider program. In August 2020, IRS updated its Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns, to include more information on the FTC Safeguards Rule, including the Commission's authority, some basic security elements, and details on where e-file providers can locate more information. The updates to this publication will help IRS ensure that all types of Authorized e-file Providers are aware of, and comply with, the FTC Safeguards Rule, which could help them better protect taxpayers' information.

    Recommendation: The Commissioner of Internal Revenue should modify the Authorized e-file Provider program's requirements to explicitly state the required elements of an information security program as provided by the FTC Safeguards Rule. (Recommendation 2)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  3. Status: Open

    Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, IRS does not plan to implement it without additional statutory authority to require Authorized e-file Provider program participants to comply with NIST Special Publication 800-53. We continue to believe that IRS can act under its existing authority: IRS has already established some information security requirements for a portion of tax software providers, namely online providers. IRS has the opportunity to extend standards to all tax software providers by incorporating the subset of NIST controls into its Authorized e-file Provider program, which would capitalize on the work it has completed with the Security Summit members. As of December 2020, there are no additional status updates.

    Recommendation: The Commissioner of Internal Revenue should require that all tax software providers that participate in the Authorized e-file Provider program follow the subset of NIST Special Publication 800-53 controls that were agreed upon by the Security Summit participants. (Recommendation 3)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  4. Status: Open

    Comments: In May 2019, GAO found IRS did not have a robust set of information security requirements for all tax software providers in the Authorized e-file Provider program. Instead, IRS had limited security requirements for the subset of tax software providers designated as online providers. In August 2020, IRS updated its Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Tax Returns. The update included six new security standards applicable to online providers in the Authorized e-file Provider program. For example, online providers are required to run weekly external network vulnerability scans of all their systems. All providers in the program are required to report security incidents to IRS once detected. However, it is unclear how IRS plans to regularly review and update these requirements. We will continue to follow up on the recommendation.

    Recommendation: The Commissioner of Internal Revenue should regularly review and update the security requirements that apply to tax software providers and other Authorized e-file Providers. (Recommendation 4)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  5. Status: Open

    Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS stated it was in agreement with the intent of this recommendation; however, it does not plan to implement it. IRS reported it does not have the statutory authority to establish policy on information security and cybersecurity issues, nor to enforce compliance if noncompliance is observed. Additionally, IRS said that the specialized technical skills required to monitor compliance with information and cybersecurity standards, should statutory authority be granted, would require additional funding to meet those monitoring needs. However, as we reported, IRS already monitors physical aspects of information security, which goes beyond existing Authorized e-file Provider program requirements. Since most individuals now file tax returns electronically, having checks for physical security without comparable checks for cybersecurity does not address current risks, as cyber criminals and fraudsters are increasingly attacking third-party providers, as IRS has noted. We believe that incorporating some basic cybersecurity monitoring into the visits would provide IRS the opportunity to help inform the most vulnerable third-party providers of additional guidance and resources. As of December 2020, there are no additional status updates.

    Recommendation: The Commissioner of Internal Revenue should update IRS's monitoring programs for electronic return originators to include techniques to monitor basic information security and cybersecurity issues. Further, IRS should make the appropriate revisions to internal guidance, job aids, and staff training, as necessary. (Recommendation 5)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  6. Status: Open

    Comments: In its initial response to our draft report, IRS disagreed with this recommendation. In November 2019, IRS said it agreed with the intent of this recommendation; however, it does not plan to implement it. IRS stated that absent statutory authority and funding, an assessment of the different monitoring approaches is moot. We disagree with this conclusion. As discussed in the report, IRS does not systematically monitor the existing security requirements for online providers, nor does it conduct information security or cybersecurity monitoring for all types of Authorized e-file Providers. We believe that IRS could conduct a risk assessment of its current monitoring program within existing statutory authority and make the changes needed to provide better assurance that all types of providers receive some level of oversight and that IRS addresses the greatest risk areas appropriately. As of December 2020, there are no additional status updates.

    Recommendation: The Commissioner of Internal Revenue should conduct a risk assessment to determine whether different monitoring approaches are appropriate for all of the provider types in the IRS's Authorized e-file Provider program. If changes are needed, IRS should make appropriate revisions to the monitoring program, internal guidance, job aids, and staff training, as necessary. (Recommendation 6)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  7. Status: Closed - Implemented

    Comments: In May 2019, GAO found that IRS did not have comprehensive information about the security incidents because, in part, its reporting requirements do not apply to all third-party providers. In August 2020, IRS updated Publication 1345: Handbook for Authorized IRS e-file Providers of Individual Tax Returns to include a standardized reporting requirement for all types of Authorized e-file providers. Among the requirements are to include specifics on the timing of the incident, number of taxpayers affected, and whether taxpayer information was disclosed. The addition of a clear and standardized reporting requirement for all types of providers will help IRS have more assurance that third-party providers consistently report their security incidents in a timely manner. This in turn will help IRS better understand the size and scope of information security incidents, which it uses to protect compromised individual taxpayer accounts and prevent identity theft refund fraud.

    Recommendation: The Commissioner of Internal Revenue should standardize the incident reporting requirements for all types of Authorized e-file Providers. (Recommendation 7)

    Agency Affected: Department of the Treasury: Internal Revenue Service

  8. Status: Open

    Comments: In May 2019, GAO found that IRS had not documented processes for third-party provider security incident reporting or data storage. IRS reported that on January 1, 2018, Stakeholder Liaison began using the Return Preparer Database for reporting and storing Tax Professional Data Breach incident information. Given that IRS reported these changes occurred during our review and prior to issuance of the report, we requested additional information on changes made to address this recommendation. We will continue to follow up on the status of this recommendation.

    Recommendation: The Commissioner of Internal Revenue should document intake, storage, and sharing of the security incident data across IRS offices. (Recommendation 8)

    Agency Affected: Department of the Treasury: Internal Revenue Service
