SOME TAXPAYERS WERE NOTAPPROPRIATELY NOTIFIED WHENTHEIR PERSONALLY IDENTIFIABLEINFORMATION WAS INADVERTENTLYDISCLOSED
Final Report issued on May 24, 2011
Highlights of Reference Number: 2011-40-054to the Internal Revenue Service DeputyCommissioner for Operations Support.
IMPACT ON TAXPAYERS
Taxpayers need to be assured that the InternalRevenue Service (IRS) will promptly notify themof inadvertent disclosures of their PersonallyIdentifiable Information so they can take thenecessary steps to protect themselves fromidentity theft or other harm. The IRS has manyprocesses and regulations that protect taxpayerinformation, but there are times when taxpayerinformation is inadvertently disclosed.
WHY TIGTA DID THE AUDIT
More than 142 million taxpayers entrust the IRSwith sensitive financial and personal data. Theobjective of this audit was to determine whetherthe IRS is making appropriate decisions topromptly and properly notify taxpayers ofinadvertent disclosures of their tax information.
WHAT TIGTA FOUND
TIGTA reviewed a statistical sample of 98 casefiles of incidents reported as inadvertentdisclosures in Fiscal Years 2009 and 2010 andfound not all taxpayers were properly and/ortimely notified of disclosures.
Five (5 percent) of 98 incidents were closedand taxpayers were not properly notified ofthe disclosures because IRS employeesreporting the disclosures did not documentthe identity of the individuals whosePersonally Identifiable Information had beendisclosed.
10 (10 percent) of 98 incidents were closedand taxpayers were not properly notified ofthe disclosures because only tax accountinformation was disclosed and IRSprocedures did not include tax accountinformation in its definition of PersonallyIdentifiable Information.
20 (74 percent) of the 27 incidents in the98 incidents sampled that required taxpayernotification were not sent timely. TIGTAconsidered notifications timely if taxpayerswere sent notifications within 45 days of thedate the incident was reported to oridentified by the IRS. The notification lettersin the sample averaged 86 days.In addition, TIGTA reconciliations performedon the four systems the IRS uses to capturedisclosure incident-related informationidentified 815 missing incidents.
WHAT TIGTA RECOMMENDED
TIGTA recommended that the IRS 1) educateemployees on the importance of obtainingsufficient information on individuals whosePersonally Identifiable Information wasdisclosed, 2) revise procedures to include taxaccount information in the Personally IdentifiableInformation definition and to forward disclosureincidents to the IRS’s Identity Theft Program forvictims of identity theft, 3) implement atimeliness measure, and 4) implement sufficientcontrols to ensure that all incidents areaccurately documented and considered.In the response to the report, the IRS agreed tothe recommendations. The IRS hasimplemented a protection campaign to educateemployees on data protection and plans to studywhether tax account information should beincluded in the definition of PersonallyIdentifiable Information. In addition, the IRSplans to strengthen procedures to addressidentity theft and expand current time metrics toinclude the elapsed time between initial incidentreporting and taxpayer notifications date. Itplans to consolidate all systems data for themost serious incidents.