The GAO Makes Recommendations to Improve Security of Taxpayer Information
The U.S. Internal Revenue Service (IRS) is required by federal law to protect the security of the sensitive taxpayer information it holds on its systems. What it does not do, and currently believes it cannot do, is protect the information that is held by third-party tax preparers before it reaches the IRS. During 2018, 80.3 million tax returns were prepared and filed electronically in this manner, with a further 55.2 million prepared via tax preparation software.
This not an idle concern. According to IRS figures, it detected and prevented at least $11.7 billion fraud attempts, but still paid out at least $0.1 billion to fraudsters during 2017.
The threat is twofold. Criminals can either compromise the systems of the tax preparer and steal the users’ personal information provided, or can compromise the tax software and have personal information sent to them. Using that information, a fraudster is able to file a fraudulent return claiming a refund with the IRS.
The IRS already has several initiatives aimed at preventing taxpayer identity fraud. In 2015 it established the Security Summit, a public-private partnership with representatives from the IRS, state tax administrators, and industry partners including the software industry, tax professional associations, and payroll and tax financial product processors.
In January 2017, working with the Security Summit, the IRS established the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (ISAC) for a more formal home for information sharing between the IRS, states, and the industry. It streamlined a rapid response team established for the 2016 filing season to work more closely with the ISAC.
The IRS also seeks to safeguard taxpayer information by providing security requirements for various types of third-party providers in two publications: Revenue Procedure 2007-40, and Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns. The latter specifically requires third-party providers to have security controls in place to prevent any unauthorized access to taxpayer information. However, the IRS does not believe it has the power to enforce its own requirements on these third parties.
The U.S. Government Accountability Office (GAO) has examined the current situation, found it still wanting, and has published an open letter (PDF, actually a detailed report) addressed to Kevin Brady, ranking member for the Committee on Ways and Means, on what it believes should be done. It has eight recommendations. These start with the IRS establishing a steering committee to coordinate all aspects of protecting taxpayer activity. It then recommends that third-party providers should be informed of the required elements of an information security program as provided by the FTC Safeguards Rule; and that they be required to follow a sub-set of NIST SP800-53 as already agreed by the Security Summit participants.
The security requirements that apply to providers should be regularly reviewed and updated. The IRS should update its own monitoring systems for providers to include techniques to monitor basic information security and cybersecurity issues. It should conduct a risk assessment to determine whether different monitoring approaches are appropriate, and update accordingly.
The IRS should also standardize the incident reporting requirements for the providers, and should document the intake, storage and sharing of incident data across IRS offices.
A draft of the report was provided to the Commissioner of Internal Revenue prior to it being sent to Kevin Brady. The IRS accepted three of the recommendations: to review and update the security requirements that apply to providers; to standardize incident reporting; and to share incident data across IRS offices.
It disagreed, however, over the remaining five recommendations, “generally citing for all of them,” says the GAO report, “the lack of clear and explicit authority it would need to establish security requirements for the information systems of paid preparers and others who electronically file returns.” In general, the IRS believes “it would require statutory authority that clearly communicates its authority to establish security requirements for the information systems of paid preparers and others who electronically file tax returns.”
The GAO disagrees, and believes that IRS can implement its recommendations without additional statutory authority. By sending the report to the ranking member for the Committee on Ways and Means, it is seeking a referee for its proposals. What is clear — and confirmed by the almost $1 billion paid out to fraudsters in 2017 — personal taxpayer information is not currently sufficiently secure.