Title: Protecting Taxpayer Data from Unauthorized Access by IRS Employees

Description: Millions of Americans file tax returns each year that include personal and financial information like their incomes, addresses, mortgage information. Among these filings are those for celebrities and politicians, as well as others whose financial records might be of interest to the public. But taxpayer records, no matter who you are, are confidential. So why do we sometimes hear about these records in the news? We find out more from GAO's Jessica Lucas-Judy and Jennifer Franks.

Related GAO Work: GAO-22-105872, Security of Taxpayer Information: Characteristics of IRS Employee Unauthorized Access and Disclosure Cases

Released: May 2022

[Jessica Lucas-Judy:] It's very important that taxpayers feel confident that personal and financial information is properly safeguarded.

[Music]

[Holly Hobbs:] Hi and welcome to GAO's Watchdog Report--your source for news and information from the U.S. Government Accountability Office. I'm your host, Holly Hobbs. Millions of Americans file tax returns each year that include personal and financial information like their incomes, addresses, mortgage information, how many kids they have, and more. Among these filings are those for celebrities and politicians, as well as others whose financial records might be of interest to the public. But taxpayer records, no matter who you are, are confidential. So why do we sometimes hear about these records in the news? Today, we'll talk with two GAO directors--Jessica Lucas-Judy, an expert on tax policy, and Jennifer Franks, an expert on data protection--about their new report that looks at unauthorized access and sharing of taxpayer records. Why does it happen and what's being done about it? Thanks for joining us.

[Jennifer Franks:] Thanks for having me, Holly.

[Jessica Lucas-Judy:] Thanks for having me.

[Holly Hobbs:] So Jessica, this information is tempting right?
Who all at IRS has access to taxpayer records, and what's stopping them from accessing or sharing this information?

[Jessica Lucas-Judy:] Well, first, I want to make sure everybody understands what we mean when we say taxpayer records or federal tax information. It's federal tax returns and any return information derived from those returns that's in IRS's possession or IRS's control, or it could be obtained through some other secondary source like the Social Security Administration or someone acting on IRS's behalf. So it could be, for example, your W-2 or your form 1040, and things like whether returns have been filed or someone's under examination, ah they're subject to investigation or, you know, they have collection activities against them. So it's all very important, very sensitive information that needs to be protected. Now, IRS employees are responsible for accessing tax returns or return information only when they need it, only when it's required to complete their official IRS duties as assigned. They can't just access tax records from their children, for example, or their relatives, their neighbors, celebrities, or another organization or an individual that they work with. So all of that information is protected.

[Holly Hobbs:] And do we know how often unauthorized access by IRS employees occurs?

[Jessica Lucas-Judy:] So what we looked at is about a ten year period between fiscal years 2012 and 2021. During that time, IRS investigated about 1,700 cases of what they call UNAX. So it's willful, unauthorized access of taxpayer information. So of those cases, they closed 462--so that's 27%--that were determined to be substantiated violations. That's where IRS determined that the facts support that the employee being investigated committed a violation or unauthorized disclosure. Then there was another 50%--850 or so cases--that were unsubstantiated, where IRS investigated and determined there was no proof that a violation occurred.
And then the remaining 22%--or about 380 cases--were unresolved. And those were cases where IRS closed them because the employee resigned or retired or otherwise separated from the agency prior to the case being adjudicated.

[Holly Hobbs:] So, how did IRS detect unauthorized access and catch people doing it?

[Jessica Lucas-Judy:] The Treasury Inspector General for Tax Administrations, or TIGTA, investigates IRS programs and operations. And it's TIGTA's Office of Investigations that ultimately evaluates cases to determine whether UNAX or some other unauthorized disclosure incident warrants an investigation. Now TIGTA can find out about UNAX or unauthorized disclosure incidents when somebody reports an incident. But TIGTA also does the monitoring or analysis of regular IRS reports. So one of those would be IRS's cybersecurity office. That office analyzes security reports obtained from information systems across the agency that display employees' accesses of federal tax information. So that information then can get reported to TIGTA and TIGTA can look and see if there seems to be something that needs to be investigated.

[Holly Hobbs:] And do we know anything about what the people who have been caught have in common?

[Jessica Lucas-Judy:] So UNAX violations during the ten year period that we looked at originated within ten different IRS organizations, or ten different offices, over that ten year period. But it was primarily in the Wage and Investment Division and the Small Business and Self-employed Division where you saw the majority of UNAX violations. When we talked with IRS, they said that W&I in combination with the Small Business and Self-employed Division processed nearly all of the transactions that affect taxpayer accounts. And that would include things like a refund payments or a notice of balance due. So they're having a lot of interactions with taxpayer data, and that's where you would expect to see perhaps the largest number of UNAX violations.
In addition, the majority of the disclosure violations during that time period were by non-managers. So managers themselves accounted for less than 10% of the UNAX violations and less than 15% of unauthorized disclosure violations.

[Holly Hobbs:] So then what happens when an IRS employee gets caught accessing somebody's records without authorization?

[Jessica Lucas-Judy:] IRS policy generally requires removal of an IRS employee to be proposed, at least, for all UNAX violations. More than 82% of the UNAX violations during the period that we looked at resulted in the offending employees' suspension or resignation or removal. And similarly, for cases where IRS found employees committed both UNAX and unauthorized disclosure, all of those cases resulted in the offending employees' suspension, resignation or removal. I want to emphasize also that employees who are convicted of criminal UNAX or unauthorized disclosure violations could face jail time as well as fines.

[Music]

[Holly Hobbs:] So Jessica just told us that IRS has taken steps to identify and investigate incidents of willful, unauthorized access to taxpayer records and unauthorized disclosure of these records. And that if caught, violators could lose their jobs and potentially face jail time. Jennifer, you're an expert in data protection, and for this report you looked at some of the bigger picture issues here. What did you find?

[Jennifer Franks:] Yes, there is a bigger picture. IRS's struggles to protect sensitive information are not unique to their agency. Both the federal government and the private sector have really struggled to protect privacy and sensitive data. And the increasing number of individuals affected by various data breaches has drawn some concerns that personally identifiable information is just not adequately being protected across the various federal agencies. We've even had some recent reviews at GAO, where we're looking at agencies' practices to protect their sensitive data.
And of course, we've had some weaknesses identified and even made some recommendations. But it wasn't just to the IRS. We make recommendations to agencies like the Department of Education and even the Department of Housing and Urban Development.

[Holly Hobbs:] So what is the IRS doing to address these breaches?

[Jennifer Franks:] So the IRS has two key offices that oversee policies and practices that protect sensitive information. And this includes our federal tax information. And one of the key offices is the IT and Cybersecurity Office. And they are responsible for protecting the agency's systems and data from both internal and external cyber-related threats. And then they have an established second office. And this office is called the Privacy and Government Liaison and Disclosure Office. And they do things like develop policies and standards related to disclosure of the sensitive information. And then they create agency-wide privacy and incident training and communication materials. So, for example, given the majority of employees are still under maximum telework procedures, the office could provide employees with cyber-smart notices about just being aware of their home surroundings, such as what smart devices, with built-in digital assistants, could be recording and listening to their conversations.

[Holly Hobbs:] And last question, for the both of you-- what's the bottom line of this report? Jessica, maybe you could start.

[Jessica Lucas-Judy:] IRS is a large entity and it handles a lot of tax information. What we found is that only a small number of cases are substantiated every year. However, our tax system is based largely on voluntary compliance. And it's very important, for that reason, that taxpayers feel confident that the personal and financial information that they're providing to the IRS is properly safeguarded.
We're going to have a report on our assessment of IRS's work, looking at this very issue and the extent to which IRS is following up on its tax safeguards for protecting federal tax information.

[Holly Hobbs:] And Jennifer?

[Jennifer Franks:] Well, while over the last ten years, violations have varied in quantity, the agency has indeed established processes for addressing the number of incidents such as disciplinary actions for both their employees and the contractors.

[Holly Hobbs:] That was Jessica Lucas-Judy and Jennifer Franks talking about GAO's recent review of unauthorized access to taxpayer records. Thanks for your time ladies.

[Jessica Lucas-Judy:] Thanks very much for having me.

[Jennifer Franks:] Thanks for having me, Holly.

[Holly Hobbs:] And thank you for listening to The Watchdog Report. To hear more podcasts, subscribe to us on Apple Podcasts, Spotify or wherever you listen. And make sure to leave a rating and review to let others know about the work we're doing. For more from the congressional watchdog, the U.S. Government Accountability Office, visit us at GAO.gov.