IRS Security of Taxpayer Information: Characteristics of Employee Unauthorized Access and Disclosure Cases
Fast Facts
Federal tax returns include confidential information (such as Social Security numbers). IRS employees are responsible for accessing federal tax information only when it is required for their job. If they access federal tax information otherwise, they could be removed from their job and face criminal and civil penalties.
We found that, between FYs 2012 and 2021, the IRS completed 1,694 investigations into the willful unauthorized access of tax data by employees—and 27% were found to be violations. Most of these violations resulted in the offending employee's suspension, resignation, or removal.
Highlights
What GAO Found
Federal tax information consists of federal tax returns and return information and is covered by the confidentiality protections of the Internal Revenue Code. Return information can include information extracted from a return, including names of dependents or the location of a business. A number of offices at the Internal Revenue Service (IRS) share responsibilities for overseeing policies and practices that protect federal tax information. IRS employees are responsible for accessing federal tax information only when it is required to complete their official duties. IRS employees also play a role in protecting the confidentiality and privacy of taxpayer information to which they have access.
If IRS employees access tax information that (1) is not a part of their assigned duties, or (2) is otherwise prohibited, then this access is unauthorized. Unauthorized access can either be considered inadvertent or willful. UNAX is the willful unauthorized access, attempted access, or inspection of tax returns or return information. Similarly, disclosures of tax information that are not authorized can be considered inadvertent or willful.
The Treasury Inspector General for Tax Administration (TIGTA) investigates suspected UNAX or unauthorized disclosure incidents to determine whether the incident can be substantiated. TIGTA becomes aware of UNAX and unauthorized disclosure incidents when someone reports an incident or through its own analysis of IRS reports, both of which can originate from a number of sources. If TIGTA determines there is sufficient evidence to suggest an UNAX or unauthorized disclosure violation occurred, it refers the case to the Department of Justice to determine if it would like to pursue prosecution. TIGTA also provides IRS with the information it collected during its investigation. IRS employees are subject to criminal penalties for UNAX and unauthorized disclosure violations, including imprisonment or fines.
IRS investigates, and, as appropriate, determines the penalty for IRS employees who committed UNAX and unauthorized disclosure violations. For cases that IRS determines warrant disciplinary action, the employee's management team determines the appropriate penalties. IRS policy generally requires removal of the IRS employee to be proposed for all UNAX violations. IRS policy also states that removal is an appropriate penalty for willful unauthorized disclosure violations.
About one-quarter of cases investigated in the time period GAO reviewed were ultimately substantiated. Between fiscal years 2012 and 2021, IRS completed 1,694 investigations of employee discipline cases that included an UNAX issue. More than half of UNAX cases originated in IRS's Wage & Investment Division. About 30 percent of cases originated in the Small Business/Self-Employed Division. Of the 1,694 UNAX cases, 12 percent (204) also included an unauthorized disclosure issue. IRS substantiated 27 percent of the 1,694 UNAX cases as violations and about 24 percent of the 204 unauthorized disclosure cases. Over the past 10 fiscal years, it has taken TIGTA and IRS, on average, a combined 464 days to investigate and close UNAX cases.
The majority of UNAX and unauthorized disclosure violations during fiscal years 2012-2021 were committed by nonmanagerial employees. Managers accounted for less than 10 percent of UNAX and less than 15 percent of unauthorized disclosure violations. During this same period, permanent full-time employees committed most UNAX and unauthorized disclosure violations.
More than 82 percent of UNAX violations resulted in the offending employee's suspension, resignation, or removal. In all cases where IRS found employees committed both UNAX and unauthorized disclosure violations, the offending employee also was suspended, resigned, or removed.
Why GAO Did This Study
The U.S. tax system is based on voluntary compliance. One factor that may influence an individual's willingness to voluntarily comply with the tax system is the confidence that IRS is protecting one's personal and financial information.
GAO was asked to describe IRS's processes for safeguarding federal tax information and what is known about cases of UNAX and unauthorized disclosure of federal tax information by IRS employees.
GAO analyzed IRS data, reviewed IRS and TIGTA documentation, and interviewed IRS and TIGTA officials for this analysis.
For more information, contact Jessica Lucas-Judy at (202) 512-6806 or LucasJudyJ@gao.gov or Jennifer Franks at (404) 679-1831 or FranksJ@gao.gov.