June 21, 2021

Crapo Requests Review of IRS Data Security

Unauthorized leak of confidential tax returns brings security practices into question

U.S. Senator Mike Crapo (R-Idaho), Ranking Member of the Senate Finance Committee, has requested a review by the Government Accountability Office (GAO) of the Internal Revenue Service’s (IRS) data security practices, procedures and methods.  The request follows the unauthorized disclosure of individuals’ confidential tax returns to the media outlet, ProPublica. 

From the letter:

“The size and scope of the apparent disclosure to ProPublica of confidential taxpayer information from a government agency warrant increased government oversight to ensure that the IRS is implementing robust processes and procedures to fully protect tax filers’ personal data.”

“Whether private, legally-protected, and personal information was first obtained and shared with ProPublica by actors internal or external to the IRS, there appear to be gaps in the data security measures at the IRS.  It is important to understand and evaluate how the IRS collects, stores, uses, and protects taxpayers’ data, and any gaps or deficiencies in its possibly porous safeguards, in order to prevent any violation of Americans’ privacy from happening again.”

Read the full letter below.

Dear Comptroller Dodaro:

The recent apparent unauthorized disclosure of individuals’ confidential tax return information to the media outlet, ProPublica, and a subsequent article titled “The Secret IRS Files: Trove of Never-Before-Seen Records Reveal How the Wealthiest Avoid Income Tax” is deeply troubling.  The article states that “ProPublica has obtained a vast trove of Internal Revenue Service data on the tax returns of thousands of the nation’s wealthiest people, covering more than 15 years.”  Such unauthorized disclosure represents an unacceptable violation of the trust that Americans place in the IRS to safeguard their personal information and undermines the system of voluntary compliance upon which our tax system relies.

The size and scope of the apparent disclosure to ProPublica of confidential taxpayer information from a government agency warrant increased government oversight to ensure that the IRS is implementing robust processes and procedures to fully protect tax filers’ personal data.  In a related article, ProPublica asserts, “We live in an age in which people with access to information can copy it with the click of a mouse and transmit it in a variety of ways to news organizations.”  IRS practices, procedures, and methods must ensure that it is not that easy for unauthorized individuals to access and transmit to third parties the private information Americans entrust every year to the tax collectors.  The same related article continues, “We [ProPublica] have gone to considerable lengths to confirm that the information sent to us is accurate.  We compared the tax data in our possession to other sources of the same information wherever we could find them, some of which were public (a tax return for a candidate for national office), others of which were private [emphasis added].”  If ProPublica is confirming private tax information by comparison to information from other private sources, additional concerns arise about the security of Americans’ financial information.

Whether private, legally-protected, and personal information was first obtained and shared with ProPublica by actors internal or external to the IRS, there appear to be gaps in the data security measures at the IRS.  It is important to understand and evaluate how the IRS collects, stores, uses, and protects taxpayers’ data, and any gaps or deficiencies in its possibly porous safeguards, in order to prevent any violation of Americans’ privacy from happening again.

Section 6103 of the Internal Revenue Code provides that “returns and return information shall be confidential,” and prohibits any officer or employee of the United States or any state – as well as any person with access to returns or return information – from disclosing anyone’s return or return information except when authorized by the taxpayer or provided expressly by federal law.  Therefore, disclosing confidential taxpayer information to the public is a crime.

Section 7213 of the Internal Revenue Code provides that: “It shall be unlawful for any person to whom any return or return information (as defined in section 6103(b)) is disclosed in a manner unauthorized by this title thereafter willfully to print or publish in any manner not provided by law any such return or return information.”  Acceptance or solicitation of personal return or return information, and publication of such information is unlawful, and it is important to understand ProPublica’s potential liability if tax return information has been willingly published with knowledge of the nature of the data being published.

Given these concerns about the IRS’s data security practices, procedures, and methods, I request that GAO promptly review:

  1. Policies, procedures, and methods employed by the IRS to collect, store, use, and protect taxpayer information, and the IRS’s compliance with all applicable laws, regulations, and guidance with respect to such policies, procedures, and methods;
  2. Policies, procedures, and methods for giving IRS employees (or third party contractors) access to taxpayer information, including the circumstances for giving and procedures to revoke such access, restrictions on the use or sharing of taxpayer information, and procedures to oversee IRS employees (or third party contractors) with access to taxpayer information; third party contractors shall include researchers who, through the Joint Statistical Research Program of the Statistics of Income Division of the IRS, have been made IRS employees under an agreement made possible by the Intragovernmental Personnel Act of 1970 (5 U.S.C. 3371-3376) or under any other arrangement;
  3. Any gaps or deficiencies in the policies, procedures, and methods implemented by the IRS to collect, store, use, or protect taxpayer information that may increase the susceptibility of such data to internal or external breach or misuse;
  4. The IRS’s practices to retain taxpayer information, including the length of time information is retained, methods for protecting noncurrent stored information, and methods for determining when information should be disposed;
  5. The IRS’s use of encryption of taxpayer information, and how the IRS determines what information is or is not encrypted; and
  6. Any best practices that the IRS should implement to improve the protection and security of taxpayer information.

Thank you for your prompt attention to these matters. 

Sincerely,