Skip to content
U.S. National Debt:

Weekly Column: IRS Must Better Protect Idaho Taxpayers

Guest column submitted by U.S. Senator Mike Crapo

Taxpayers have certain fundamental rights when it comes to dealing with the Internal Revenue Service (IRS), including the right to privacy and the right to confidentiality.  From serious breaches of confidential taxpayer data and document mismanagement to poor cybersecurity training and infrastructure vulnerabilities, the IRS has a decades-long and troubled history with adequately protecting American taxpayers’ information.  One particularly egregious event in recent history was the unauthorized disclosure of private, legally-protected IRS data to online news source ProPublica—an incident of which little has been revealed, despite an ongoing, years-long investigation by multiple agencies.   

As Ranking Member of the Senate Finance Committee, I asked the Government Accountability Office (GAO) to review the data security practices used by the IRS to ensure the agency was implementing robust processes and procedures to fully protect tax filers’ personal data.  GAO recently released its report, and the findings are not reassuring.  The report highlights new and longstanding unresolved security risks surrounding the safety of confidential taxpayer information at the IRS.  The report identifies dozens of security weaknesses at the agency, many of which have been known by the IRS for years, and makes multiple recommendations aimed at safeguarding and protecting taxpayer information. 

 Among the GAO report’s findings:

  • Since 2010, the IRS has failed to implement 77 GAO recommendations targeted at safeguarding taxpayer information, including multiple recommendations that have been open for more than seven years and two high priority recommendations that would “significantly improve” data protection.
  • The IRS’s ongoing failure to act upon all GAO and Treasury Inspector General for Tax Administration recommendations means that at present confidential taxpayer “data will remain at risk of exposure and unauthorized access.”
  • The IRS lacks controls and logging and monitoring capabilities on all its systems containing confidential taxpayer data that would allow it to identify persons who have accessed such data without authorization.
  • Two IRS research and analysis systems with access to troves of taxpayer data and thousands of active users, including non-federal employee researchers, retain taxpayer information far longer than authorized by IRS Records Control Schedules, taking them out of compliance with National Archives and Records Administration recordkeeping requirements. 
  • The IRS only recently implemented key safeguards to protect taxpayer information.  For example, it was not until July 2022 that the IRS began limiting the functionality of its workstations and laptops to prevent persons from removing IRS data from its network by saving it to external devices.
  • Vast discrepancies exist between the rate of data protection training completed by IRS employees and contractors, largely due to the IRS not setting training completion goals for contractors.

In addition to highlighting the dozens of prior recommendations, the GAO reported the IRS has thus-far failed to take comprehensive action to “significantly improve IRS’s ability to safeguard taxpayer information.”  The GAO also makes 15 new recommendations to the IRS, including to: establish agency-wide training completion goals for contractors; maintain comprehensive inventory of systems that store taxpayer information; and risk-assess its methods of data transferals to contractors.

Now, in addition to tax collector and enforcer, the agency wants to act as tax preparer, despite the evidence showing it is unprepared to be trusted with such responsibility.  Instead of devoting time and resources to developing new federal programs that would collect and expose even more sensitive information from taxpayers, the IRS should instead focus on addressing its security weaknesses and improving its woeful customer service.  Protecting taxpayer privacy must be a top priority for the IRS, and I will keep fighting to hold the agency to a higher standard for Idaho taxpayers.

# # #