Some Internal Revenue Service employees didn’t do enough to protect sensitive taxpayer information when they were sending emails, according to a new report.
The report, from the Treasury Inspector General for Tax Administration, found that nearly half the employees whose emails were examined sent unencrypted emails. TIGTA auditors reviewed a random sample of 80 employees from the IRS’s Small Business/Self-Employed Division over four weeks in May and June 2015. They found that 39 of the 80 employees (49 percent) sent a total of 326 unencrypted emails containing the personally identifiable information or tax return information of 8,031 different taxpayers, either internally to other IRS employees or externally to non-IRS email accounts.
Among the 326 unencrypted emails identified by TIGTA, 275 that contained personally identifiable information or tax return information were sent internally to other IRS employees. These emails were sent inside the IRS internal information system firewall, so they posed less risk of improper disclosure or improper access.
However, 51 of the unencrypted emails were sent externally to non-IRS email accounts. The employees who sent the messages failed to follow the requirements of the Internal Revenue Manual and risked exposing the information to unauthorized people.
On top of that, 20 of the emails that six employees sent to personal email accounts involved official IRS business. The report acknowledged that employees might not be aware of restrictions on using their personal email, because the Standards for Using Email in the Internal Revenue Manual don’t include this restriction.
Part of the problem lies in the way the IRS’s electronic fax capability was set up. The IRS implemented its Enterprise e-Fax (EEFax) capability in early 2013 without encryption features, so messages to the fax gateway cannot be encrypted. TIGTA found 193 unencrypted emails containing taxpayers’ personally identifiable information or tax return information that were routed to the Enterprise e-Fax servers through the email system. Because the system lacks encryption, its use could result in the interception and disclosure of that information.
“It is critical that the Internal Revenue Service properly protect taxpayers’ personally identifiable and tax return information at all times,” said TIGTA Inspector General J. Russell George in a statement. “Not only is this protection required by law, it is essential if taxpayers are to maintain a high level of confidence in the IRS’s mission.”
TIGTA made five recommendations in the report, and the IRS agreed with all of them and plans to correct the problems. TIGTA recommended that the IRS consider the feasibility of a systemic solution to ensure personally identifiable information and tax return information is encrypted, and that until such a solution is in place the agency consider requiring a default Outlook setting for certain employees that encrypts the email messages they send. The IRS should also ensure that managers are made aware of any email violations and take the appropriate disciplinary action. Finally, the IRS should update the Internal Revenue Manual to specify that no IRS employee may use a personal email account to conduct official government business, and should request an information technology update so that encrypted messages can be sent to the EEFax server.
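The "systemic solution" TIGTA asks for is, in practice, a data-loss-prevention check at the mail gateway: inspect each outbound message for taxpayer identifiers, note whether it was encrypted, and rank it by where it is going. The script below is an added illustration of that triage and is not code from the IRS, TIGTA, or the report. It reproduces the report's three categories (internal, external, and e-fax routing) plus the personal-account case on a handful of constructed messages. The domain names, the SSN values, and the message records are all assumptions invented for the example; a real deployment would hook into the gateway's message stream rather than an in-memory list.

```python
"""DLP-style triage of outbound e-mail for unencrypted taxpayer data.

Added example, not IRS or TIGTA code. Every domain, address, SSN and
message below is constructed for illustration.
"""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "irs.gov"                      # assumed internal mail domain
EFAX_DOMAIN = "efax.irs.gov"                     # hypothetical e-fax gateway domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # assumed webmail providers

# Routes ranked from least to most exposed; a message takes its worst recipient's route.
ROUTE_RANK = {"internal": 0, "efax": 1, "external": 2, "personal": 3}

# SSN pattern that rejects structurally invalid area (000, 666, 9xx),
# group (00) and serial (0000) values to cut false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    encrypted: bool      # True if the client applied message-level encryption


@dataclass
class Finding:
    sender: str
    route: str           # worst route among the recipients
    ssns: set            # distinct taxpayer identifiers found in the body
    severity: str        # "ok", "low" (inside the firewall) or "high"
    personal_account: bool


def classify_recipient(addr: str) -> str:
    """Map a recipient address to one of the report's routing categories."""
    domain = addr.rsplit("@", 1)[-1].lower()
    if domain == EFAX_DOMAIN:
        return "efax"
    if domain == INTERNAL_DOMAIN or domain.endswith("." + INTERNAL_DOMAIN):
        return "internal"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "external"


def find_ssns(text: str) -> set:
    """Return the set of distinct SSN-shaped identifiers in a message body."""
    return set(SSN_RE.findall(text))


def assess(msg: Message) -> Finding:
    """Rate one message: PII present, not encrypted, and where it went."""
    routes = {classify_recipient(r) for r in msg.recipients}
    route = max(routes, key=ROUTE_RANK.__getitem__)
    ssns = find_ssns(msg.body)
    if not ssns or msg.encrypted:
        severity = "ok"
    elif route == "internal":
        severity = "low"     # stayed inside the firewall, as the report notes
    else:
        severity = "high"    # left the network or hit the unencrypted e-fax path
    return Finding(msg.sender, route, ssns, severity, "personal" in routes)


def summarize(messages: list) -> dict:
    """Aggregate findings the way the audit reported them."""
    findings = [assess(m) for m in messages]
    exposed = [f for f in findings if f.severity != "ok"]
    return {
        "messages": len(messages),
        "unencrypted_with_pii": len(exposed),
        "high": sum(f.severity == "high" for f in findings),
        "low": sum(f.severity == "low" for f in findings),
        "distinct_taxpayers": len(set().union(*(f.ssns for f in exposed))),
        "offending_senders": sorted({f.sender for f in exposed}),
        "personal_account_use": sum(f.personal_account for f in findings),
    }


# Constructed sample traffic covering each case the report describes.
SAMPLE_MESSAGES = [
    Message("agent.a@irs.gov", ["lead@sbse.irs.gov"], "Case 7: SSN 123-45-6789 needs review.", False),
    Message("agent.b@irs.gov", ["cpa@example.com"], "Clients 234-56-7890 and 123-45-6789 attached.", False),
    Message("agent.a@irs.gov", ["5551234567@efax.irs.gov"], "Fax of return for 345-67-8901.", False),
    Message("agent.b@irs.gov", ["cpa@example.com"], "Encrypted copy for 456-78-9012.", True),
    Message("agent.c@irs.gov", ["me@gmail.com"], "Reminder: case review at 9am tomorrow.", False),
    Message("agent.c@irs.gov", ["team@irs.gov"], "Meeting moved to room 4.", False),
]

if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        f = assess(m)
        print(f"{f.severity:4} {f.route:8} {f.sender} ssns={len(f.ssns)}")
    print(summarize(SAMPLE_MESSAGES))
```

The severity split mirrors the report's own reasoning: an unencrypted message with taxpayer data that stays inside the firewall is a policy violation but a lower exposure, while the same message to an outside domain or to a fax gateway that cannot accept encryption is the case that warrants blocking or quarantine. Personal-account use is tracked separately because, as the report notes, it is a violation even when no taxpayer data is involved.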
Karen Schiller, commissioner in charge of the IRS’s Small Business/Self-Employed Division, pointed out in response to the report that TIGTA’s review did not identify any instances in which personally identifiable information was sent unencrypted to an unintended recipient. While the review found a small number of emails containing personal information were not properly encrypted, the majority of the emails were sent within the IRS firewall to other IRS employees who needed to know the information.
“We are continuously looking for ways to appropriately balance the need to enable our workforce to communicate with each other and with taxpayers electronically, our taxpayers’ expectations for more robust electronic communications, and the overriding need to ensure that those communications are secure and guarded from external threats,” she wrote. “To that end, we have implemented some significant enterprise data protection initiatives.”