Problems found with security at private tax debt collection agencies

The private debt collection agencies that have contracted with the Internal Revenue Service to help collect overdue tax receivables have some security vulnerabilities, according to a new government report.

The report, from the Treasury Inspector General for Tax Administration, examined security at the four collection agencies that have been hired by the IRS. A 2015 highway transportation bill, the FAST Act, revived the IRS’s private debt collection program, even though the IRS had twice before shut it down because it ended up costing more money than it brought in and consumers complained of being harassed by the collection agencies. The latest iteration of the program got underway last year, with the IRS promising that safeguards would be in place to protect against abuses and avoid confusion with scammers pretending to represent the IRS (see IRS revives private debt collection program).

The four private collection agencies that have been approved as contractors — BE Group of Cedar Falls, Iowa; Conserve of Fairport, N.Y.; Performant of Livermore, Calif.; and Pioneer of Horseheads, N.Y. — are required to secure taxpayer data.

The TIGTA report acknowledged that the private collection agencies, or PCAs, have established secure environments for housing taxpayer data. They included access and control policies for managing taxpayer data, procedures for employees who telework, and systems access logs that are monitored and reviewed to prevent employee browsing of taxpayer data.

However, according to the report, TIGTA found the IRS was unaware that one PCA couldn’t provide monthly vulnerability scans of systems containing taxpayer data, and three of the four PCAs were not remediating critical- and high-risk vulnerabilities within the required 30 calendar days. The report recommended the PCA reporting requirements should be updated to ensure the IRS finds out about the risk associated with the PCAs’ vulnerabilities.

The IRS didn’t enforce the requirements in its own Publication 4812, Contractor Security Controls, for cell phone use policy specific to IRS data nor ensure that data were encrypted before transferring it to the PCAs, according to TIGTA.

On top of that, three of the four PCA mailrooms where taxpayer correspondence and payments are received weren’t included in the IRS’s annual security assessments. One of the private collection agencies lacked a secure mail processing area for payments and didn’t secure misdirected payments prior to sending them to the IRS. One of the PCAs didn’t back up video footage, and three of the four PCAs didn’t back up their video footage to an offsite location.

TIGTA recommended that the IRS update and enforce Publication 4812 to fix critical- and high-risk vulnerabilities within 30 calendar days. The report also suggested the IRS should clarify which devices should have vulnerability scans, and ensure timely communication of the scan results to the IRS. The IRS should also require that policies be specific on mobile devices connected to systems containing sensitive information and include a mechanism to enforce the policy, the report suggested.

TIGTA also recommended that the IRS perform annual assessments of the PCAs’ mailrooms; perform follow-up assessments for any deficiencies identified; and implement stronger security controls over mailrooms that receive taxpayer correspondence and payments, including enhanced security camera coverage to record all sensitive areas. Finally, suggested the report, the IRS should ensure that all taxpayer data at rest being transferred to the PCAs are encrypted.

In response to the report, IRS management agreed with six of TIGTA’s eight recommendations. The IRS said it plans to communicate all vulnerabilities in a timely way, develop policies about the use of mobile devices, perform annual security assessments over mailrooms, and conduct a feasibility study to identify possible options for ensuring data at rest are encrypted. As for the two partially agreed-to recommendations, the IRS didn’t address the enforcement of vulnerability remediation and the inclusion of all devices when scanning for vulnerabilities. TIGTA said it believes that the IRS should complete these items.

“The private collection agencies (PCAs) who do this work are required to secure all taxpayer data,” wrote Mary Beth Murphy, commissioner of the IRS’s Small Business/Self-Employed Division, in response to the report. “To ensure these protections, the IRS initiated a controlled launch of the program in April 2017 when it contracted with four PCAs to initiate the private collection of certain overdue federal tax debts. Through an incremental implementation of the program, we increased the likelihood that the program would work effectively while at the same time ensuring the protection and security of taxpayer data.”

The National Treasury Employees Union, which represents IRS employees, has long been critical of the private debt collection program and found fresh ammunition in the latest TIGTA report.

“Not only does this program lose money and punish low-income taxpayers, now we learn that taxpayers’ personal information may be compromised by insufficient security protocols, which will cost even more taxpayer money to address,” National Treasury Employees Union National President Tony Reardon said in a statement last week. “Congress was wrong to force this program on the IRS and replace the professionally trained civil servants of the IRS with for-profit companies that work on commission.”

The IRS won’t have a true sense of the companies’ security posture without additional information, the NTEU noted. “Americans are already under siege from cyberattacks and hackers who are trying to steal their personal data and financial information,” said Reardon. “Congress should make sure that the IRS does not expose them to even more threats because they let private contractors do government work.”

The Partnership for Tax Compliance, a trade group that represents the private collection agencies, took issue with accusations of security vulnerabilities. “The TIGTA report does not suggest that any security areas have negatively impacted taxpayers or the government, merely that more security protocols should be added on top of what’s already a very rigorous security process,” said a statement forwarded by spokesperson Kristin Walter. “The PCAs meet and exceed all the government standards for data security. We support continued vigilance about security, which the TIGTA report shows is already extraordinary, and we will continue our work alongside the IRS to make what is already one of the most audited and inspected programs even better.”

A man walks past the IRS headquarters in Washington, D.C.

Andrew Harrer/Bloomberg


Michael Cohn