A recent article reporting ongoing problems at the IRS associated with lax protections of taxpayer data came to our attention. There is a summary of the article below. We encourage you to read the article in its entirety.
But before we get to the summary of the article, we wanted to bring a few items to your attention.
- If your employees have access to sensitive identifying information, you should know that the IRS conducts background investigations of BOTH employees AND contractors. We wrote previous blog posts about the importance of including contractors in your background check program here and here.
- The article mentions that there was a lack of follow-up on those individuals who failed the background check. Follow-up is most important. A firm that has a background check program should assign at least one or two employees whose job includes assuring that individuals who fail the background check are removed from either the hiring process or the employee population.
- An important point in the criticism of systems at the IRS was that there was a lack of controls surrounding complete, accurate, and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes. We would strongly recommend that your firm conduct an audit to uncover exposures in this area.
The IRS failed to revoke access to sensitive tax systems from contractors who failed background checks and doesn’t have protections for some of those systems to prevent unauthorized removal of taxpayer data, the agency’s chief watchdog warns in a stinging rebuke that comes on the heels of a devastating criminal leak of tax records.
“The fact remains that for some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users,” the Treasury Department Inspector General for Tax Administration (TIGTA) concluded in a report this month.
That report was issued at the same time ex-IRS contractor Charles Edward Littlejohn was sentenced to five years in prison for leaking tax information to news organizations about former President Donald Trump and countless other wealthy Americans.
The IRS has struggled for decades to fix lax security. TIGTA first began warning the IRS was doing a poor job protecting taxpayer information back in 2007. Those concerns linger.
“Specifically, 19 contractors’ most recent background investigations were not favorable as of July 13, 2023,” the report stated. “However, these contractors still retained their access to one or more sensitive systems because the IRS did not take action to suspend or disable the contractors from the IRS’s systems, as required.”
TIGTA said it also found that 279 contractors and employees no longer with the agency still had access to at least one sensitive computer system. “Actions were not always taken to timely remove users once they separated from the IRS,” the report warned.
“For some sensitive systems, the IRS does not have adequate controls to detect or prevent the unauthorized removal of data by users,” the watchdog reported.
“TIGTA has reported that a key deficiency in the IRS’s detection and deterrence processes did not ensure that all sensitive systems provide complete, accurate, and usable audit trail logs for monitoring and identifying unauthorized access and for other investigative purposes,” the report added.
Adding to the watchdog’s concerns was the fact that the IRS struggled to come up with a complete list of sensitive computer systems, eventually identifying 319.
House Ways and Means Committee Chairman Jason Smith, R-Mo., whose panel requested the TIGTA inquiry, plans to question the IRS chief at a hearing on Thursday.
TIGTA noted improvements were underway but far from complete.
James P. Randisi, President of Randisi & Associates, Inc., has been helping employers protect their clients, workforce and reputation through implementation of employment screening and drug testing programs since 1999. This post does not constitute legal advice. Randisi & Associates, Inc. is not a law firm. Always contact competent employment legal counsel. Mr. Randisi can be contacted by phone at 410.494.0232 or Email: info@randisiandassociates.com or the website at randisiandassociates.com