IG: IRS is failing to protect taxpayer information in emails

Internal Revenue Service employees are not protecting sensitive information when they communicate with taxpayers through email, federal investigators reported Thursday. According to a 2010 audit, unauthorized employees often exchanged messages with taxpayers and the IRS failed to ensure emails were indecipherable to intruders.

"We believe that many of these employees knowingly disregarded the [email policies] and do not fully understand the risk of unnecessarily exposing the release of taxpayer data," wrote Michael R. Phillips, deputy inspector general for audit at the Treasury Inspector General for Tax Administration in a Feb. 4 report, published March 31.

In 2007, the IRS partially lifted a long-standing ban on emailing taxpayers sensitive data, such as their tax and financial information, as well as personal information that can identify them by name. Emailing was prohibited because identity thieves frequently impersonate IRS officials in emails to elicit victims' Social Security numbers, bank account information and other financial data. Like clockwork, every tax season the IRS reminds filers that it does not initiate communications via email. In 2007, however, the IRS began allowing taxpayers to exchange emails with the IRS if they opt in to a special program that requires using a compatible email system with encryption features and signing a memorandum of understanding on security.

In Thursday's findings, internal watchdogs reported that about 36 percent of IRS staff who are authorized to email taxpayers received 128 unencrypted, or unsecured, emails from filers. In addition, eight, or 21 percent, of the people who sent the unencrypted messages were not the actual taxpayer; they were a taxpayer's representative such as a public accountant, or an individual with power of attorney for the taxpayer. "[Those] taxpayers are most likely unaware their sensitive data were transmitted insecurely," Phillips wrote.

Many of the unencrypted messages were sent by people who should not have been emailing sensitive data to the IRS at all. Of 38 taxpayers who were not exchanging secure emails, 14 were unauthorized because they had not signed an MOU. Officials at the tax agency told the inspector general "the IRS is not responsible for reporting or stopping taxpayers from sending unencrypted [sensitive but unclassified] data in emails," Phillips wrote.

The investigators disagreed with the IRS that the government is off the hook when a taxpayer violates the agreement. "If taxpayers' sensitive data are lost or stolen as a result of the [email initiative], we believe the brunt of the criticism and negative publicity would be directed at the IRS," Phillips stated.

IRS employees, too, were sending unprotected emails. Staff who were not authorized to email taxpayers sent 21 unencrypted emails to 14 taxpayers. More than one-third of a sample of 70 unauthorized employees also received unencrypted emails from 64 taxpayers. Nine percent of the employees authorized to email taxpayers sent 20 unencrypted messages to nine taxpayers.

A technology system that can monitor for insecure emails could prevent these types of violations. But the IRS will not be able to install such a tool until July 2012. Until then, "the IRS cannot stop these types of emails from occurring other than by relying on employee compliance," Phillips wrote. "The credibility and purpose of the program are undermined when nonparticipating employees send and receive unencrypted emails from taxpayers."

The inspector general recommended, among other things, that the IRS cut off agreements with taxpayers if they repeatedly fail to encrypt sensitive emails. In responding to a draft of the findings, IRS officials said they would amend the MOU to inform participants of the security risks they are taking when they do not encrypt messages, but would not terminate agreements if participants fail to comply.

Investigators also advised that the IRS develop procedures for reporting email violations.

IRS Chief Technology Officer Terrance V. Milholland wrote in response to a draft report that the agency agreed with most of the IG's recommendations. "The IRS's modernization information technology services organization is committed to continuously improving the security of our information technology process; your report recommendations will further improve our secure email with taxpayer program," he wrote.

IRS officials did not respond by 6 p.m. Thursday to a request for comment on the final audit.
