IRS Not Keeping Track of Whom It Shares Data With


Many "interconnections" used at the tax agency lack proper authorization or security agreements, according to an audit.

The Internal Revenue Service links up its IT systems with a number of other federal agencies and even private companies, including tax-preparation software providers. These system interconnections, as they’re known, make it easier to share data between organizations.

IRS policy requires the agency to keep track of these connections and to ensure proper documentation -- specifying the security controls used by third-party organizations IRS shares data with -- has been filled out.

However, a new watchdog report turned up dozens of system connections -- including to some of the country’s top tax-prep software providers -- that either lacked full documentation or didn’t show up in IRS’ inventory.

“Many interconnections in use at the IRS do not have proper authorization or security agreements,” concluded a Sept. 15 Treasury Inspector General for Tax Administration report, which was released today.

The undocumented data-sharing connections included several regional Federal Reserve Banks, the payroll giant Automated Data Processing, and tax-preparation software providers Intuit, H&R Block and Jackson Hewitt.

Some of the interconnections that actually were properly documented in IRS’ inventory had expired paperwork. Those included connections with Customs and Border Protection, which transferred names and passport data; the Defense Manpower Data Center, which transmitted data on delinquent DOD taxpayers; telecommunications provider Verizon; and the Office of Personnel Management, whose connection was used to transmit background investigation case files to the agency.

Security agreements are necessary, the IG argued, because linking up government IT systems with outside systems can often be risky.

“If the interconnection is not properly designed, security failures could compromise the connected systems as well as the data that they store, process, or transmit,” auditors said. “Similarly, if one of the connected systems is compromised, the interconnection could be used as a conduit to compromise the other system and its data.”

Auditors recommended the IRS chief technology officer identify all external connections and ensure they are properly documented. The agency said it had already updated its central inventory of connections and its Office of Cybersecurity would ensure security agreements governing the connections were in order.