IRS Authority To Regulate Tax Prep Cybersecurity Has Gaps, Watchdog Says
Digital tax fraud schemes are on the rise but the IRS can only do so much to regulate third-party providers without more authority.

The number of high-risk security incidents involving tax preparers and software jumped by 50 percent from 2017 to 2018, from 212 to 336. But, despite the growing number of citizens filing taxes digitally and the rise in incidents, the IRS remains largely powerless to police third-party providers, according to a watchdog report.

“Federal law and guidance require that the Internal Revenue Service protect the confidentiality, integrity, and availability of the sensitive financial and taxpayer information that resides on its systems,” a new Government Accountability Office report states. “However, taxpayer information held by third-party providers—such as paid tax return preparers and tax preparation software providers—generally falls outside of these requirements, according to IRS officials.”

The scope of the problem is large, as last year, 90 percent of taxes were filed digitally through a third party—either a tax accountant or online service.

The agency has issued a list of 140 security controls based on standards set by the National Institute of Standards and Technology. However, those controls are voluntary, and currently only a third of providers follow them.

The agency also developed six security, privacy and business standards for individual tax preparation software, but these have not been updated since 2010.

However, even with updated standards, the IRS does not have the authority to regulate or otherwise manage the security of third-party providers directly.

The agency does authorize preparers to operate under the Authorized e-file Provider program. “However, IRS’s efforts do not provide assurance that taxpayers’ information is being adequately protected,” according to GAO researchers, as the agency has not “developed minimum information security requirements for the systems used by paid preparers or Authorized e-file Providers.”

While GAO suggested such requirements would be necessary to establish baseline security for the industry, the report notes Congress has yet to give the IRS the requisite authority to do so. That is despite calls from both GAO and the Treasury Department—including in the administration’s 2020 budget request—to grant such authority.

“Having explicit authority to establish security standards for Authorized e-file Providers’ systems may help IRS better ensure the protection of taxpayers’ information,” GAO analysts wrote.

In the report, GAO urged Congress to take action and grant the proper authority to IRS.

For the agency, GAO made eight recommendations. IRS officials agreed with the first three: regularly review and update security requirements; standardize incident reporting; and document, intake, store and share incident data across the agency.

The IRS disagreed with the remaining five recommendations, which centered on developing governance structures and instituting closer reviews of third-party systems and controls. Officials argued that doing so without additional congressional authority would lead to lawsuits, though GAO analysts believe IRS could make some changes using its existing statutory authorities.