Audit: IRS Needs to Improve How It Wipes Taxpayer Data  from Devices

A report from the U.S. Treasury Inspector General for Tax Administration found flaws regarding how the IRS sanitizes—or gets rid of—taxpayer data contained on agency-owned desktop computers and laptop hard disks.

The audit, released Sept. 20, indicates the tax-collecting agency is at increased risk of revealing sensitive taxpayer data because it is “not using an approved sanitation product to overwrite sensitive taxpayer data on laptop and desktop hard disks.” The audit further found the tax-collecting agency is not annually testing its sanitation equipment and procedures at its Memphis Sanitation Site.

And while TIGTA said the IRS is sanitizing “most of” its laptop and desktop computers, auditors said the agency’s process to independently verify the sanitation of each individual computer “is ineffective.”

“Applying effective sanitization techniques and tracking hardware asset inventory are critical aspects to ensure that sensitive data are protected against unauthorized disclosure,” the audit states. “If an unauthorized disclosure of tax or personally identifiable information occurred, it could result in substantial harm, embarrassment, and loss of public confidence in the IRS. An unauthorized disclosure could also harm an individual.”

Auditors based their findings on a sample of 87 desktop and laptop computers from a total of more than 3,800 that were sanitized between January and March 2021. Of the statistical interval sample, one computer was not sanitized, two were missing hard disks and six had “bad sector error messages,” which auditors said “could potentially allow readable information to re recovered.” Projected across the three-month period, auditors estimate as many as 45 computers may not have been sanitized and 89 may be missing hard disks.

In its audit, TIGTA also observed smartphone wiping and tested a small sample—none of which were improperly sanitized.

Auditors made six recommendations to the IRS, all of which the agency agreed with. The agency agreed to only use approved sanitation products; to test and procedures and equipment annually; to destroy or degauss any hard drives that are not sanitized; to account for hard disks separated from their computers; and to independently verify the sanitation of computers and laptops.