Auditors: IRS plan compromises security for e-payment users

The Internal Revenue Service glossed over computer security in planning for a new tax return law that applies to e-payment processors, government investigators said. The law kicks in during the 2012 filing season for the 2011 tax year.

A tiny provision folded into the 2008 Housing and Economic Recovery Act stipulates that companies handling credit card transactions for merchants, such as PayPal, Amazon and traditional banks, must report the gross amounts of merchants' transactions along with the vendors' sensitive personal information starting in tax year 2011. The Treasury Department estimates that clamping down on sellers that are under-reporting sales, by comparing self-reported gross figures to the payment processors' numbers, will generate nearly $10 billion during the next 10 years.

But the law will add millions of additional reporting documents to IRS computer systems, according to federal auditors. And the agency's strategy for applying the law "does not consider the security of the computer systems being planned and changed or the new data being received," Michael R. Phillips, the Treasury Inspector General for Tax Administration's deputy IG for audit wrote in a July 26 report released Thursday.

The new provision will require that the IRS store the names, addresses and taxpayer identification numbers, or TINs, of the sellers that each third-party processor submits. Only merchants that amassed more than $20,000 in payments from more than 200 transactions in a single year are subject to the new rule. Small vendors often use their Social Security numbers as their TINs, so the reporting could put them at greater risk of identity theft, say some privacy groups, such as the Center for Democracy and Technology.

"CDT continues to have concerns about government requiring private entities, in this case payment systems, to collect and keep more sensitive personal information than they would otherwise need," David Sohn, senior policy counsel for the center, said on Friday. "Data breaches continue to be an unfortunate fact of life, so forcing companies to hold on to sensitive data to assist the government in tracking user behavior carries real risk."

The security policy lapse follows repeated criticisms from TIGTA and the Government Accountability Office during the past few years about glitches in IRS computers. Most recently, the inspector general issued a report in late June that stated software housing taxpayer information had not received the latest bug fixes, and the agency was not running appropriate vulnerability scans on all databases. GAO revealed in March 2010 that the IRS did not consistently use strong passwords, restrict access only to personnel whose jobs required logging on to systems, or keep track of breaches.

"In light of issues related to system security previously reported by the GAO, we expected the IRS to have more detail of the security considerations in its plan," Phillips wrote.

On Friday, a TIGTA spokesman said the IRS has since informed auditors that, after the review, the agency added particulars on computer security to its rollout plan. "TIGTA has not performed a follow-up review of the implementation plan to confirm the IRS' statements that details on computer security had been added," the spokesman said.

IRS spokesman Eric Smith on Friday was unable to comment on whether there has been an addendum.

During their audit, inspectors also discovered that a risk assessment of the new reporting program makes no mention of security reviews. "Sensitive taxpayer data could be at risk of disclosure," the report stated. "We believe that because of the significant risk associated with transmitting and storing large amounts of sensitive data, the effect if the data are compromised, and [given] the fact that the IRS has been criticized in the past for security weaknesses, the IRS should have specifically addressed this issue in its risk assessment to ensure all necessary steps were taken and contingency plans were developed as necessary."

The safety of consumers' personal information is not at issue because the payment processors will not be reporting individual buyer transactions to the IRS.

Faris Fink, IRS commissioner for the small business/self-employed division, responded to draft IG findings with a June 8 memo, saying security controls mandated by the 2002 Federal Information Security Management Act are required to be in place to ensure the protection of sensitive data. "These controls are tested and any risks are identified along with mitigations prior to system production," he wrote.

On Friday, Smith said the IRS does not discuss specifics about the agency's information safeguards, but "security is a cornerstone of our operations involving sensitive data, and we follow FISMA security protocols."