The U.S. federal tax system involves a plethora of sensitive taxpayer information—for individuals and businesses alike. Taxpayers should have some measure of confidence that the U.S. government, particularly the Internal Revenue Service (“IRS”), has measures in place to protect sensitive taxpayer information. On August 1, 2023, the Treasury Inspector General for Tax Administration (“TIGTA”) issued to the IRS Commissioner its final report on the IRS’s compliance with certain policies designed to protect taxpayer data.
IRS Internal Guidelines
The IRS maintains certain guidelines related to IRS employees requesting and transferring tax records from Tax Processing Centers. The IRS has three primary Tax Processing Centers located in Kansas City, Missouri; Austin, Texas; and Ogden, Utah. According to the Internal Revenue Manual, the IRS ships packages with Personally Identifiable Information (“PII”), i.e., sensitive taxpayer data, using a private delivery carrier. See I.R.M. 10.5.1.6.9.3 (Dec. 31, 2020). Among its general policies, IRS employees are required to:
- List the total number of documents contained in the package and include identifying information, i.e., taxpayer name, Employer Identification Number, etc., for at least the first four documents and the last document in the package.
- Include two copies of Form 3210, Document Transmittal, to be placed inside the secure package with its contents while the sender of the package keeps the ‘Originator’s Copy.’
- Verify receipt of the package by signing and returning the Form 3210 ‘Acknowledgment Copy’ to the sender.
- Report, upon discovery, all instances of lost mailed packages to TIGTA and the IRS’s Office of Privacy, Governmental Liaison, and Disclosure/Incident Management (“PGLD/IM”) Office.
- Report a data breach to the PGLD/IM Office on Form 14164-A, Personally Identifiable Information (PII) Breach Reporting Form.
- Notify the potentially impacted taxpayers of an IRS data breach involving their sensitive information if the PGLD/IM Office determines that notification is appropriate after its risk analysis.
See TIGTA, Sensitive Tax Information Is Not Being Controlled Adequately When Shipping to and From Tax Processing Centers (Aug. 1, 2023).
Results of TIGTA Review
From September 2022 to May 2023, TIGTA conducted its investigation and review of the IRS’s compliance with its policies and procedures. TIGTA reviewed IRS policies, reviewed the population of lost mail, and evaluated the IRS delivery processes. Among its findings, TIGTA determined:
- Actions are not taken to properly account for and/or control sensitive taxpayer information sent by private delivery carriers;
- Quarterly audits of the Forms 3210 acknowledgement process are not performed as required;
- Inadequate documentation resulted in the inability to identify, notify, and offer protection to some taxpayers when their sensitive tax information was lost; and
- Data breach indicators are not placed on business tax accounts associated with sensitive business tax information lost by the IRS.
See TIGTA, Sensitive Tax Information Is Not Being Controlled Adequately When Shipping to and From Tax Processing Centers (Aug. 1, 2023).
For a complete review of TIGTA’s report, click here.
Conclusion
TIGTA’s findings are not necessarily a vote of confidence for taxpayers and the security of their sensitive information. Taxpayers may take proactive steps to protect themselves from tax-related identity theft. For example, taxpayers may request an Identity Protection PIN (“IP PIN”), a six-digit number used when filing a tax return. For more information on requesting an IP PIN, click here.
Contact Provident Legal Counsel today to discuss your federal tax situation. Schedule a Consultation or call (214) 432-6100.
Explore these related articles to gain further insights on your chosen topic.
Schedule a consultation today or give us a call to start your journey.
