Can the IRS be trusted with your data?

Like many Americans, I tend to feel generous this time of year — not only because it’s the season for giving, but also for the tax implications. This year, however, my usual concerns about how many deductions I can claim on next year’s return have given way to worries about privacy.

In fiscal 2021, the Internal Revenue Service processed 269 million tax forms, each one rich with information that scammers and thieves would love to have. A scathing new report from the U.S. Treasury Department’s Inspector General for Tax Administration calls into question the ability of the IRS to protect this mass of data.

Ever since 1996, when what was then known as the General Accounting Office issued a stinging report about vulnerabilities in IRS computers, critics have questioned how well the agency protects all the data it collects. In 2002, Congress adopted the Federal Information Security Modernization Act, or FISMA, which set forth standards all federal agencies were required to meet. How’s the IRS been doing with that?

Here’s the IG report: “Until the IRS takes steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements, taxpayer data could be vulnerable to inappropriate and undetected use, modification or disclosure.”

Daniel Acker/Bloomberg

The wordsmith in me can’t leave unremarked upon the drafters’ clumsy effort to soften the harshness of this judgment. To be “vulnerable” is to be susceptible to harm; a vulnerable person is one who might easily suffer something bad. (Think, the unvaccinated.) Thus the phrase “could be vulnerable” is what my older brother used to call a double impositive. The taxpayer data either are vulnerable or not.

They are. Enormously.

Consider the Income Verification Express Service, known as IVES, which allows lenders to use IRS data to check income claims. Few of the companies that use the service have complied with security mandates. And the IRS itself has scarcely done better: “We identified 8,754 tax transcripts that the IVES Program improperly issued for 4,726 taxpayers during Processing Year 2019” — all because either the software of the clerks didn’t take proper note that the file in question had been flagged for identity theft.

The report is full of similarly alarming nuggets, from improperly sanitized laptops and smartphones to insecure physical door locks, from inactive accounts with administrative access that nobody’s disabled to inaccurate equipment inventory in the department’s crime lab.

And there are bigger issues. For instance, the legacy systems have persistent vulnerabilities: “Configuration management compliance for Windows and Linux servers is not effective,” the report states flatly. It’s hardly reassuring that the explanation that follows, which occupies a good two pages, has been almost entirely redacted.

Oh, and just in case you’re wondering: “Vulnerabilities open past remediation time frames are not effectively documented and tracked.” In other words, the agency itself isn’t sure which vulnerabilities have been patched — or even which ones exist.

Remember the leak of confidential taxpayer information to ProPublica earlier this year? Whatever one’s politics, it’s easy to see it as a reason to worry, given that the IRS evidently either (1) has no way to track down who handled the data in question, or (2) allows access to private data to so many people that it’s impossible to tell who downloaded it. (And if it was an outside hack, well, that’s more worrisome still.)

But it’s not surprising. An August report from the Senate Committee on Homeland Security found cyberprotections throughout the federal government to be ... well, the only word that comes to mind is atrocious. For example, the Department of Transportation was unable to locate 7,231 mobile devices and — get ready for it — 4,824 servers. Tests at the State Department “revealed 450 critical-risk and 736 high-risk outstanding vulnerabilities” and found thousands of active email accounts for former employees, including on the department's classified networks.

At the Department of Education, investigators “successfully transmitted to an external email address a test file containing 200 credit card numbers in a format that should have been blocked according to the Department’s policy.” By exploiting the same flaw, a real document containing thousands or tens of thousands of credit card numbers could have been stolen.

Seven of the eight departments surveyed were equally abysmal at cybersecurity.

If the federal government were a private corporation, trial lawyers would be having a field day. The fact that its agencies are protected by the principle of sovereign immunity is producing exactly the moral hazard problems scholars have long noted.

The issue is government-wide, so it is unfair to single out the IRS and its 81,000 employees. (My own admittedly rare interactions have been excellent.) And the unfortunate bipartisan erosion of the IRS budget over the past decade can hardly have helped it comply with security mandates. Nor did the IG give the agency a failing grade at everything; some departments seem to be securing data better than others. Moreover, there is some solace in the fact that the 2020 SolarWinds attack on multiple federal agencies apparently failed to gain access to data on individual taxpayers.

Having said that, it is fair to ask whether there might be a point to the widespread skepticism about such new IRS requirements as the one calling for banks to share ever more information about ever-smaller accounts. Maybe a government hungry for more private data should first meet its own standards for security.