The Internal Revenue Service has investigated nearly 1,700 cases of unauthorized access of tax data by its own employees in the past decade, and over one-fourth of them turned out to be violations that typically led to employees being suspended, fired or resigning.
A
Such access is against the law and could even lead to criminal prosecution. The report arrives at a time when the IRS has come under fire from Congress and tax professionals for backlogs in processing tax returns, the destruction of 30 million paper information return documents, and the difficulty of reaching IRS employees by phone. Lawmakers have also demanded answers from the IRS about potential taxpayer confidentiality leaks in response to reports from the investigative news site
“Federal tax returns include confidential information (such as Social Security numbers),” said the report. “IRS employees are responsible for accessing federal tax information only when it is required for their job. If they access federal tax information otherwise, they could be removed from their job and face criminal and civil penalties.”
The GAO report noted that several offices at the IRS share responsibilities for overseeing policies and practices that protect federal tax information. IRS employees are usually responsible for accessing federal tax information only when it’s required to complete their official duties. Workers also play a role in protecting the confidentiality and privacy of taxpayer information to which they have access.
“If IRS employees access tax information that (1) is not a part of their assigned duties, or (2) is otherwise prohibited, then this access is unauthorized,” said the report. “Unauthorized access can either be considered inadvertent or willful. UNAX is the willful unauthorized access, attempted access, or inspection of tax returns or return information. Similarly, disclosures of tax information that are not authorized can be considered inadvertent or willful.”
The Treasury Inspector General for Tax Administration probes suspected unauthorized access or unauthorized disclosure incidents to decide whether the incident can be substantiated. Most of the time, TIGTA finds out about the incidents when someone reports an incident or through its own analysis of IRS reports, both of which can originate from a number of sources. If TIGTA finds sufficient evidence to suggest an unauthorized access or disclosure violation happened, it refers the case to the Justice Department to decide whether it wants to pursue prosecution. TIGTA also gives the IRS the information it collected during its investigation. IRS employees are subject to criminal penalties for unauthorized access and disclosure violations, and those could include imprisonment or fines.
IRS investigates the incidents, and when appropriate, sets the penalty for IRS employees who committed unauthorized access and disclosure violations. In cases where the IRS determines they warrant disciplinary action, the employee's management team decides on the appropriate penalties. IRS policy generally requires removal of the employee to be proposed for all unauthorized access violations. A similar IRS policy says removal is an appropriate penalty for willful unauthorized disclosure violations.
About one-quarter of cases investigated in the time period reviewed by the GAO were ultimately substantiated. Between fiscal years 2012 and 2021, IRS completed 1,694 investigations of employee discipline cases that included an unauthorized access issue. More than half the so-called UNAX cases originated in the IRS's Wage & Investment Division, while approximately 30% of the cases came from the IRS’s Small Business/Self-Employed Division. Of the 1,694 UNAX cases, 12% (204) also included an unauthorized disclosure issue. The IRS substantiated 27% of the 1,694 UNAX cases as violations and about 24 percent of the 204 unauthorized disclosure cases. Over the past 10 fiscal years, it has taken TIGTA and IRS, on average, a total of 464 days to investigate and close unauthorized cases.
The majority of unauthorized access and disclosure violations during fiscal years 2012-2021 were committed by nonmanagerial employees. Managers accounted for less than 10% of unauthorized access and under 15% of unauthorized disclosure violations. During this same period, permanent full-time employees committed most unauthorized access and disclosure violations.
More than 82% of the unauthorized access violations led to the offending employee's suspension, resignation, or removal. In all the cases where the IRS found employees committed both unauthorized access and disclosure violations, the offending employee also was suspended, resigned or removed.
In response to the report, the IRS said it takes its responsibility to prevent unauthorized access and disclosure seriously and has created a monitoring system to identify such incidents, investigate cases and adjudicate any findings. IRS employees are constantly reminded that they should only access taxpayer information that is directly related to their casework.
“The vast majority of IRS employees take their charge to protect taxpayer information as the foundation of their career in serving America’s taxpayers,” wrote Jeffrey Tribiano, deputy commissioner for operations support at the IRS. “The small number of employees who do not uphold our standards face serious discipline up to and including removal from the IRS. We will continue to educate our employees and refine our capabilities to detect UNAX and unauthorized disclosures as these efforts are key to ensuring that taxpayers can trust that the information provided to the IRS will be protected and only used for legitimate tax administration purposes.”