Like many Americans, I tend to feel generous this time of year — not only because it’s the season for giving, but also for the tax implications. This year, however, my usual concerns about how many deductions I can claim on next year’s return have given way to worries about privacy.

In fiscal 2021, the Internal Revenue Service processed 269 million tax forms, each one rich with information that scammers and thieves would love to have. A scathing new report from the U.S. Treasury Department’s Inspector General for Tax Administration calls into question the ability of the IRS to protect this mass of data.

Ever since 1996, when what was then known as the General Accounting Office issued a stinging report about vulnerabilities in IRS computers, critics have questioned how well the agency protects all the data it collects. In 2002, Congress adopted the Federal Information Security Modernization Act, or FISMA, which set forth standards all federal agencies were required to meet. How’s the IRS been doing with that? Here’s the IG report:

Until the IRS takes steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure.

The wordsmith in me can’t leave unremarked upon the drafters’ clumsy effort to soften the harshness of this judgment. To be “vulnerable” is to be susceptible to harm; a vulnerable person is one who might easily suffer something bad. (Think, the unvaccinated.) Thus the phrase “could be vulnerable” is what my older brother used to call a double impositive. The taxpayer data either are vulnerable or not.

They are. Enormously.

Consider the Income Verification Express Service, known as IVES, which allows lenders to use IRS data to check income claims. Few of the companies that use the service have complied with security mandates. And the IRS itself has scarcely done better: “We identified 8,754 tax transcripts that the IVES Program improperly issued for 4,726 taxpayers during Processing Year 2019” — all because either the software or the clerks didn’t take proper note that the file in question had been flagged for identity theft.

The report is full of similarly alarming nuggets, from improperly sanitized laptops and smartphones to insecure physical door locks, from inactive accounts with administrative access that nobody’s disabled to inaccurate equipment inventory in the department’s crime lab.

And there are bigger issues. For instance, the legacy systems have persistent vulnerabilities: “Configuration management compliance for Windows and Linux servers is not effective,” the report states flatly. It’s hardly reassuring that the explanation that follows, which occupies a good two pages, has been almost entirely redacted.

Oh, and just in case you’re wondering: “Vulnerabilities open past remediation time frames are not effectively documented and tracked.” In other words, the agency itself isn’t sure which vulnerabilities have been patched — or even which ones exist.
