Remember the leak of confidential taxpayer information to ProPublica earlier this year? Whatever one’s politics, it’s easy to see it as a reason to worry, given that the IRS evidently either (1) has no way to track down who handled the data in question, or (2) allows access to private data to so many people that it’s impossible to tell who downloaded it. (And if it was an outside hack, well, that’s more worrisome still.)
But it’s not surprising. An August report from the Senate Committee on Homeland Security found cyberprotections throughout the federal government to be ... well, the only word that comes to mind is atrocious. For example, the Department of Transportation was unable to locate 7,231 mobile devices and — get ready for it — 4,824 servers. Tests at the State Department “revealed 450 critical-risk and 736 high-risk outstanding vulnerabilities” and found thousands of active email accounts for former employees, including on the department's classified networks.
At the Department of Education, investigators “successfully transmitted to an external email address a test file containing 200 credit card numbers in a format that should have been blocked according to the Department’s policy.” By exploiting the same flaw, a real document containing thousands or tens of thousands of credit card numbers could have been stolen.
Seven of the eight departments surveyed were equally abysmal at cybersecurity.
If the federal government were a private corporation, trial lawyers would be having a field day. The fact that its agencies are protected by the principle of sovereign immunity is producing exactly the moral hazard problems scholars have long noted.
The issue is government-wide, so it is unfair to single out the IRS and its 81,000 employees. (My own admittedly rare interactions have been excellent.) And the unfortunate bipartisan erosion of the IRS budget over the past decade can hardly have helped it comply with security mandates. Nor did the IG give the agency a failing grade at everything; some of departments seem to be securing data better than others. Moreover, there is some solace in the fact that the 2020 SolarWinds attack on multiple federal agencies apparently failed to gain access to data on individual taxpayers.
Having said that, it is fair to ask whether there might be a point to the widespread skepticism about such new IRS requirements as the one calling for banks to share ever more information about ever-smaller accounts. Maybe a government hungry for more private data should first meet its own standards for security.
Stephen L. Carter is a Bloomberg Opinion columnist. He is a professor of law at Yale University and was a clerk to U.S. Supreme Court Justice Thurgood Marshall. His novels include “The Emperor of Ocean Park,” and his latest nonfiction book is “Invisible: The Forgotten Story of the Black Woman Lawyer Who Took Down America's Most Powerful Mobster.”