A surprising number of IRS employees are sending unencrypted emails containing personal taxpayer information to private accounts, putting that information at risk of being stolen, the agency’s inspector general said Thursday.
Auditors found hundreds of unencrypted emails that risked leaking taxpayers’ personal information, after reviewing a random sample of 80 employees’ emails from the IRS’s Small Business/Self-Employed division over four weeks in 2015. Extrapolated over a year, that could mean more than 1.1 million emails, covering more than 28 million taxpayers’ information, could have been sent by the division.
“These unencrypted e-mails violated IRM requirements and potentially compromised the security of taxpayer information,” Inspector General J. Russell George said.
Most of the unencrypted messages were sent to other IRS employees, posing a lower risk because they were inside the agency’s firewall. But some 15 percent of the messages were sent outside the IRS — including some that IRS agents sent to their own personal email accounts, for reasons that were unclear.
The IRS, in its official response, said the review didn’t prove that information had gotten into the wrong hands, and said most of the messages identified were at least kept within the agency’s firewall.
“These communications are within the extensive protections of the IRS firewall, and pose a minimal risk of disclosure or access,” Karen Schiller, commissioner of the small business division, wrote. “But, nonetheless, we agree that encryption provides an added layer of protection.”
She said the agency has already upgraded some of its checks since the inspector general’s 2015 review.
IRS officials have repeatedly warned employees to be careful with what’s dubbed “personally identifiable information,” or PII in government-speak. Email is a particular risk, the agency says.
Personal information can be sent within the IRS to other employees who have a need to know, but even then it’s supposed to be encrypted. And sending personal information outside the IRS is forbidden, even if a taxpayer gives the OK, unless an exception is specifically approved.
During the four-week test, involving 80 employees, the auditors found 32 of them — 40 percent — broke the rules by sending a total of 326 unencrypted messages containing “tax return information” from more than 8,000 taxpayers.
Of those, 51 were sent outside the IRS. More than half were sent directly to taxpayers, 14 were sent to taxpayers’ representatives, three were sent to other government agencies or third parties, and in six cases employees sent taxpayers’ information to their own personal email addresses. In some cases they sent their own information to themselves — which is still prohibited.
IRS rules allow for employees to be admonished or fired for breaking email privacy — though neither the audit nor the agency’s official response said whether anyone has been disciplined.
In a separate audit released Thursday, the inspector general said the IRS didn’t always take steps to protect data transferred in bulk to other federal agencies, state and local governments, banks or contractors.
“It is essential that the IRS fully protect sensitive personal and taxpayer information that it transmits externally,” Mr. George, the inspector general, said.