The U.S. Internal Revenue Service (IRS) is entrusted with the vital responsibility of safeguarding sensitive taxpayer information. Recent incidents of potential unauthorized access to or disclosure of this data have raised concerns and prompted a thorough review by the Government Accountability Office (GAO).
In its latest report, the GAO has identified significant weaknesses in how the IRS protects taxpayer information. While the IRS has implemented many data safeguards, gaps remain in contractor oversight, monitoring capabilities, training, and technical controls.
The GAO report found that IRS contractors had much lower cybersecurity and privacy training completion rates than IRS employees in 2021. For example, only about 65% of contractors took mandatory Insider Threat Awareness training versus more than 97% of IRS staff.
The report highlighted that the IRS does not have full visibility into unauthorized access incidents across its systems. The IRS cannot monitor all staff constantly, but its incomplete inventory of systems containing taxpayer data limits detection efforts, the GAO found.
Additionally, the GAO found that some IRS officials responsible for overseeing contractors did not fully understand the requirements for reporting data access violations. Clear guidance and training could improve reporting and response.
On the technical side, the IRS has not addressed control weaknesses previously identified by the GAO and inspectors general, for example by fully encrypting data. The IRS also has not assessed the risks of its method of sharing taxpayer information with private collection agencies.
The report made 15 recommendations to the IRS, including establishing contractor training goals, maintaining a comprehensive system inventory, monitoring contractor violations, providing guidance to staff on reporting requirements, and addressing the IT control gaps.
The GAO also suggested Congress give the IRS express authority to inspect other agencies' safeguards for taxpayer data in certain situations. The IRS currently lacks a way to ensure the protection of taxpayer information shared with some federal agencies.
In light of recent incidents involving potential unauthorized access to taxpayer data, the GAO report underscores the importance of the IRS taking actions to improve oversight, monitoring, training, and security controls. Fully implementing these recommendations will help provide taxpayers with greater assurance that their personal information is being appropriately protected.