By Martin H. Bosworth
ConsumerAffairs.com
March 29, 2006
The federal watchdog Government Accountability Office (GAO) warns that the Internal Revenue Service is endangering Americans' personal information through significant weaknesses in the storing of the taxpayer data it collects.
The GAO report claimed that though the IRS was making "significant progress" in correcting a list of security flaws in its administrative and security processes, it found "new information security control weaknesses that threaten the confidentiality, integrity, and availability of IRS's financial information systems and the information they process."
The agency was already under fire for its plan to sell taxpayer information to third parties.
Among the weaknesses the GAO catalogued in its study:
The IRS did not adequately secure passwords or administer passwords in ways that prevented misuse. One surveyed IRS office stored user passwords in "clear text" and "readable form," where anyone could look at them.
Guards at IRS branches failed to verify the photo identification of visitors as IRS employees until the GAO analysts notified the branches of the problem.
The agency did not provide specialized training for its employees who had sensitive, security-specific duties. Of nearly 3,000 reported agents with security-sensitive duties, only 300 received special training, according to the report.
The IRS also failed to provide proper oversight and training for contractors working with the agency.
Previous GAO reports had noted the IRS' lack of control over the access outside contractors had to Social Security numbers, a key component of identity fraud.
The latest report credited the IRS with improvements to its security processes, such as instituting regular reviews of user access to its mainframe servers, and stronger controls over securing user names and passwords.
In written comments submitted with the report, IRS Commissioner Mark Everson said that "the IRS takes security and privacy responsibilities very seriously."
"We are aware that effective information security controls are essential for insuring information is adequately protected from inadvertent or deliberate misuse," Everson said.
In addition to its plans to allow tax preparers to sell customer information, the IRS has been embroiled in several other scandals relating to how it handles taxpayer records.
The agency was accused of "outrageous abuses of public trust" after one of its contract vendors was found to be collecting information on taxpayer voting preferences. It also has stopped sharing its audit data on large businesses and corporations, leading to several lawsuits by public interest advocacy groups in order to regain access to the information.
The IRS also came under fire from its "in house critic," the Taxpayer Advocates' Service, for wrongfully freezing the refunds of thousands of Americans while investigating them for fraud. Many taxpayers were never told they were being investigated or why.