The IRS punished hundreds of employees for unauthorized access of taxpayer info this past decade
The IRS substantiated more than 450 instances of willful, unauthorized access of taxpayer information by employees between fiscal years 2012 and 2021, according to a Government Accountability Office report released Thursday.
IRS employees are only supposed to access confidential tax return information like Social Security Numbers when required, but the agency found them in violation in 27% of its 1,694 investigations.
Both the IRS’s Privacy, Governmental Liaison and Disclosure and Cybersecurity operations train and remind employees about protecting sensitive information and IRS systems, and there’s a monitoring and reporting structure for identifying unauthorized access (UNAX) and disclosures.
“The U.S. tax system is based on voluntary compliance,” read GAO‘s findings. “One factor that may influence an individual’s willingness to voluntarily comply with the tax system is the confidence that IRS is protecting one’s personal and financial information.”
Employees found to have committed UNAX are generally suspended or removed or they resign, and they may be criminally or civilly prosecuted with imprisonment or fines as possible punishments. During the period GAO surveyed, 82% of UNAX violators were suspended or removed or they resigned, and all violators who also committed unauthorized disclosure, which occurred 12% of the time, were removed.
The IRS confirmed 24% of 204 unauthorized disclosure cases.
Employees who attempt to access their own information or that of a spouse or child typically receive anywhere from a 14-day suspension to removal.
GAO found the IRS notified 51 taxpayers their information was improperly accessed as a result of 11 UNAX violations in fiscal 2021.
The Treasury Inspector General for Tax Administration investigates UNAX and unauthorized disclosure cases based on reports it receives and its own analysis and may refer those it substantiates to the Department of Justice. Between 2012 and 2021, DOJ accepted 35 such cases, resulting in 24 guilty verdicts, and the IRS closed 25 cases where a criminal indictment was returned.
Cases usually took TIGTA 464 days to investigate and close with most violations committed by permanent, full-time employees.
Non-managerial employees committed most unauthorized disclosures, while managers committed less than 10% of UNAX and 15% of unauthorized disclosures. And employees with less than six or more than 21 years of service were less likely to commit violations.
More than half of UNAX cases were in the Wage & Investment Division, and about 30% were in the Small Business Self-Employed Division.
Presented with GAO’s findings, the IRS resolved to further improve incident monitoring and reporting.
“The small number of employees who do not uphold our standards face serious discipline up to and including removal from the IRS,” reads the agency’s response. “We will continue to educate our employees and refine our capabilities to detect UNAX and unauthorized disclosures as these efforts are key to ensuring that taxpayers can trust that the information provided to the IRS will be protected and only used for legitimate tax administration purposes.”