IRS Employees Told to Better Handle E-Mail With Sensitive Information

Watchdog says use of unencrypted messages puts taxpayer information at risk. 

Internal Revenue Service employees do not always adhere to official policy on avoiding transmission of private taxpayer information on insecure email, a watchdog found.

Citing the risk of identity theft, the Treasury Inspector General for Tax Administration in a report released Thursday noted that messages sent to recipients outside the agency containing taxpayers’ personally identifiable information were sent using the IRS’ Enterprise e-Fax capability, which does not have encryption capability, or another approved software. Interoffice messages using Microsoft Outlook and attachments, sent on the agency’s Secure Enterprise Messaging System, are encrypted.

But when TIGTA auditors reviewed a random sample of email from 80 employees in the Small Business/Self Employed division in May and June 2015, they found that 39 (or 49 percent) of them sent a total of 326 unencrypted emails containing 8,031 different taxpayers’ personal tax return information. Extrapolating to the larger IRS staff unit, auditors calculated that 11,416 division employees over four weeks sent 95,396 unencrypted emails with private information for 2.4 million taxpayers. If that rate is typical, TIGTA estimated, that means more than 1.1 million unencrypted emails with personal information and tax return information of 28.2 million taxpayers could be sent annually.

Such acts are in violation of the IRS Internal Revenue Manual, and if deliberate, violate the privacy section of the U.S. Code. If a wronged taxpayer were to bring a successful civil action, the employee would be subject to punishment for a felony carrying a fine of up to $5,000 and/or a prison term of five years. 

“It is critical that the Internal Revenue Service properly protect taxpayers’ personally identifiable and tax return information at all times,” said J. Russell George, Treasury Inspector General for Tax Administration. “Not only is this protection required by law; it is essential if taxpayers are to maintain a high level of confidence in the IRS’ mission.”

Auditors also found that 20 emails sent by six employees to personal email accounts involved official IRS business. “SB/SE employees may not be aware of the restriction on using their personal email, because the Standards for Using Email in the IRM do not include this restriction,” the report said.

TIGTA made five recommendations, including that the agency explore the feasibility of a systemic solution to the failure to consistently use encrypted email systems; improve training for line employees and managers, including imposing disciplinary action on violators; require the IRS chief technology officer to update the manual’s standards for email use; and update the EEFax system to allow it to handle encrypted messages.

IRS agreed with the recommendations.