IRS Chief Says He Won’t Blame Data Breach on Budget Crunch

In the hot seat before a Senate panel probing the recent data breach of the Internal Revenue Service, Commissioner John Koskinen on Tuesday said the recent theft of personal identifying information of more than 100,000 taxpayers was not related to his agency’s budget crunch.

“I don’t want everyone to think every problem we have is a budget problem—there are issues of management,” Koskinen told a Senate Homeland Security and Governmental Affairs Committee reviewing the tax agency’s efforts to tighten its website user authentication security procedures.

But in his broader testimony, the commissioner characterized the recent cyberattack as a “shot across the bow from increasingly sophisticated criminals” that reinforces his agency’s urgent need for a budget hike. “The challenge is a continuing attack on our basic databases, some of which are on antiquated systems,” he said. “The underfunding of information technology investments leave us vulnerable because of our 50-year-old systems,” some of which are no longer supported by software manufacturers.

“Congress can help by approving the president’s fiscal 2016 budget request, which includes $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure,” he said. “Even with our constrained resources as a result of cuts to our budget totaling $1.2 billion since 2010, we continue to devote significant time and attention to” the challenge of securing systems and protecting taxpayer information from identify thieves.

The IRS also depends on Congress to enact an acceleration of the deadline for employers to prepare W-2 earnings forms for employees to give the IRS more time for third-party verification of income claimed on tax returns, he said. For its part, the IRS had reorganized its identify theft operations to consolidate them into a single unit set up like a private sector call center, Koskinen said. This should ease the burden on taxpayers who phone in to report problems by equipping multiple staff members with records of each taxpayer’s complaint, he noted.

Earlier in the day, Koskinen appeared before the Senate Finance Committee to discuss the data breach and again pivoted to the IRS’ shrunken budget. He asked Congress for renewed funding for the agency’s “streamlined critical pay” program, which dates back to 1998 reforms of the agency. Under that program, IRS can mimic private sector hiring practices by recruiting and quickly onboarding up to 40 executives with IT and other specialized skills who earn pay above the Senior Executive Service levels. Koskinen said since he arrived at the IRS in December 2013, half the critical pay executives have left and two key candidates turned down the opportunity because of pay limits.

Appearing alongside Koskinen and bearing some cheerier news was J. Russell George, the Treasury Department’s inspector general for tax administration. A recent audit prepared before news of the data breach broke showed that “during the past several years, the IRS has continued to take steps to more effectively detect and prevent the issuance of fraudulent refunds resulting from identity theft.” During the 2013 filing season, the agency prevented between $22 billion and $24 billion in identity theft tax refunds from being issued, the IG reported, citing the effective use of filters to flag suspicious returns and the placement of locks on the accounts of deceased individuals.

“At the same time the IRS is operating with a reduced budget, it continues to dedicate significant resources to detect and review potential identity theft tax returns as well as to assist victims,” George testified. “Resources have not been sufficient for the IRS to work identity theft cases dealing with refund fraud, which continues to be a concern.”

George was less laudatory, however, of the IRS’ record on following his staff’s recommendations for heading off identify theft.