Confidentiality of Tax Data

The Internal Revenue Service (IRS) has two approaches for implementing the Taxpayer Browsing Protection Act, which made willful, unauthorized inspection of taxpayer data illegal. Over the long term, IRS believes that modernizing its core automated systems offers the best way to prevent and detect unauthorized access to taxpayers data. According to IRS, modernization (1) will allow it to restrict employees' access to those taxpayer records that they have a work-related reason to look at and (2) enable it to detect unauthorized access almost as soon as it happens. It will be several years, however, before modernization becomes a reality. In the meantime, IRS has taken other steps to deter, prevent, and detect unauthorized access and ensure that consistent disciplinary action is taken when unauthorized access is detected. For example, IRS now provides briefings to all employees on unauthorized access. It has also created a unit to track proven access violations and to help administer penalties. Between October 1997 and November 1998, IRS identified 5,468 potential instances of unauthorized access and completed preliminary investigations of 4,392 of those leads. In 15 cases, IRS determined that employees had intentionally accessed taxpayer data without authorization. These employees either resigned or were fired.

GAO noted that: (1) the IRS has two approaches for implementing the law; (2) over the long term, IRS believes that modernizing its core automated systems offers the best means to prevent and detect unauthorized access to taxpayer data; (3) according to IRS, modernization will: (a) allow it to restrict employees' access to only those taxpayer records that they have a specific work-related reason to look at; and (b) enable it to detect unauthorized accesses almost as soon as they happen; (4) it will be several years, however, before this modernization becomes a reality; (5) in the meantime, IRS has taken several other steps directed at deterring, preventing, and detecting unauthorized access and ensuring that consistent disciplinary action is taken when unauthorized access is proven; (6) between October 1, 1997, and November 30, 1998, the Office of the Chief Inspector identified 5,468 potential instances of unauthorized access and completed preliminary investigative work on 4,392 of those leads; (7) of those 4,392 leads, 338 were determined to warrant further investigation; (8) many of these 338 cases were still under investigation or adjudication as of January 25, 1999; (9) using data provided by IRS, GAO identified 36 cases for which investigation and adjudication had been completed; (10) of those 36 cases, 15 involved an IRS determination that IRS employees had intentionally accessed taxpayer data without authorization; (11) in the other 21 cases, IRS determined that either there was no unauthorized access or the access was accidental; (12) according to IRS, employees involved in the 15 cases of intentional unauthorized access either resigned in lieu of termination or were terminated; (13) according to IRS data, proven cases of unauthorized access that occurred after enactment of Public Law 105-35 have generally been referred to U.S. Attorneys for prosecution, and these U.S. Attorneys have, with one exception, declined to prosecute; (14) according to IRS, the one case that was accepted for prosecution was still open as of February 2, 1999, but the employee had been removed from the agency; and (15) as required by the law, IRS notified the three taxpayers whose data the employee had accessed.