IRS Employees Sent Sensitive Taxpayer Info to Their Personal Email Accounts

8,031 taxpayers' personally identifiable information exposed through unencrypted emails

November 17, 2016

IRS employees sent emails with sensitive taxpayer information to their own personal email accounts, according to an audit from the Treasury Inspector General for Tax Administration.

The inspector general found that there were six IRS employees who failed to follow the rules and sent unencrypted emails containing taxpayers' personally identifiable information to their personal email, which risked exposing that information to unauthorized individuals.

Additionally, from May to June 2015, 49 percent of IRS employees in the small business and self-employed division sent 326 unencrypted emails containing 8,031 different taxpayers' personally identifiable information to other IRS employees and other non-IRS email accounts.

Personally identifiable information is defined as anything that can be used to trace an individual's identity, such as Social Security numbers, birth dates, or tax return information. According to the report, the loss, theft, or unauthorized disclosure of this information places individuals at risk for invasion of privacy and identity theft.

IRS employees are directed to encrypt emails to transform their content into unreadable text so that only the end user can see it. Employees who sent unencrypted emails failed to follow the rules, risking exposure of personal information to unauthorized individuals.

Based on the sample of unencrypted emails that were sent during the period from May to June, the inspector general estimates that 1.1 million unencrypted emails could be sent per year, exposing the personal information of 28.2 million taxpayers.

"The IRS has established penalties, ranging from admonishment to removal, for employees who send unencrypted emails with taxpayer personally identifiable information/tax return information; however, there was no evidence provided that these penalties were enforced," the audit said. "Based on additional statistical analysis, we estimate that 3.9 percent of all small business/self-employed division employee emails contain one or more violations, with most being internal emails (3.3 percent)."

Karen Schiller, commissioner at the small business/self-employed division, said the audit shows where the agency can improve upon its controls.

"Ensuring the privacy and security of taxpayer information is a top priority for the IRS and a fundamental component of maintaining the public trust in the tax system and promoting voluntary compliance," Schiller said.

"We are continuously looking for ways to appropriately balance the need to enable our workforce to communicate with each other and with taxpayers electronically, our taxpayers' expectations for more robust electronic communications, and the overriding need to ensure that those communications are secure and guarded from external threats," she continued.

"It is critical that the Internal Revenue Service properly protect taxpayers' personally identifiable and tax return information at all times," said J. Russell George, head of the Treasury Inspector General for Tax Administration. "Not only is this protection required by law; it is essential if taxpayers are to maintain a high level of confidence in the IRS's mission."