Taxman is not timely with data breach notice, auditors find

The TIGTA reviewed 98 incidents involving the inadvertent disclosure of taxpayers' personally identifiable information and found that 27 cases required notification to taxpayers. In 74% of the cases requiring notification, the taxpayers were not notified in a timely manner.

“We considered notifications timely if taxpayers were sent notifications within 45 days of the date the incident was reported to or identified by the IRS. The notification letters in the sample averaged 86 days”, the TIGTA said.

In addition, TIGTA found that in 5% of the 98 cases, the taxpayer was not notified because IRS employees did not document the identity of the individual. In 10% of the cases, the IRS did not notify the individual because it did not consider disclosure of tax account information to fit the definition of personally identifiable information.

In 21% of the 98 cases, the IRS closed the case without notifying taxpayers that their personally identifiable information had been disclosed, because the disclosure was made to individuals with power of attorney responsibilities, state agencies, law firms, or payroll processors. The IRS considers that these individuals and businesses do not pose a likely risk of identity theft, the auditors said.

In total, IRS records showed that there were 4,081 inadvertent disclosures of taxpayers’ personally identifiable information in fiscal years 2009 and 2010.

TIGTA recommended that the IRS educate employees on the importance of obtaining sufficient information on individuals whose personally identifiable information is disclosed, revise its procedure so that disclosure of tax account information qualifies as a disclosure of personally identifiable information that requires taxpayer notification, implement a timeliness measure for notification, and implement controls to ensure that all incidents are accurately documented and considered.

The IRS agreed with the recommendations. Among other things, the agency said it plans to strengthen procedures to address identity theft and expand current time metrics to include the elapsed time between initial incident reporting and taxpayer notification.
