A recent report from the Treasury Inspector General for Tax Administration (TIGTA) found that IRS employees sent unencrypted emails that contained the personally identifiable information (PII) of 8,031 different taxpayers.
According to the report, TIGTA found 326 unencrypted emails containing taxpayer data. 275 of the emails were sent internally within IRS, while 51 emails were sent outside of the agency’s network to non-IRS email accounts. Of those emails sent externally, 20 were sent to six IRS employees’ personal email accounts.
Where the emails were sent bears directly on the level of security risk to the taxpayer data. The report noted that unencrypted emails sent within the IRS internal network were of lower risk because they remained behind the agency’s firewalls, which greatly lowers the probability that a third party could access them. The emails sent outside of the agency, however, were exposed to greater risk, not only because they were not encrypted but because they no longer had the protection afforded by the firewall.
Additionally, for the emails sent to personal accounts, the report noted that per IRS policy, no officer or employee of the IRS may use a personal email account to conduct official business.
326 emails containing 8,031 different taxpayers’ data may not sound like much, but TIGTA had this to say about its findings:
Based on our sample results, we estimate that 11,416 SB/SE Division employees sent 95,396 unencrypted e-mails with taxpayer PII/tax return information for 2.4 million taxpayers during the four-week period of our sample. If this four-week period is typical, we estimate that more than 1.1 million unencrypted e-mails with taxpayer PII/tax return information of 28.2 million taxpayers could be sent annually.
Based on its findings, TIGTA recommended that the IRS consider implementing a systemic solution to ensure that PII/tax return information is encrypted and, until such a solution is in place, consider requiring the default Outlook setting for certain employees to encrypt sent email messages. It also recommended that appropriate disciplinary action be taken against employees when email violations occur.
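The "systemic solution" TIGTA describes is, in practice, a data-loss-prevention check on outbound mail. The following is an added illustration, not code from the TIGTA report or from the IRS: it scans a constructed set of messages for a taxpayer PII indicator (a Social Security number) and sorts each unencrypted hit into the same three tiers the report uses (internal, external, and personal webmail accounts). The agency domain `irs.gov` as the mail domain, the list of personal webmail domains, and the sample messages and SSN values are all assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumptions for this example (not taken from the TIGTA report):
# the agency's mail domain and a short list of consumer webmail domains
# that are treated as "personal" accounts.
AGENCY_DOMAIN = "irs.gov"                                     # hypothetical
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com"}  # constructed list

# Minimal taxpayer-PII indicator: a US SSN in dashed form. The lookaheads drop
# area/group/serial values that are never issued (000, 666, 9xx, 00, 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Email:
    sender: str
    recipient: str
    encrypted: bool
    body: str


@dataclass
class Finding:
    recipient: str
    destination: str   # "internal", "external" or "personal"
    risk: str          # "low", "high" or "policy-violation"
    ssns: List[str]    # distinct SSNs found in the body


def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def classify_destination(recipient: str) -> str:
    """Tier the recipient the way the report does: inside the agency network,
    a personal webmail account, or any other external address."""
    domain = domain_of(recipient)
    if domain == AGENCY_DOMAIN:
        return "internal"
    if domain in PERSONAL_DOMAINS:
        return "personal"
    return "external"


def assess(email: Email) -> Optional[Finding]:
    """Return a Finding when a message sent from the agency carries taxpayer PII
    and either is unencrypted or goes to a personal account; otherwise None."""
    if domain_of(email.sender) != AGENCY_DOMAIN:
        return None                       # only agency-originated mail is in scope
    ssns = sorted(set(SSN_RE.findall(email.body)))
    if not ssns:
        return None                       # no PII indicator, nothing to flag
    destination = classify_destination(email.recipient)
    if destination == "personal":
        # Policy bars personal accounts for official business regardless of encryption.
        risk = "policy-violation"
    elif email.encrypted:
        return None                       # encrypted and not personal: compliant
    elif destination == "internal":
        risk = "low"                      # still behind the agency firewall
    else:
        risk = "high"                     # cleartext PII left the agency network
    return Finding(email.recipient, destination, risk, ssns)


def scan(emails: List[Email]) -> List[Finding]:
    return [f for f in (assess(e) for e in emails) if f is not None]


def summarize(emails: List[Email]) -> Dict[str, int]:
    """Counts per risk tier plus the number of distinct taxpayers exposed,
    mirroring the breakdown TIGTA reported."""
    summary = {"low": 0, "high": 0, "policy-violation": 0}
    taxpayers = set()
    for finding in scan(emails):
        summary[finding.risk] += 1
        taxpayers.update(finding.ssns)
    summary["distinct_taxpayers"] = len(taxpayers)
    return summary


# Constructed sample mail; SSNs are made-up values, not real identifiers.
SAMPLE_EMAILS = [
    Email("agent@irs.gov", "reviewer@irs.gov", False, "Case notes, SSN 123-45-6789"),
    Email("agent@irs.gov", "cpa@example-firm.com", False, "Client SSN 234-56-7890"),
    Email("agent@irs.gov", "agent.home@gmail.com", False, "Take home: 123-45-6789"),
    Email("agent@irs.gov", "reviewer@irs.gov", True, "Encrypted: 345-67-8901"),
    Email("agent@irs.gov", "cpa@example-firm.com", False, "Meeting moved to 3pm"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EMAILS):
        print(f"{f.risk:16} {f.destination:9} -> {f.recipient} ({len(f.ssns)} SSN)")
    print(summarize(SAMPLE_EMAILS))
```

Running the block flags three of the five messages: one low-risk internal message, one high-risk external message, and one policy violation to a personal account, covering two distinct taxpayers. The encrypted internal message and the PII-free external message pass. A production control would add more PII signals (names plus dates of birth, tax form identifiers) and would act on the finding by forcing encryption or blocking the send rather than just reporting it.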
A copy of the report is included below.