The Treasury Inspector General for Tax Administration (TIGTA) recently released a report that trashes the IRS method of handling private taxpayer information. The problem involves private contractors and trash removal. Yes, this is one report that gets down and dirty.
The report is nothing if not clear about the problem of identity theft and government responsibility to the public. One part of the problem is taking care of personal data and sensitive but unclassified (SBU) information in a way that protects documents containing this information. However, the results of the TIGTA investigation are actually shocking in the cavalier way in which IRS employees have treated personal information.
The report begins:
In November 2007, the Federal Trade Commission reported that, for the eighth year in a row, identity theft was the number one consumer complaint nationwide and that each year it affects more than 10 million Americans. Consumers have lost more than $45 billion to identity thieves. Taxpayers need to be assured that the IRS is taking every precaution to protect their private information from inadvertent disclosure. This includes, but is not limited to, evaluating the integrity and security of taxpayer data and sensitive information during the collection, disposal, and destruction of SBU waste/PII generated in paper form by the daily business of tax administration.
. . .
At every location we visited, we found documents containing PII or other SBU information in regular waste containers and/or dumpsters. If security policies are not adequately communicated and adhered to, sensitive taxpayer and employee data are at an increased risk of disclosure or other improper usage.
The results of the examination were pretty amazing. Here are a few examples:
As of May 2008, we were unable to locate anything in the Internal Revenue Manual (IRM) or other policy documents assigning responsibility to perform and document site visits to the shred or burn facilities of businesses contracted to destroy SBU waste.
The 13 Territory Managers responding to our questionnaire indicated that no official inspection of the shred/burn contractor’s facilities in their territories had been performed within the last 18 months.
The inspection found evidence of only 2 instances where IRS personnel conducted visitations to shred/burn facilities in the past 2 fiscal years.
Not all Territory Managers were even able to identify the contractor who provided their shred/burn services or where they were located.
None of the four contractor sites we visited had ever received a request from the IRS to inspect their facility or onsite records
We found no documentation to show that any review of the background investigation files was performed by IRS officials.
One contracted shred facility informed us that the IRS had not asked about or checked on the background investigations of their employees in 6 or 7 years, and another stated that the IRS had never done such a check.
At each site visited, we found that keys to SBU waste container locks were identical,
not only within the IRS facility, but also identical to keys for the locks on containers for other
customers of the shred/burn contractors.In one location from an open dumpster located outside the building, we obtained a document containing a complete IRS purchase card number as well as other PII.
In another IRS facility, receptacles specifically provided for recyclable materials were the only trash receptacles available at employee workstations. These containers, which were bright blue and clearly marked “RECYCLE,” were being used by employees throughout the day for SBU waste. We observed contractor employees emptying these containers into regular waste carts while employees were not at their desks. In one location, we found cardboard boxes and trash pails labeled “CLASSIFIED MATERIAL-DO NOT DISCARD.” This local practice is a significant control weakness when cleaning staff are expected to differentiate between standard SBU waste or PII containers and all other labeled waste receptacles. In addition, these labels can be easily misunderstood by contractor employees.
By the way, for those of you who might wonder which IRS offices were examined, they were: IRS offices in Phoenix, Tempe, and Tucson, Arizona; New Carrollton, Maryland; Holtsville, Garden City, and Westbury, New York; and Ogden, Utah.
The report is Treasury Inspector General for Tax Administration (TIGTA), Increased Management Oversight of the Sensitive but Unclassified Waste Disposal Process Is Needed to Prevent Inadvertent Disclosure of Personally Identifiable Information (Reference Number: 2009-30-059)
Comments
Add Comment