The Internal Revenue Service (IRS) put personal taxpayer information at risk of exposure by using unsecured emails, according to a report released Thursday.
The Treasury Inspector General conducted a random sample of agency emails sent between May and June 2015. The review estimates that 11,416 employees sent 95,396 unencrypted emails during that time. The Personally Identifiable Information (PII) and tax return information of 2.4 million taxpayers might have been at risk of exposure.
“If this four-week period is typical, we estimate that more than 1.1 million unencrypted e-mails with taxpayer PII/tax return information of 28.2 million taxpayers could be sent annually,” the report detailed. “Employees sent unencrypted e-mails with taxpayer PII/tax return information internally to other IRS employees or externally.”
The Inspector General based its estimate on a sample of 80 agency employees, who primarily worked in the Small Business and Self-Employed Division. The review determined that 49 percent of the sampled employees sent unsecured emails during the four weeks.
“Encrypting internal e-mail does not guarantee that malicious internal users could not inappropriately access e-mails with taxpayer PII/tax return information and misuse the information for their own benefit,” the report also said. “However, failure to encrypt internal e-mails with taxpayer PII/tax return information could result in compromised security from careless internal users who might inadvertently send it to unauthorized individuals.”
The report adds that the majority of unsecured emails were sent internally, which carries a lower risk of exposure. The use of unsecured emails nevertheless violated internal agency rules: the Internal Revenue Manual (IRM) prohibits agency employees from sending personal information through unsecured emails.
“The IRS has established penalties, ranging from admonishment to removal, for employees who send unencrypted e-mails with taxpayer PII/tax return information,” the report said. “There was no evidence provided that these penalties were enforced.”
Although the Inspector General determined that most of the unsecured emails were sent internally, some employees used personal email accounts outside the agency to conduct official government business. Those employees violated internal agency rules but likely did not break the law.
“Pursuant to a recent change in the law, no officer or employee of the IRS may use a personal e-mail account to conduct any official business of the Government,” the report said. “These e-mails were sent prior to the enactment of the law prohibiting use of personal e-mail accounts to conduct official business, so they were not in violation of the law, but they did violate IRS procedures.”
The Inspector General places the blame on the agency itself rather than on the employees who used personal email accounts. Its review found that the agency failed to provide adequate information to its employees, who likely did not know they could not use personal email to conduct government business.
“The Standards for Using Email IRM does not include specific guidance regarding employees’ use of personal e-mail accounts to conduct official business,” the report stated. “Division employees may not have been aware of the restriction on using their personal e-mail.”
The Inspector General makes several recommendations on how the agency should fix the issues. It states that the agency should look into a systematic digital solution to prevent future violations, provide additional compliance training, and ensure that agency managers are aware of the violations involving unencrypted emails.
The IRS responded to the report by agreeing with the recommendations. The agency notes that it has already begun implementing internal procedures to address the issues; the Privacy, Governmental Liaison and Disclosure office, for instance, has already issued interim guidance memorandums addressing the email issue.
The IRS did not respond to a request for additional comment by InsideSources.