Today I received an alert from the IRS that a new version of Publication 4557 is available. (At this point, only the web version of the publication is available.) Interestingly, the IRS notes the following:
To safeguard taxpayer information, you must determine the appropriate security controls for your environment based on the size, complexity, nature and scope of your activities. Security controls are the management, operational and technical safeguards you may use to protect the confidentiality, integrity and availability of your customers’ information. Examples of security controls are:
1. Locking doors to restrict access to paper or electronic files;
2. Requiring passwords to restrict access to computer files;
3. Encrypting electronically stored taxpayer data;
4. Keeping a backup of electronic data for recovery purposes;
5. Shredding paper containing taxpayer information before throwing it in the trash.
6. Do not mail unencrypted sensitive personal information.
Further, Authorized IRS e-file Providers that participate in the role as an Online Provider must follow the six security, privacy and business standards to better serve taxpayers and protect their individual income tax information collected, processed and stored. See “Safeguarding IRS e-file” in Publication 1345 for more information. [emphasis added]
There’s nothing wrong with these recommendations; in fact, they’re excellent. But note that the IRS says that authorized e-file providers that participate in the role as an Online Provider must follow these rules.
I highlighted the last rule (#6, above) regarding mailing unencrypted sensitive personal information. Why? Because the IRS is one of the biggest offenders in this area. Indeed, just yesterday TIGTA (the Treasury Inspector General for Tax Administration) issued a report stating this. From the TIGTA press release:
In Fiscal Year 2014, the IRS mailed more than 141 million notices and 37 million letters to taxpayers for various reasons, to help them understand and meet their tax obligations. In a prior review, TIGTA reported that the IRS had not made significant progress in redacting or masking taxpayers’ SSNs from systems, notices, and forms. This audit was initiated to assess the IRS’s progress in eliminating taxpayer SSNs from correspondence.
TIGTA found that as of January 2015, the IRS estimates that it has removed SSNs from 58 (2 percent) of the 2,749 types of letters and 93 (48 percent) of the 195 types of notices it issues.
“A person’s Social Security Number is the most valuable piece of personal data identity thieves can obtain,” said J. Russell George, Treasury Inspector General for Tax Administration. “The fact that the IRS does not have processes and procedures to accurately identify all correspondence that contain Social Security Numbers remains a concern.”
There’s not much to add to this. The IRS needs to act on this as they are a far larger source of identity theft than tax professionals. I state that as I open up an IRS letter and an IRS notice to clients that both contain their Social Security numbers. And there was the IRS notice which didn’t have the full Social Security number but put the number within a bar code instead….