Sometimes the IRS needs to send taxpayers’ documents from one location to another. The documents don’t always get there.
An inspector general, in a new report Thursday, found hundreds of examples of the IRS losing taxpayers’ documents in shipments over nearly three years beginning in 2019.
Worse, the agency didn’t always notify the taxpayers that it lost their data, nor did it offer monitoring services to help the taxpayers recover from the breach, the Treasury Inspector General for Tax Administration said.
Sometimes the agency couldn’t even figure out whose information was lost, because the IRS’s record-keeping was so bad. Other times the agency concluded that the lost records related to a business, which the IRS decided presented a low risk and so did not merit identity protection and credit monitoring services.
“The IRS is not adhering to its own internal guidelines when sending large volumes of sensitive taxpayer information to and from its Tax Processing Centers,” the inspector general concluded.
The revelations come at a crucial time for the IRS, which has been facing intense attacks from Republicans who say the agency is unfair, intrusive and reckless.
GOP lawmakers are battling to claw back tens of billions of dollars that President Biden and the Democrat-led Congress pumped into the IRS in last year’s budget-climate legislation.
IRS officials are battling to keep the money. In their official reply to the inspector general, they said that cash will help them improve their systems and should help lessen the risk of losing taxpayers’ information in the mail.
Just before the inspector general’s new report went public, the IRS announced it would use some of the cash infusion to advance its “paperless processing” initiative. The goal, officials said, is to digitize more operations so the average taxpayer can conduct all business electronically and never have to send paper — unless they still want to.
The inspector general said the IRS flagged 599 packages that contained sensitive taxpayer information that were lost between October 2019 and August 2022.
Investigators took a deep dive into 50 of those cases and found just 18 where the IRS identified the taxpayers whose information was lost, notified them of the breach and offered them monitoring services.
In some of the other cases the IRS said it later found the package, or the data it sent was encrypted on an electronic device, so no information could be lost.
But there were seven packages — or 14% of the cases — where the agency said it couldn’t offer assistance to the affected taxpayers because it couldn’t even figure out who they were.
The inspector general scolded the agency, saying that amid the growing threat of identity theft it is “critical” that the IRS figure out how to identify and notify every person whose data the agency loses.
The IRS contracts with a private delivery service to ship documents between its processing facilities in Austin, Texas; Kansas City, Missouri; and Ogden, Utah. Each package is supposed to have a form detailing the contents and tracking when it was sent and received.
When a package is lost, the agency is supposed to evaluate the risk, assigning each case a rating of low, moderate or high impact.
High-impact cases are supposed to be offered identity protection and monitoring services.
When investigators visited the three processing sites last year, they inspected 71 packages with “large quantities of sensitive taxpayer information” that were either coming in or going out. In the vast majority of cases, employees failed to finish Form 3210.
Sometimes the forms were incomplete. Other times they were left out entirely.
Without that information, the IRS can struggle to figure out whose data it lost.
Investigators recounted one lost package that contained a whistleblower case file. Another lost package’s contents were so sensitive that they were redacted in the inspector general’s public report.
The IRS’s rules also call for managers to do quarterly audits of the package process, but the processing centers weren’t following through.
One manager told the inspector general they didn’t know about the rule requiring the quarterly audit. Another said the audits were done “occasionally,” but only to make sure forms were signed and not to verify the accuracy of the transmission.
The inspector general said the audits are supposed to be a way to make sure no unauthorized people got a look at the data.
Kenneth C. Corbin, the IRS’s commissioner at its wage and investment division, said the agency does try to protect taxpayer information it sends between facilities.
“We recognize the risk associated with shipping documents containing sensitive information from one location to another and take steps to mitigate it,” he wrote in the IRS’s response to the inspector general.
That includes “double-packaging and labeling” and a process for flagging lost parcels.
He did not offer an explanation for the cursory approach to record-keeping that the inspector general identified, but he did promise the IRS will do a refresher for managers and employees to remind them of their duties.
He also said the IRS will give more scrutiny to cases where it loses records from a business’s tax filings, and won’t automatically assume there is no risk of sensitive information being compromised.