Attention FAE Customers:
Please be aware that NASBA credits are awarded based on whether the events are webcast or in-person, as well as on the number of CPE credits.
Please check the event registration page to see if NASBA credits are being awarded for the programs you select.

Want to save this page for later?

Most Popular Content

TIGTA: IRS Not Tracking Transport of Sensitive Tax Information, Risking Data Breaches

S.J. Steinhardt
Published Date:
Aug 4, 2023

The IRS is violating its own guidelines on transporting sensitive tax information between processing centers, potentially causing an inability to inform and protect taxpayers whose information may be lost as a result, the Treasury Inspector General for Tax Administration (TIGTA) found.

Conducting on-site inspections of 31 incoming packages with large quantities of sensitive taxpayer information received via private delivery carrier at three tax processing centers (Kansas City, Mo.; Austin, Tex.; and Ogden, Utah), TIGTA found that 22 of 31 packages did not include copies of the completed Forms 3210, the official Document Transmittal form that accounts for and controls the shipping of this sensitive tax information.

In addition, TIGTA’s review found that steps were not taken to ensure that the Form 3210 tracking acknowledgement was obtained to confirm requester receipt of this sensitive tax information. It also found that management was not performing required quarterly audits of its Forms 3210 processes and procedures to ensure compliance with internal guidelines. As a result, the IRS is unable to identify, notify, and/or offer protection to taxpayers when sensitive tax information is lost in the mail and at risk for potential identity theft.

TIGTA also conducted on-site inspections of 40 packages with large volumes of sensitive taxpayer information that were ready for shipment from the tax processing centers via private delivery carrier. Of those 40, only one included the required properly prepared Form 3210. Twenty-six did not include the required Forms 3210, and 13 contained incomplete Forms 3210.

Employees told TIGTA auditors that that there would be no way to identify specific taxpayers whose information was compromised when shipments of large volumes of sensitive taxpayer information are lost. The review of the lost packages tracked by the tax processing centers between January 2021 through August 2022 identified 11 lost packages during the period. Two were recovered, but seven of the nine lost packages contained sensitive taxpayer information. The IRS was unable to provide Forms 3210 for two of these seven lost packages.

TIGTA made five recommendations including the following: The commissioner of the Wage and Investment Division, Kenneth Corbin, should ensure that the Form 3210 is completed and included in all packages so actions can be taken to protect taxpayers when a shipment is lost; and that he should ensure that function managers for submission processing files conduct quarterly audits of the Forms 3210 acknowledgment process. Further, the chief privacy officer of the Office of Privacy, Governmental Liaison, and Disclosure should revise internal guidelines to reflect that losses associated with a business are not categorized as low risk automatically and provide notification for business data losses categorized as high risk.

IRS management agreed with four of the recommendations and partially agreed with one recommendation.

The IRS plans to issue a notice to remind employees to include a Form 3210 with shipments of large volumes of tax information. In addition, the agency plans to issue a notice to remind employees to include the taxpayers whose information is shipped on the Form 3210. The IRS also plans to send periodic email communications to the Submission Processing Files functions to ensure Form 3210 reviews are being performed.

Further, the IRS plans to develop a process for conducting quarterly reviews in the files functions. The IRS also updated its data breach response plan to reflect that losses associated with a business are not automatically categorized as low risk.

"We recognize the risk associated with shipping documents containing sensitive information from one location to another and take steps to mitigate it," Corbin told Accounting Today in response to the report. "Sensitive information is protected during shipment through double packaging and labeling. The shipment contents are held in a sealed container that is labeled with the delivery information and that container is in turn enclosed in a separate sealed container that is also labeled for delivery. This practice provides an added degree of protection if a parcel becomes damaged during shipment and the outer container or envelope is breached."

He also told Accounting Today that the IRS tracks all shipments, and if a package is lost, procedures are in place to report the incident. He said that the additional funding from the Inflation Reduction Act will help the IRS digitize more of its processes so that it can significantly reduce the need to ship paper documents and fill out forms manually.