TIGTA Faults IRS Oversight of Private Collection Agencies' Data Security

Chris Gaetano
Published Date: Aug 7, 2018

The Treasury Inspector General for Tax Administration (TIGTA) has issued a report finding that private tax collection agencies, while generally providing a safe environment for taxpayer data, nonetheless needed improvement, as both they and the IRS were not sufficiently covering key vulnerabilities.

The report noted that the IRS was unaware that one of the four private collection agencies it has contracted with could not provide monthly vulnerability scans of systems containing taxpayer data. Further, the report found that three of the four mailrooms for these collection agencies, where taxpayer correspondence and payments are received, were not included in the IRS’s annual security assessments. 

TIGTA also noted that, under the current statutes, the IRS cannot ensure that it is properly apprised of risk associated with private agencies' vulnerabilities. This is particularly salient, given that TIGTA also found that three of the agencies had let critical and high-risk vulnerabilities go more than the required 30 days before being fixed. 

The report also faulted the IRS for failing to enforce the provisions of Publication 4812—Contractor Security Controls with regard to the collection agencies, particularly requirements for cellphone use in relation to IRS data; nor has the IRS ensured that it had encrypted information before transferring it to private agencies.

With regard to the private agencies themselves, TIGTA said one did not have a secure mail-processing area for payments and did not secure misdirected payments prior to sending them to the IRS. Also, one agency did not back up video footage, and three of them did not back up their video footage to an offsite location. 

TIGTA recommended that the IRS update and enforce Publication 4812 to remediate critical and high-risk vulnerabilities within 30 calendar days, clarify all devices that should have vulnerability scans, and ensure timely communication of scan results to the IRS. The IRS should also require that policies be specific on mobile devices connected to systems containing sensitive information and include a mechanism to enforce the policy. TIGTA also recommended that the IRS perform annual assessments of the collection agencies' mailrooms; perform follow-up assessments for any deficiencies identified; and implement stronger security controls over mailrooms receiving taxpayer correspondence and payments, including enhanced security camera coverage to record all sensitive areas. Finally, the IRS should ensure that all taxpayer data at rest—i.e., in storage—being transferred to the collection agencies are encrypted. 

The IRS generally agreed, but said that it only partially agreed with the recommendation to update Publication 4812, as it is in the middle of revising the policy. It also only partially agreed with the recommendation that agencies that do not fix critical problems in 30 days be removed as authorized debt collectors; the IRS said it would update the policies and procedures for private debt collectors, and would consider removing them if they do not fix problems within 30 days.

The IRS private debt collection program was approved in 2015 as part of a highway appropriations bill and formally began in April 2017. It is the third time the government has tried such a thing since 1996; each previous time it has used private agencies to collect delinquent tax debt, the program was eventually shuttered after having been found to cost more money to maintain than it was bringing in.

In a 2014 letter to Congress, National Taxpayer Advocate Nina E. Olson expressed concern about reviving the program, saying that, based on her previous experience with it, "I concluded the program undermined effective tax administration, jeopardized taxpayer rights protections, and did not accomplish its intended objective of raising revenue. Indeed, despite projections by the Treasury Department and the Joint Committee on Taxation that the program would raise more than $1 billion in revenue, the program ended up losing money. We have no reason to believe the result would be any different this time." In her 2017 report to Congress, Olson said that this latest iteration has failed to deliver the revenue that lawmakers anticipated. She said that private debt collectors were able to recover $6.7 million in delinquent tax debt, at a cost of $20 million.
