Your Tax Data at Risk: Why the IRS Must Prioritize Cybersecurity

Our tax system imposes huge time burdens and out-of-pocket costs on taxpayers. Lax safeguards in the Internal Revenue Service's information technology (IT) systems also put taxpayers' information at risk.

A new evaluation of the IRS cybersecurity program by the Treasury Inspector General for Tax Administration (TIGTA) found that it was ineffective in 17 of 20 core metrics of security. The Office of Management and Budget, the Council of the Inspectors General on Integrity and Efficiency, the Federal Civilian Executive Branch Chief Information Security Officers, and the intelligence community collaborated to develop these metrics.

Problem areas identified at the IRS include the handling of the privacy of taxpayer data, managing who has access to the IRS's cloud systems, and monitoring and logging information on access to and changes of records. The report also raised the issue of the tax agency's sprawling and fragmented IT system: the IRS does not even have a complete inventory of systems that it has to monitor.

Enhancing IT security is crucial because the amount of financial data vacuumed up every year by the IRS makes the systems a target for cyberattacks and unauthorized access. In addition to the information taxpayers file with their taxes, the IRS receives third-party information from employers and financial institutions. NTUF's newest tax complexity study found that the IRS collects 14 third-party report forms for every single man, woman, and child in the United States. This is almost double the number from a decade ago. And there are frequent legislative proposals to have even more data sent to the IRS.

All of this data can be at risk if the IRS does not improve its cybersecurity. TIGTA warns why this is so crucial:

The IRS needs to take further steps to improve its security program and fully implement all security program components in compliance with Federal requirements; otherwise, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure. 

There are also real-life examples of IRS employees snooping on taxpayer data and other unauthorized access over the years. Last September, the IRS accidentally released information on 120,000 taxpayers who filed Form 990-T. In 2021, a massive trove of private taxpayer information was leaked to ProPublica. Nearly two years have passed, and the source of the leak has yet to be publicly identified.

The Inflation Reduction Act locked in $80 billion in additional funding for the IRS over the next ten years. More than half of this amount, $46 billion, is provided for tax enforcement activities, $3 billion for taxpayer services, and $5 billion for business system modernization, an effort to replace the IRS’s aging technology systems. As suggested by the National Taxpayer Advocate and other former IRS officials, some of the enforcement funding should be reallocated to other areas including taxpayer services and IT improvements.

Shifting some of those funds to business system modernization could help the IRS to finally replace the 1960s-era computer programming undergirding the Individual Master File, the core system the IRS uses to store and process tax returns. Achieving this long-sought goal would improve both administration of the tax code and services for taxpayers by streamlining access to information. Equally important in this process is boosting IT security and internal controls to make sure that taxpayers know their data is safe from unauthorized access by cybercriminals and others with malicious intent.