In this week’s column, tax expert Andrew Leahey writes that the IRS needs to conduct a complete audit and revamp its security and staffing protocols to prevent further data leaks and breaches.
Last month, a consultant working with the IRS was charged in connection with stealing and leaking to news outlets tax return data on a notable, but unnamed, public official and thousands of the nation’s highest earners.
If one thinks public officials’ tax returns should be a matter of public record or suspects high earners aren’t paying their fair share, they might applaud the leak and leaker.
But those who’d defend the income privacy of public and noteworthy individuals—and all taxpayers, for that matter—would condemn the leak. The exposure of private tax information raises concerning questions about the state of IRS information security and the staffers it engages. The agency needs to conduct an immediate, complete, and transparent audit and security protocol overhaul and reconsider how it vets contractors and employees.
An Era of Data Leaks
The general trend of data leaks and recurring nature of unauthorized data access at the IRS is particularly worrying. In 2015, hackers gained access to the personal tax information of more than 100,000 taxpayers. Last year, an IRS employee noticed the private tax information of more than 120,000 more taxpayers had been publicly available on the IRS website for almost a year—long enough to allow search engines to spider and index the information.
The concept of big data and the technologies required to keep private information private are still in their infancy, relatively speaking. The general frequency of leaks has the potential to desensitize the public to each new exposure.
What the IRS Should Do
The IRS received an $80 billion infusion of cash last year to modernize and improve taxpayer experience. House Republicans and the White House agreed to reduce that amount to $60 billion as part of the deal to raise the debt limit, and Republicans are interested in cuts that go beyond that.
Assuming the IRS budget isn’t whittled away to a toothpick, the agency must focus on enhancing personnel security and data security—especially in the direct file division. The last two widely reported leaks stemmed from a bad actor and an errant snippet of code. Neither of these two causes can be ameliorated entirely, but a transition in staffing strategies can at least lessen the risk.
First, the IRS should shift away from using short-term contractors for work that involves access to private tax information. Classifying a worker as an employee rather than a contractor isn’t a magic wand for eliminating bad actors, but it would allow for more rigorous background checks, and tie in to existing employee training programs and ongoing security audits. It would also raise the risks for employees who access or leak private tax information inappropriately.
The Government Accountability Office has made numerous recommendations to revamp the contractor program since 2010, many of which have gone unimplemented. A GAO report noted 97% of employees completed all threat training goals, while contractors topped out at 74% for one module, illustrating a major disparity.
The IRS announced plans to hire an additional 3,700 employees following the budget expansion under the Inflation Reduction Act. A substantial portion of those employees should be brought on to shift away from the contractor system.
To the extent private tax information is available to employees or contractors who don’t need access to said information, there should also be security protocol reform. The leaker in the aforementioned case worked on data process management—employees in similar positions shouldn’t have access to tax returns.
Finally, the IRS should consider offering so-called bug bounties for private tax information and security vulnerabilities. Tech companies such as Apple Inc. and Meta Platforms Inc. have offered rewards to ethical white-hat hackers who discover vulnerabilities or security holes and report them to the company rather than exploit them for personal gain.
The same can easily be applied to security vulnerabilities in the tax system and be open to IRS employees and outsiders alike. The overarching idea is to provide a legal source of value to counteract the value of selling vulnerabilities or leaked data illegally.
Public Trust and Transparency
Most importantly, the IRS needs to proceed with reforms and a security audit in full view of the public. The agency has a responsibility, and a requirement inherent in our voluntary taxation system, to maintain public trust.
This may need to entail bringing in third-party auditors for accountability purposes. An audit by an unbiased outside entity could help assuage the public’s concern and illuminate shortcomings in the system that may need fresh eyes to find. This is especially important considering private sector pushback against the direct-file system—any future leaks that can be attributed to the system will be used to argue for its dismantling.
Unknown Leaks
It’s easy to become jaded and either think that leaks are inevitable in our data-driven world or allow the unsympathetic nature of the taxpayers who suffered this leak to blind us to the underlying problem. For every leak of a public figure that makes headlines, there may very well have been another less flashy breach of information protocols.
How many vendettas may have been furthered with a quick perusal by a contractor of a personal enemy’s tax information? Perhaps the answer is none, and this was indeed the first such breach. But absent a change in protocol, more will certainly follow.
The question isn’t if, but when, another leak will happen—the IRS needs to be out ahead of the news detailing what they’ve done to make each successive breach more likely to be the last.
Andrew Leahey is a tax and technology attorney, principal at Hunter Creek Consulting, and adjunct professor at Drexel Kline School of Law. Follow him on Mastodon at @andrew@esq.social.
