If you are a regular reader of this blog, you are aware that the IRS has been repeatedly hacked and that sensitive taxpayer information has been captured by these hackers.
The IRS has taken steps to tighten up its computer systems in an effort to avoid future hacking. But what about instances where the IRS sends sensitive taxpayer information to other IRS employees, other government agencies, financial institutions and contractors?
That information is also vulnerable to “phishing” unless it is sent via encrypted emails. According to a recent report by the Treasury Inspector General for Tax Administration (TIGTA), more than 28,000,000 taxpayers in the United States may have had their sensitive personal information transmitted by the IRS to others via unencrypted emails.
TIGTA performed two separate audits of the IRS regarding this issue and found that the IRS did not enforce its own email encryption protocols to protect taxpayer data. In one sampling of the Small Business/Self-Employed Division of the IRS, TIGTA discovered that 49% of the emails sampled were not encrypted.
Of the eighty employees who were monitored, thirty-nine employees sent 326 unencrypted emails containing sensitive taxpayer data for 8,031 different taxpayers. TIGTA verified that the emails identified in the audit violated internal IRS policies and procedures and that the names of the employees who violated this policy were sent to IRS management, alluding to likely disciplinary action against these individuals.
That said, TIGTA did state that there is no allegation of criminal wrongdoing regarding these emails. We find it somewhat shocking that the IRS sent emails that contained sensitive taxpayer data without using proper encryption methods required by its own policies and procedures. We have recently begun using encryption in our emails to our clients in an effort to protect their data. What do you think?