The Internal Revenue Service needs to pick a deadline to stop or reduce the use of Social Security numbers on its outgoing correspondence, according to a new audit report.
The report, issued last week by the Treasury Inspector General for Tax Administration, stated that the IRS plan, which is a response to concerns over protection of personal information, “lacks milestones for progress.”
Taxpayers need to be assured that their private information is being protected, Treasury Inspector General for Tax Administration J. Russell George said in a statement. More than 130 million taxpayers entrust the IRS with their Social Security numbers and other personal and financial information. Nearly 42 million notices, most of which included taxpayers’ SSNs, were mailed out in the first five months of this year.
"A person's Social Security number is the most valuable tool an identity thief can obtain to commit financial fraud, and it becomes even more valuable if it is linked to other personal data, such as information required to prepare a tax return", George said. "The IRS must improve its strategy to effectively ensure the protection of this information.”
The IRS agreed with the recommendations and has implemented “a more strongly organized process” for maintaining documentation related to accomplishing goals in its SSN Elimination and Reduction plan, which was first developed in 2007.
The IRS is focusing first on internal forms that use SSNs and eliminating employees’ SSNs from its system, although the ultimate goal is to reduce the agency's reliance on taxpayers’ SSNs as identifiers. The report states that the IRS will not be eliminating use of SSNs “in the immediate future,” as they are used in connection with more than 500 different computer systems, 6,000 kinds of internal and external forms, and 20 categories of individual taxpayer notices. So far, the IRS has removed or shortened SSNs from a small number of forms and letters.
In a separate report issued earlier this month, the inspector general said two IRS information technology security systems are adequate, but noted that the agency should improve its follow-up and remediation in one area of security control.
The report outlined the results of its annual evaluation of two Non-Intelligence National Security Systems, required by the Federal Information Security Management Act.
The law calls for federal agencies to track and monitor known weaknesses, but the IRS did not include previously identified weaknesses in its Plans of Action and Milestones (POA&M). In addition, weaknesses that had been fixed were not “closed out” in a timely way in the POA&Ms.
“The POA&M process is particularly important because the IRS decided not to perform a new certification and accreditation in Fiscal Year 2010 and to rely instead on its annual testing to ensure a subset of security controls have been implemented and are working as intended,” the report said. The inspector general’s report did not include recommendations, only reporting on the agency's performance under the Office of Management and Budget’s guidelines.