The IRS dropped the ball in administering its Identity Protection Personal Identification Number (IP PIN) Program, leaving millions of taxpayers who were identity theft victims vulnerable and failing to strengthen the application despite a security breach in 2015, according to a recent report by the Treasury Inspector General for Tax Administration (TIGTA).
TIGTA did the audit to evaluate several issues regarding the IP PIN Program. The IRS watchdog repeatedly recommended that the program be shut down after a security breach was identified on May 17, 2015. While the IRS put in place risk mitigation processes, those processes didn’t always work and the program was not deactivated despite security weaknesses.
The IRS did temporarily shut down the IP PIN online tool in March 2016 after reports of a data breach surfaced. The agency restored the IP PIN service four months later with stronger protections in place, including a two-factor authentication process.
During its audit, TIGTA reviewed 32,623 tax returns filed between Jan. 19 and May 24, 2016, with an IP PIN that was viewed online, and identified 12,020 (37 percent) returns that were not manually reviewed as required.
In addition, the IRS failed to generate IP PINs to about 2 million taxpayers who were confirmed as victims of identity theft. And the agency mailed approximately 2.7 million IP PIN notices to taxpayers for tax processing year 2016 that incorrectly told them not to use their IP PIN if they are claimed as a dependent on a tax return.
The IRS launched the IP PIN Program in fiscal year 2011. An IP PIN is a unique six-digit number that the IRS assigns to victims of identity theft or to taxpayers who may be at high risk of becoming a victim to verify their identities come tax time. Taxpayers who receive an IP PIN have to use it on electronic or paper returns for the returns to be accepted by the IRS.
Further, the IRS’s Opt-In Program was intended to help taxpayers in locations where the most identity theft occurs and offer them an IP PIN to help prevent tax-related identity theft. But the IRS hasn’t stayed current on recognizing the identity theft hotbeds, meaning that taxpayers in those locations may not know about the IP PIN Program.
Here’s what TIGTA recommended and how the IRS responded:
1. Complete and document an authentication risk assessment after any security breaches. The IRS agreed with this recommendation and updated its incident response procedures on Jan. 20, 2017, requiring validation of the e-authentication risk assessment. The validation will ensure that the risk assessment reflects the most recently known circumstances concerning any future security-related incidents affecting online applications.
2. All functions must have consistent procedures for adding identity theft markers that create IP PINs. The IRS agreed and is reviewing its processes and identifying inconsistencies with the procedural guidance for identity theft.
The agency also is developing a strategy for responding to security issues that establishes a standard process for treating affected victims, whether they are self-identified, identified by the IRS through return processing activities, or subsequently identified as the result of a security incident.
3. IRS notices must contain accurate information for taxpayers. The IRS agreed with this recommendation. The agency reviewed the IP PIN notice letter for tax processing year 2017 for accuracy and sent it to approximately 3.5 million taxpayers in late December 2016.
4. Determine how to identify taxpayers in locations with high rates of identity theft. The IRS disagreed, saying that given the limitations and costs of the IP PIN Program, meeting this recommendation to change or increase the number of taxpayers eligible for the Opt-In Program wouldn’t be an effective use of resources.
Here’s TIGTA’s reply: “Taxpayers in Connecticut and Missouri faced the highest risk of identity theft in calendar year 2015, according to the Federal Trade Commission. The IRS’s decision to not offer these taxpayers a chance to obtain an IP PIN through the Opt-In Program is contrary to the intent of the program, which is to focus on taxpayers in states and locations with the highest per capita rate of identity theft.”
5. Develop an outreach tactic to increase taxpayer awareness of the Opt-In Program. The IRS agreed, saying it’ll determine if the Opt-In Program will continue and, if so, develop an outreach strategy to increase taxpayer knowledge of it.