The IRS is very, very bad at protecting your personal data
Giving the IRS more power to extract taxes from a host of people, companies, and assorted financial entities has been a long-held dream of many politicians. In their mind, mountains of untaxed cash are waiting to be discovered, and scooped-up, and would be. If only there were more tax collectors on the job.
One big problem with all of that is the IRS itself. As a new inspector general’s report notes, the agency has a very big problem handling its current duties – among them, ensuring the data you had over with your returns is safe from prying eyes, hackers, and other’s up to no good:
Ever since 1996, when what was then known as the General Accounting Office issued a stinging report about vulnerabilities in IRS computers, critics have questioned how well the agency protects all the data it collects. In 2002, Congress adopted the Federal Information Security Modernization Act, or FISMA, which set forth standards all federal agencies were required to meet. How’s the IRS been doing with that? Here’s the IG report:
Until the IRS takes steps to improve its security program deficiencies and fully implement all security program components in compliance with FISMA requirements, taxpayer data could be vulnerable to inappropriate and undetected use, modification, or disclosure.
The wordsmith in me can’t leave unremarked upon the drafters’ clumsy effort to soften the harshness of this judgment. To be “vulnerable” is to be susceptible to harm; a vulnerable person is one who might easily suffer something bad. (Think, the unvaccinated.) Thus the phrase “could be vulnerable” is what my older brother used to call a double impositive. The taxpayer data either are vulnerable or not.
Bottom line: it’s in real danger…
For instance, the legacy systems have persistent vulnerabilities: “Configuration management compliance for Windows and Linux servers is not effective,” the report states flatly. It’s hardly reassuring that the explanation that follows, which occupies a good two pages, has been almost entirely redacted.
Oh, and just in case you’re wondering: “Vulnerabilities open past remediation time frames are not effectively documented and tracked.” In other words, the agency itself isn’t sure which vulnerabilities have been patched — or even which ones exist.
All of which gets back to the idea of giving the IRS even more power to collect far more data:
…it is fair to ask whether there might be a point to the widespread skepticism about such new IRS requirements as the one calling for banks to share ever more information about ever-smaller accounts. Maybe a government hungry for more private data should first meet its own standards for security.
Good luck with that.