Workers from the Treasury Inspector General for Tax Administration (TIGTA) went trash-hunting at IRS offices in several cities in order to audit the agency's waste-disposal processes. They conclude in their report (PDF) that the Internal Revenue Service fails to properly protect taxpayer information stored on paper from accidental disclosure and dissemination.
One piece of advice the IRS gives to the more than 130 million taxpayers it collects information from is to use paper shredders and other methods of destroying sensitive documents before disposal. This is to prevent possible identity theft and misuse of Personally Identifiable Information (PII). However, in a classic case of not practicing what one preaches, the IRS fails to follow its own recommendation.
"At every location we visited, we found documents containing PII or other Sensitive But Unclassified (SBU) information in regular waste containers and/or dumpsters," the TIGTA report states. "During onsite visits to 15 IRS locations, and in questionnaires provided to 14 Territory Managers, we attempted to determine who was responsible for the oversight and monitoring of the collection and disposal of SBU waste. Answers varied from site to site and, in some instances, we received contradictory answers from Territory Managers and onsite personnel," it adds.
The audit was performed between September 2007 and May 2008 and, at the time, it was established that in only two cases did IRS personnel visit the facilities of companies contracted by the agency to handle the waste shredding or burning processes. Furthermore, many of the interviewed Territory Managers were not even able to name these companies, which in turn maintained that they never received an official inspection request from the IRS. One of the facilities even changed its physical location without notifying the agency.
The auditors also conclude that background checks of the contractors' employees have almost never been performed, even though they are vital for protecting the privacy of taxpayers. "We found no documentation to show that any review of the background investigation files was performed by IRS officials. One contracted shred facility informed us that the IRS had not asked about or checked on the background investigations of their employees in 6 or 7 years, and another stated that the IRS had never done such a check," they write in their report.
As a result of the audit, the Treasury Inspector General for Tax Administration made five recommendations to IRS management, which agreed with all of them and has since taken important steps to address the deficiencies of the SBU waste-disposal process.
However, this is not the first time that the IRS has been put under the microscope and bad security practices have been uncovered. Back in September 2008, TIGTA released a report according to which it found 2,093 vulnerable internal web servers on the IRS network, 1,811 of which were not even authorized. At the beginning of this year, the Government Accountability Office (GAO) reported that the IRS had resolved only 49 of the 115 problems identified during a November 2008 audit of the security policies enforced on its network.