Some contract employees providing services to the Internal Revenue Service (IRS) without required background checks had access to taxpayer data, according to a report publicly released today by the Treasury Inspector General for Tax Administration (TIGTA), which oversees the IRS.
IRS policy requires background investigations for contractor personnel who have or require access to Sensitive But Unclassified (SBU) information, including taxpayer information.
The overall objective of this review was to determine the effectiveness of IRS controls to ensure that background investigations were conducted for contractor personnel who had access to SBU information. TIGTA did not review whether unauthorized contractor employees obtained or misused taxpayer data.
TIGTA found that taxpayer data and other SBU information may be at risk due to a lack of background investigation requirements in five contracts for courier, printing, document recovery, and sign language interpreter services. For example, in one contract for printing services, the IRS provided the contractor a compact disk containing 1.4 million taxpayer names, addresses, and Social Security Numbers; however, none of the contractor personnel who worked on this contract were subject to a background investigation.
In addition, TIGTA found 12 service contracts for which employee background checks were required by the contract; however, some contractor personnel did not have interim access approval or final background investigations before they began working on the contracts. Further, TIGTA identified 20 contracts for which some contractor personnel did not sign nondisclosure agreements. The IRS subsequently issued more explicit guidance requiring the execution of nondisclosure agreements.
“Allowing contractor employees access to taxpayer data without appropriate background investigations exposes taxpayers to increased risk of fraud and identity theft,” said J. Russell George, Treasury Inspector General for Tax Administration.
TIGTA made five recommendations to the IRS, including: ensuring that the types of service contracts identified in the report have appropriate security provisions and associated contractor employees have an appropriate interim access approval or final background investigation prior to beginning work on the contract; implementation of enhanced policies and procedures for emergency procurements; training for program office and procurement staff on contractor security requirements; and the necessity for contractor personnel to sign nondisclosure agreements prior to working on a contract. Finally, TIGTA recommended that the Office of Chief Counsel work with the Department of the Treasury Security Office to review the waiver currently in place that exempts contracted expert witnesses from background investigations and determine if the waiver is still appropriate in the current security environment.
The IRS agreed with four of TIGTA’s recommendations, but disagreed with a recommendation to review a waiver that exempts expert witnesses from background investigations. TIGTA believes that waiving the background investigation requirement presents a security risk.