By not following e-mail security practices IRS employees are putting taxpayer information at risk of improper disclosure, an IG report has said, adding that most of the violations it found involved transmission inside the agency, which carries less risk than sending messages outside.
The IG reviewed a sample of 80 employees of the Small Business/Self-Employed (SB/SE) Division over June 2015 and found 275 unencrypted e-mails were sent that contained taxpayer personally identifying and/or tax return information that were sent internally to other IRS employees, plus another 51 sent externally to non-IRS e-mail accounts. “These employees failed to follow Internal Revenue Manual (IRM) requirements and risked exposing the information to unauthorized persons,” it said.
Also, 20 e-mails sent by six employees to personal accounts involved official business and another 193 containing such information were routed via the e-mail system to the Enterprise e-Fax system, which does not use encryption.
It said the IRS agreed with recommendations including to ensure that managers are aware of e-mail violations and take disciplinary action and request an IT update of the e-fax system.
