Lankford, Finance Committee Republicans Press IRS on Data Security Shortcomings

WASHINGTON, DC – Senators James Lankford (R-OK) and Mike Crapo (R-Idaho), along with Senate Finance Committee Republicans, sent a letter calling on the Internal Revenue Service (IRS) for greater accountability, transparency and a detailed explanation of specific steps it is taking to address security weaknesses at the agency following continued oversight reports revealing serious data security concerns.

“Preventing illegal access and disclosure of protected taxpayer data is an essential IRS responsibility, one of its highest priorities and one that is statutorily enshrined in the taxpayer’s bill of rights.  Unfortunately, it is also one that has been disregarded for far too long,” the Senators wrote.

“The IRS must take responsibility and account for failures in these duties.  As part of this, we call upon the IRS to provide a detailed explanation of: the specific steps it has taken since the beginning of this year to address any security weaknesses; a timeline of when each such step was taken; the current status of each recommendation made by TIGTA or GAO related to data and/or IRS system security since January 2020; the next steps and expected timeline for the IRS to address any open recommendations; and all specific actions the IRS has taken or will take to make impacted individuals whole,” the Senators continued.

For years, the Treasury Inspector General for Tax Administration (TIGTA) and Government Accountability Office (GAO) have pointed to significant, unaddressed flaws in the IRS’s data security systems and practices.  In an October 11, 2023 report on “Major Management Challenges” for the IRS for 2024, TIGTA identifies “Protection of Taxpayer Data and IRS Resources” as one of the IRS’s “top management and performance challenges.” In an October 24, 2023 report on “longstanding challenges” at the IRS, the GAO notes the IRS “has struggled with longstanding challenges in . . . safeguarding sensitive information,” with diverse issues still unresolved.

Read the full letter here or below. 

Dear Commissioner Werfel:

We request an update on what steps you are taking to address the serious shortcomings of IRS data security systems and practices, and on the developments involving the recent disclosures of legally protected information. 

On October 12, 2023 an IRS contractor working at the IRS, Charles Edward Littlejohn, pled guilty to the unauthorized disclosure of protected, confidential taxpayer information. This included two instances of disclosing tax information of a high-profile public official, as well as tax returns and return information for “thousands” of targeted taxpayers. These disclosures were widely reported to be the basis behind dozens of articles published by ProPublica since June 2021 that contain confidential taxpayer information. 

The IRS authorized Mr. Littlejohn to access sensitive taxpayer data without any masking or redaction of personally identifiable information. IRS security systems and protocols did not stop him from illegally stealing and disclosing that information, and it took years for investigators to ultimately piece together his crimes and identity.

IRS oversight bodies – including the Treasury Inspector General for Tax Administration (TIGTA), Government Accountability Office (GAO), and this Committee have for more than a decade raised significant concerns with these same systems and protocols – and dozens of their recommendations, including priority ones issued just months ago, appear to remain outstanding.

Preventing illegal access and disclosure of protected taxpayer data is an essential IRS responsibility, one of its highest priorities and one that is statutorily enshrined in the taxpayer’s bill of rights. Unfortunately, it is also one that has been disregarded for far too long.

The IRS must take responsibility and account for failures in these duties. As part of this, we call upon the IRS to provide a detailed explanation of:

• The specific steps it has taken since the beginning of this year to address any security weaknesses;
• A timeline of when each such step was taken; The current status of each recommendation made by TIGTA or GAO related to data and/or IRS system security since January 2020;
• The next steps and expected timeline for the IRS to address any open recommendations; and
• All specific actions the IRS has taken or will take to make impacted individuals whole.

Sincerely,

###