Pursuant to a congressional request, GAO provided information on the
Internal Revenue Service's (IRS) implementation of the Taxpayer Browsing
Protection Act, focusing on: (1) actions IRS has taken to implement the
law; and (2) the number of potential and proven incidents of
unauthorized access by IRS employees that IRS has identified since
enactment of the law, as well as penalties imposed in cases where
unauthorized access was proven.

GAO noted that: (1) the IRS has two approaches for implementing the law;
(2) over the long term, IRS believes that modernizing its core automated
systems offers the best means to prevent and detect unauthorized access
to taxpayer data; (3) according to IRS, modernization will: (a) allow it
to restrict employees' access to only those taxpayer records that they
have a specific work-related reason to look at; and (b) enable it to
detect unauthorized accesses almost as soon as they happen; (4) it will
be several years, however, before this modernization becomes a reality;
(5) in the meantime, IRS has taken several other steps directed at
deterring, preventing, and detecting unauthorized access and ensuring
that consistent disciplinary action is taken when unauthorized access is
proven; (6) between October 1, 1997, and November 30, 1998, the Office
of the Chief Inspector identified 5,468 potential instances of
unauthorized access and completed preliminary investigative work on
4,392 of those leads; (7) of those 4,392 leads, 338 were determined to
warrant further investigation; (8) many of these 338 cases were still
under investigation or adjudication as of January 25, 1999; (9) using
data provided by IRS, GAO identified 36 cases for which investigation
and adjudication had been completed; (10) of those 36 cases, 15 involved
an IRS determination that IRS employees had intentionally accessed
taxpayer data without authorization; (11) in the other 21 cases, IRS
determined that either there was no unauthorized access or the access
was accidental; (12) according to IRS, employees involved in the 15
cases of intentional unauthorized access either resigned in lieu of
termination or were terminated; (13) according to IRS data, proven cases
of unauthorized access that occurred after enactment of Public Law
105-35 have generally been referred to U.S. Attorneys for prosecution,
and these U.S. Attorneys have, with one exception, declined to
prosecute; (14) according to IRS, the one case that was accepted for
prosecution was still open as of February 2, 1999, but the employee had
been removed from the agency; and (15) as required by the law, IRS
notified the three taxpayers whose data the employee had accessed.