The Obama administration is compelling private businesses to adopt new standards to protect themselves and the consumers they serve from hackers and cyber theft.
Now federal auditors are scolding the government for not protecting consumers from itself.
In a recent report, the Treasury Department Inspector General for Tax Administration reprimanded the Internal Revenue Service for failing to notify taxpayers in a timely way — if they were told at all — when the tax agency inadvertently exposed their personal information.
IRS records showed 4,081 inadvertent disclosures of taxpayers’ personal information in fiscal years 2009 and 2010.
The IRS sent letters to taxpayers whose privacy was violated 86 days after the fact in 20 percent of the cases auditors examined in a sample of incidents from July 2010 to February 2011.
Draft cybersecurity legislation proposed by the White House this spring would require companies to inform consumers within 60 days if their personal information has been disclosed.
The inspector general considers 45 days to be an acceptable notification period after a breach.
“It is troubling that, although the IRS has many processes and regulations that protect taxpayer information, there are times when [the information] is inadvertently disclosed,” Inspector General J. Russell George said in a statement.
In 5 percent of the leaks auditors evaluated, the IRS could not notify the taxpayers at all because the staff did not document the identities of the people whose information was exposed.
And 10 percent of the time, IRS staff did not notify the affected taxpayers because the agency's definition of sensitive personal information did not include the tax data that was exposed.
Another 21 percent of victims were never told of the data breaches because the information was unintentionally passed on to state officials, law firms, payroll processors or others, including those with power of attorney, who the IRS believed did not pose a threat.
Auditors recommended that the IRS implement a timeliness measure for notifying consumers and controls to make sure every breach is accurately documented. The inspector general also recommended that the IRS educate its employees better on the seriousness of these kinds of disclosures.
The IRS agreed, saying it plans to strengthen procedures to tackle identity theft and improve the time it takes the agency to notify taxpayers of any release of their personal information.