The Obama administration is compelling private businesses to adopt new standards to protect themselves and the consumers they serve from hackers and cybertheft.
Now federal auditors are scolding the government for not protecting consumers from itself.
In a recent report, the Treasury Department Inspector General for Tax Administration reprimanded the Internal Revenue Service for failing to notify taxpayers in a timely way — if at all — when the tax agency inadvertently exposed their personal information.
IRS records showed 4,081 inadvertent disclosures of taxpayers’ personal information in fiscal 2009 and fiscal 2010.
The IRS sent letters to taxpayers whose privacy was violated 86 days after the fact in 20 percent of the cases auditors examined in a sample of incidents from July 2010 to February 2011.
Draft cybersecurity legislation proposed by the White House in the spring would require companies to inform consumers within 60 days if their personal information was disclosed.
The inspector general considers 45 days to be an acceptable notification period after a breach.
“It is troubling that, although the IRS has many processes and regulations that protect taxpayer information, there are times when [the information] is inadvertently disclosed,” Inspector General J. Russell George said in a statement.
IRS spokeswoman Julianne F. Breitbeil called the breaches “isolated incidents” and noted that the agency does not have a “systemic vulnerability” to putting taxpayers at risk for identity theft.
“While any inadvertent disclosure is of great concern,” Breitbeil said in a statement, “nothing in this report suggests any systemic vulnerability.”
In 5 percent of the leaks auditors evaluated, the IRS could not notify the taxpayers at all because the staff did not document the identities of the people whose information was exposed.
And 10 percent of the time, IRS staff did not notify the affected taxpayers because its definition of sensitive personal information did not include the tax data exposed.
An additional 21 percent of victims were never told of the data breaches because the information was unintentionally passed on to state officials, law firms, payroll processors or others, including those with power of attorney, who the IRS believed did not pose a threat.
Auditors recommended that the IRS implement a timeliness measure for notifying consumers and controls to make sure every breach is accurately documented. The inspector general also recommended that the IRS better educate its employees on the seriousness of disclosures.
The IRS agreed, saying it plans to strengthen procedures to tackle identity theft and improve the time it takes to notify taxpayers of any release of their personal information.