TIGTA: Private debt collectors protect IRS taxpayer data

Two companies that pursue delinquent taxpayer debt do a good job of protecting sensitive information, a new report states.

The two private collection agencies that the Internal Revenue Service hired to pursue delinquent taxpayer debt put in place adequate computer controls to protect taxpayer data, the Treasury Inspector General for Tax Administration said in a report released today.

The contractors, Pioneer Credit Recovery and CBE Group, received the taxpayer data files securely from IRS and secured them satisfactorily on their systems, TIGTA said. The contractors also controlled their workstations to prevent unauthorized copying of taxpayer information to removable media or transfer through e-mail. They maintained audit trails and performed periodic reviews, including identifying unauthorized access to the taxpayer data.

Although the contractors do not delete taxpayer files or remove them from their systems once they close a case or IRS recalls it, the debt collectors protected the data by restricting access to taxpayer data files to only necessary employees, said Michael Phillips, deputy inspector general for audit. “Inadequate security controls over taxpayer data would create increased risks of unauthorized access, misuse, disclosure, modification or destruction of taxpayer data,” he said.

Critics, such as the National Taxpayer Advocate, the National Treasury Employees Union and some lawmakers, have faulted IRS for contracting out the collection of taxpayer debt because it can put taxpayer privacy at risk and is an inefficient use of government funds.

But TIGTA said that the private debt collectors must assure that their computer systems comply with the Federal Information Security Management Act and the guidance developed by the National Institute of Standards and Technology to implement security controls that govern systems and communication protection, access controls and audit records.

“Each contractor implemented a best practice that should be considered by current and future private collection agencies,” Phillips said. One contractor requires a second password, in addition to a standard username and password, before access to the contractor’s collection application is granted. This second password is generated through a password token device, small enough to fit on a key ring, which generates and displays a new password every 60 seconds. The other contractor places files downloaded from the IRS on a dedicated server.

As of February, IRS had provided the contractors with about 98,000 accounts representing $911 million in delinquent taxes.
