There is no perfect system for safeguarding the personal federal tax information (FTI) that may be disclosed through Obamacare insurance exchanges, says the U.S. Treasury Department’s inspector general for tax information.
In a world of malware and viruses, there is no shortage of news reports of hackers making off with governments’ and businesses’ most sensitive information.
So, with that being said, why should we think that taxpayers’ FTI is somehow locked in an inaccessible government vault?
The inspector general conducted an audit of the IRS’s security measures to protect Obamacare-related FTI. As the audit states:
“IRS efforts can at best provide reasonable, but not absolute, assurance that FTI is adequately safeguarded. Authoritative Federal guidance states that security is never perfect when a system is implemented.”
Under the Affordable Care Act, the IRS must ensure an individual’s income is aligned with the amount of tax credits he or she receives to buy health insurance (which also means that in some cases taxpayers will have to repay the government if they received more credits than their income allows).
The law allows a certain amount of FTI to be shared between the IRS and the exchanges. The inspector general says the systems in place so far simply aren’t good enough. That doesn’t mean the IRS isn’t trying, or that it hasn’t done some good things; but what it has done thus far is not enough.
Reading through the inspector general’s audit could leave some readers uneasy, because the government seems to lack urgency about ensuring, requiring, or otherwise demanding that certain things be done to protect taxpayer information.
On pages seven and eight, the audit says:
“IRS procedures did not require the Exchanges or other agencies to submit an initial independent Security Assessment Report (SAR) that could help evaluate risk levels at the individual agencies and be used to prioritize on-site reviews. Moreover, although the IRS has a requirement that agencies complete signed security authorizations prior to receiving FTI, the IRS does not require these authorizations be submitted to the IRS prior to approval, and on-site reviews revealed that authorizations were not always satisfactorily completed.”
Some of the reporting on the inspector general’s audit reflected such concerns. The Hill, which covers Capitol Hill, wrote in its Oct. 23, 2014 story:
“The agency also didn’t require that top officials at state exchanges promise in writing that they understood the risks and importance of protecting the tax information. Plus, exchanges might not get on-site reviews of new systems to protect tax data for up to three years.
“The inspector general said that meant the IRS didn’t have enough assurances that the state exchanges had internalized all the risks involved in protecting taxpayer data.”
On a more positive note, the IRS agreed with all four of the inspector general’s security improvement recommendations. However, between the agreement and the act of making changes there is a time lag. One thing the IRS doesn’t need, along with its other well-publicized difficulties, is a loss to hackers of what is supposed to be secure taxpayer information.
In short, whatever the time lag, there’s not a moment to lose.
The Treasury Department Inspector General for Tax Information Report can be found here.