WASHINGTON, July 19 (UPI) -- Federal auditors told the IRS it must tell taxpayers when personal information is exposed, much as the U.S. government would require private businesses to do.
The Treasury Department's inspector general for tax administration recently reprimanded the IRS for failing to notify taxpayers in a timely manner -- if at all -- when the tax agency accidentally exposed taxpayer personal information, The Washington Post reported Tuesday.
IRS records indicated more than 4,000 instances of inadvertent disclosures of taxpayers' personal information during fiscal years 2009 and 2010. Letters were sent 86 days after the fact in 20 percent of cases auditors examined in a sample of incidents from July 2010 to February 2011. The inspector general said he considered 45 days an acceptable notification period.
"It is troubling that, although the IRS has many processes and regulations that protect taxpayer information, there are times when [the information] is inadvertently disclosed," Inspector General J. Russell George said in a statement.
Draft cybersecurity legislation proposed by the White House would require companies to tell consumers within 60 days if personal information was revealed.
In 5 percent of the breaches auditors evaluated, the IRS could not notify the taxpayers because of poor documentation, the Post reported. In 10 percent of the instances, the IRS didn't notify taxpayers because its definition of sensitive personal information did not include the data exposed. Twenty-one percent of victims weren't told of the data breaches because the information was unintentionally passed to state officials, law firms, payroll processors or others the IRS didn't believe posed a threat.
Auditors recommended the agency initiate a timeliness measure for notifying consumers and controls to ensure all breaches are documented accurately. The inspector general also recommended the IRS educate its employees better.