House Ways and Means Committee leadership has urged the IRS to supply documents and information relating to two incidents last year when roughly 120,000 individuals had sensitive data from their exempt organization business income tax returns improperly disclosed due to programming and human error. (Reps. Smith, Schweikert Letter to IRS, 3/2/2023)
In August 2022, the IRS mistakenly included some machine-readable Form 990-T data in the downloads section on the Tax-Exempt Organization Search (TEOS). Tax-exempt entities use the form to file their business tax returns reflecting income from certain investments or unrelated activities. According to a September 2 letter from Anna Canfield Roth, the acting assistant secretary for management at the Treasury Department, individual names and business contact information attributable to non-Code Sec. 503(c)(3) organizations were publicly disclosed.
Per the Federal Information Security Modernization Act (FISMA) and Office of Management and Budget guidance, the IRS was required to notify Congress. “The IRS took immediate steps to address this issue. The agency removed the errant files from IRS.gov, and the IRS will replace them with updated files in next few weeks,” read the letter, which also was reflected in a public IRS statement. “The IRS also will be working with groups that routinely use the files to update remove the erroneous files and replace them with the correct versions as they become available.”
According to a September 23 report from the IRS, the data was online and undetected for about eight months as a result of a programming error. Two Republican lawmakers, House Ways and Means Committee Chair Jason Smith of Missouri and Oversight Subcommittee Chair David Schweikert of Arizona, wrote as much in a March 2 letter. Preparer tax identification numbers and some financial and compensation information were also compromised.
Later in November, the data was republished and remained available until December thanks to Accenture, a contractor given the reins for managing the database. Reportedly, instead of uploading the revised list of files given by the IRS, Accenture reuploaded the old files.
“The fact that the IRS improperly published confidential taxpayer information once is bad enough,” Smith and Schweikert told Acting IRS Commissioner Doug O’Donnell in their letter. “The fact that the agency put months into resolving the issue only to republish the exact same confidential taxpayer information again raises alarms about whether the agency is capable of upholding the fundamental principles—both legal and ethical—that are supposed to be part of the agency’s core mission.”
O’Donnell and the IRS were allotted a March 16 deadline to provide to Ways and Means “all documents and communications” involving the two incidents, including the terms of the agreement between the IRS and Accenture, as well as the names of employees responsible.
“These disclosures should have never happened,” the lawmakers wrote. “More must be done to prevent such disclosures from happening in the future and to protect confidential taxpayer information.”