IRS' POLICY
The IRS' policy on unauthorized access of taxpayer information is simple: IRS employees are prohibited from accessing information not needed to perform their official tax administration duties. Unauthorized access of taxpayer information violates both privacy and disclosure rules. IRS employees are only permitted to access information in order to carry out their duties. There are no exceptions. Shortly after I became Commissioner in May of 1993, the IRS Chief Inspector brought to my attention his concerns about unauthorized access of taxpayer information by IRS employees. Since that time, we have repeatedly emphasized to employees the IRS policy against unauthorized access of taxpayer information. (See Appendix.) The Service has also adopted procedures to educate employees about the policy and to detect and punish unauthorized access of taxpayer accounts. I have consistently stressed both inside and outside the Service that the IRS does not tolerate unauthorized access of taxpayer accounts by IRS employees. In addition to written communications to all employees, I have consistently emphasized in virtually every meeting, teleconference or other opportunity I have had to speak to employees that the IRS cannot and will not tolerate such behavior.
The IRS has strengthened and clarified penalties to be imposed for violations of the Service's policy. Warning messages have also been added to the "sign-on" screens for employees with access to the principal database that employees use. Additional steps the IRS has taken to prevent unauthorized access include expanding the ability to detect unauthorized accesses through the Electronic Audit Research Log (EARL) on the Integrated Data Retrieval System (IDRS), sending memoranda to all employees reiterating the Service's policy, and developing and supporting legislative changes that affirm criminal penalties for violations.
The American federal income tax system is based upon self-assessment. Confidentiality of tax returns and tax return information is part of the foundation of the self-assessment system. Public confidence that the personal and financial information given to the IRS for tax administration purposes will be kept confidential is vital to that system. Although unauthorized access might not involve unauthorized disclosure by an IRS employee of taxpayer information to a non-IRS employee, such actions can undermine taxpayer confidence in the tax administration system.
IRS ACTIONS
Since 1993, the IRS has taken a number of steps to ensure that unauthorized access of taxpayer information by IRS employees does not occur. For example, each time an employee logs onto the taxpayer account data base (IDRS), a statement warns of possible prosecution for unauthorized use of the system. (See page 29 of Appendix.) All new users receive training on privacy and security of tax information before they are entitled to access the IDRS. They are required to review and sign an acknowledgment that they have read and understand the Automated Information Systems (AIS) Security Rules. (See pages 30 and 31 of Appendix.) The Service has also installed automated detection programs that monitor employees' actions and accesses to taxpayers' accounts, identify patterns of use, and alert managers to potential misuse.
The EARL system, which detects potential unauthorized accesses by analyzing the audit trails of each of the transactions on IDRS, is currently the key to detection. Because of the volume of transactions -- about 1.5 billion annually -- and the extremely small percentage of potential unauthorized accesses, the Service continues to refine the EARL software to more efficiently and effectively identify such potential unauthorized accesses. The IRS is also contacting "state-of- the-art" private sector organizations with the aim of identifying the feasibility of various security "prevention" systems and their approaches to managing technology risks. This approach will enable the Service to better control access to information through "up front" authorizations and ultimately rely less on after-the-fact detection. The feasibility of monitoring potential unauthorized accesses on systems other than IDRS that can be used to access taxpayer data is also being assessed. In this regard, the IRS has initiated efforts to contract for feasibility assessments of all systems that are used to access information (e.g., the Integrated Collection System and the Totally Integrated Examination System) to monitor the full extent of unauthorized accesses of taxpayer information beyond IDRS and develop both prevention and detection measures.
Administratively, since 1993, the IRS has been engaged in a vigorous campaign to let employees know that unauthorized accesses will result in disciplinary action, including removal from the Service. As recently as last month, I issued a memorandum to all executives and employees stating: Unauthorized access to accounts, absent mitigating circumstances, is serious misconduct and would normally warrant removal. It is also a violation of 18 USC 1030 (fraud and related activity in connection with computers), which can result in criminal prosecution. (See page 2 of Appendix.)
At the same time, IRS executives were charged to support the organization's commitment to taxpayer privacy and the security of tax data by: -Assessing personally on a periodic basis the consistency of discipline for unauthorized access of taxpayer information within their offices. -Electronic Audit Log Research cases will now be sent directly to Heads of Offices, either initially or after investigation by Inspection for appropriate review and action. -Personally ensuring that employees receive the required training and orientation within their offices; and -Personally taking every opportunity to communicate the Service's expectations, and to explain IDRS systems monitoring capabilities, to all their employees. (See page 4 of Appendix.)
In January, the Service centralized responsibility for all privacy and systems security issues in the Office of Systems Standards and Evaluation (SSE). Recognizing the critical need to enforce federal law and regulations on privacy and non-disclosure of confidential tax information, SSE was created to assume responsibility for establishing and enforcing standards and policies for all major security programs including, but not limited to data security. In this regard, SSE provides IRS with a proactive, independent security group that is directly responsible for the adequacy and consistency of security over all IRS operations. Mr. Len Baptiste was appointed as the National Director of SSE. His past GAO systems evaluation management experience, including security issues, will provide the leadership needed to carry out his new duties. In March 1997, Mr. William Hadesty was appointed as SSE's Director of Security Standards and Evaluations. Mr. Hadesty's private- and public-sector computer security experience includes over 10 years with the General Accounting Office where he led comprehensive computer security reviews at numerous government agencies, including his review of IRS facilities.
Although a clear policy, communication and training, and effective detection are important ways of institutionalizing a policy against unauthorized access, strong disciplinary and judicial-support are essential to reinforce the seriousness and consequences of violating the policy. In pursuing strong disciplinary actions before administrative tribunals, the results thus far have been mixed. For example, the cases in which employees have improperly accessed information, but not used such information for anyone's gain or detriment, financial or otherwise, have not always been viewed as seriously as we believe they should be.
Because nothing is more important to the operation of the tax system than protecting taxpayer information, I want to renew my request that Congress clarify the law on criminal sanctions. The IRS continues to support the legislation marked up by the House Ways and Means Committee last week and similar legislation introduced in the Senate which would do just that. The IRS has supported enactment of a criminal misdemeanor penalty for the willful, unauthorized inspection of returns and return information since 1994. In fact, in 1994, the IRS developed two legislative proposals on this issue. The first proposal recommended amending Title 18, the Criminal Code, so that unauthorized inspection of computer records would be punishable by a misdemeanor. The second proposal recommended amending the Internal Revenue Code to provide a misdemeanor penalty for unauthorized inspection of returns or return information in any medium.
In response to the IRS' request for legislation, Senator Glenn introduced S. 670, the "Taxpayer Privacy Protection Act," during the 104th Congress. It provided a misdemeanor penalty for unauthorized inspection. Unfortunately, Congress did not pass that legislation. However, Congress did pass, and the President signed, the Economic Espionage Act of 1996 (P.L. 104-294). This Act amended Title 18 to provide criminal penalties for anyone who intentionally accesses a computer without authorization, or exceeds authorized access, and thereby obtains information from any department or agency of the United States (18 USC 1030(a)(2)).
Because the Economic Espionage Act applies only to unauthorized access of computer records, the IRS continued to seek legislation clarifying the criminal sanctions for unauthorized access or inspection of tax information in section 7213 of the Internal Revenue Code -- whether that information is in computer or paper format -- and ensuring that the entire confidentiality scheme respecting tax information and related enforcement mechanisms would be appropriately found in the Internal Revenue Code. Therefore, the IRS has worked with the staff of the Senate Governmental Affairs Committee to help develop the "Taxpayer Privacy Protection Act" introduced on April 8, 1997, by Senator Glenn. Similar legislation was introduced in the House of Representatives.The House bill would apply to the unauthorized inspection of paper returns and related tax information. By clarifying the criminal sanctions for unauthorized inspection of tax information in section 7213 of the Internal Revenue Code, whether that information is in computer or paper format, the entire confidentiality scheme respecting tax information and related enforcement mechanisms would be found appropriately in the Internal Revenue Code. The Service fully supports such an amendment and believes that it would serve important tax administration objectives. While I have stated in the past that one unauthorized access is one too many, I believe it is important to put the numbers that were recently reported in the press into some context. There are 1.5 billion accesses annually on IDRS. During FY 1996 there were 1,374 cases that were identified as potential unauthorized accesses. Of that number, upon further investigation, 411 were determined to have been authorized. Of the remaining 963 cases, disciplinary actions were taken in 862 cases and 101 are still being reviewed.
I want to reaffirm that the Internal Revenue Service understands that safeguarding taxpayer information is essential to the operation of our country's self-assessment system. The Service welcomes the proposed legislative changes and hopes that you will assist us in addressing the problem of unauthorized access.
Mr. Chairman, this concludes my statement. I would be happy to respond to any questions.