You may not. A report issued by the Treasury Inspector General for Tax Administration (TIGTA) (downloads as a PDF) found that the IRS does not always act promptly to notify taxpayers when personal and private taxpayer information has been accidentally disclosed.
Information can be inadvertently disclosed in a few ways. Mix-ups can happen at the return level: for example, accidentally mailing a tax return to the wrong taxpayer. Taxpayers may provide the wrong fax number for purposes of providing transcripts – or the IRS could dial the wrong number. If you’ve ever worked in an office, you know that it’s not impossible to get things mixed up. Considering that the IRS processes more than 140 individual tax returns alone, not counting compliance and accuracy issues, there are a lot of papers flying around those offices.
So, mistakes happen. And at IRS, just as with most offices, it’s not so much an issue that mistakes happen but how those mistakes are addressed. TIGTA believes that, on that score, the IRS has room for improvement.
TIGTA randomly sampled case files from 2009 and 2010 and found that the IRS did not properly notify taxpayers in a timely manner when privacy was breached. In 5% of the cases, taxpayers were not notified of the disclosure because IRS employees did not identify whose data had actually been disclosed. In 10% of the cases, the IRS did not notify taxpayers of a breach of privacy because only tax account information was disclosed and – believe it or not – IRS procedures do not consider tax account information as “Personally Identifiable Information.” Strictly speaking, “Personally Identifiable Information” includes any information linkable to an individual, such as medical, educational, financial and employment information. One would think that would include tax account information, a point that the IRS has now conceded, but it wasn’t considered as such in 2009 or 2010.
TIGTA also found that, in 21% of incidents that required taxpayer notification, the IRS closed the matter without giving notice because the IRS believed that the disclosures – which were made to powers of attorney, state agencies, law firms or payroll processors – did not pose a likely risk of identity theft or other harm to taxpayers. Kind of the “no harm, no foul” mentality – but at IRS’ discretion.
Even when communications to taxpayers were made, TIGTA found that, in 74% of the incidents that required notification, communications to taxpayers were not made in a reasonable amount of time. TIGTA considers a reasonable amount of time to be 45 days after the disclosure. However, actual notifications from the IRS averaged nearly twice that long: 86 days.
As a result, TIGTA recommended that the IRS increase employee education when dealing with inadvertent disclosures. TIGTA also recommended that the IRS revise their procedures to include tax account information in the definition of “Personally Identifiable Information.” Finally, TIGTA wants the IRS to speed up the notification process for taxpayers who have had data disclosed.
In the response to the report, the IRS has agreed to all of the recommendations. You can read the entire statement here as Appendix VII.
Curiously, the IRS response to the draft report is dated May 9, 2010. I’m assuming they meant May 9, 2011, since the statement was stamped as received on May 10, 2011. In the grand scheme of things, it’s just a typo, I’m sure, and not an attempt to rehash an old memo. It’s just a bit ironic that it happened in an exchange of information promising to be more conscientious about making mistakes…