“Sensitive documents were discarded with regular trash.”
“We identified during our site visits that some bins were unlocked, altered, and/or damaged which permits direct access to the discarded sensitive documents.“
On Thursday the official IRS watchdog called out the IRS for its sloppy handling of sensitive taxpayer files. It is the latest evidence the agency does not care about taxpayer privacy despite an enormous infusion of taxpayer funds.
To prevent unauthorized disclosure, the IRS is supposed to safeguard sensitive tax files from the moment they are received to the moment they are securely disposed. The IRS must “properly shred, burn, mulch, pulp, or pulverize sensitive documents beyond recognition and reconstruction.”
But the IRS is failing taxpayers in this area.
In a report titled Improved Secure Document Safeguarding and Destruction Procedures Are Needed the Treasury Inspector General for Tax Administration (TIGTA) found:
Failure to maintain secure bins: “The IRS did not maintain secure bins as required for sensitive documents waiting to be destroyed. The IRS used open containers and bins with disposal slots that have been altered or were in poor condition, allowing access to discarded sensitive documents.”
Sensitive taxpayer documents out in the open: “We identified during our site visits that some bins were unlocked, altered, and/or damaged which permits direct access to the discarded sensitive documents.”
Sensitive files thrown in the regular trash can: “Sensitive documents were discarded with regular trash.”
Below: Actual photos in TIGTA report:
Files with personally Identifiable Information (SSNs, etc.) found in regular trash cans: TIGTA found “examples of trash containers being used for all waste, including sensitive documents that contained tax information and Personally Identifiable Information.”
In the big IRS facility in Ogden, Utah — IRS employees were too lazy to walk the sensitive files over to secure bins, so they threw the secure files in the regular garbage cans by their desks. TIGTA wrote: “IRS management instructed employees at this facility to store sensitive documents in these open containers, so employees did not have to leave their desks to throw the sensitive waste in the secured sensitive document destruction bins.” The IRS employees even mocked the concept by taping a sign on the regular trash can that said, “CLASSIFIED TRASH ONLY.” See below.
Risk of unauthorized access to sensitive taxpayer files: The use of these open trash containers exposes sensitive documents for anyone (employees, contractors, or visitors) to retrieve, which can cause a potential unauthorized access and disclosure incident. Once the trash leaves the IRS facility, it is possible someone could access sensitive information. The purpose of having locked and secured sensitive document destruction bins is to protect all sensitive documents once they are no longer needed by the employee and should be destroyed by the subcontractor. This control ensures that only authorized personnel have access to this sensitive information until it is destroyed.”
Bins had slots so big that anyone could reach right in and grab sensitive files: “Our site visits identified bin disposal slots that were altered or in poor condition allowing access to discarded sensitive documents. We found bins that our evaluators were able to reach their hands through the bin disposal slot and easily retrieve discarded sensitive documents.”
Failure to train employees on the proper treatment of sensitive taxpayer files: “The IRS has not established or communicated to personnel at its various facilities the standard operating procedures for sensitive document destruction to ensure uniformity and consistency. IRS officials did not know what specific sensitive document destruction procedures were used at 110 of its facilities.”
Below: Excerpt from TIGTA report:
Failure to conduct onsite inspections to ensure document destruction protocols are followed: “The IRS no longer performs on-site inspections at facilities where sensitive documents are brought for destruction to ensure proper disposal.”
Failure to plan and budget for the appropriate number of secure bins per location: “Specifically, the IRS did not: Determine the optimal number, type and/or size of bins needed at its facilities. As such there is no business justification supporting the bin types and sizes located at its various facilities.”
Failure to ensure the secure bins that were paid for with taxpayer funds were actually retrieved: “Specifically, the IRS did not: Implement appropriate processes and procedures to ensure that billing is accurate. For example, our review of invoices paid for October 2023 identified charges for more bins than reported by the vendor as being retrieved for destruction.”
IRS staff tipped off TIGTA that due to a recent billing methodology change, taxpayers were being ripped off by an IRS vendor: “IRS staff at two tax processing centers that this billing change resulted in the IRS paying twice as much per month for sensitive document destruction.”
IRS tried to claim they do not have enough money to carry out inspections to ensure protocols are followed. Amazingly, after receiving tens of billions of dollars during the Biden administration, the IRS tried to claim it does not have enough “resources” for inspections: TIGTA wrote: “Officials cited a lack of resources as to why these on-site inspections are no longer conducted.”
In its conclusion, TIGTA urged the IRS to, “develop standard operating procedures for sensitive document safeguarding and destruction; immediately evaluate the 110 facilities to ensure that sensitive document safeguards and destruction procedures are in place; replace bins that have been damaged and altered; perform annual inspections of all facilities used by subcontractors for sensitive document destruction; complete a cost-benefit analysis to ensure optimal bin size and number of bins at all facilities; and develop processes and procedures to ensure that the IRS is only paying for full bins serviced.”
The TIGTA report is dated Dec. 23, 2024 and was published to the TIGTA website on Dec. 26, 2024.
