Safeguarding Taxpayer Data

Michael Hatfield

Abstract

The Internal Revenue Service (IRS) collects more information on more individuals than any other government agency. The information is not only financial but personal, potentially including information about health care needs and decisions; the caregivers, disabilities and foreign birth of children; the educational progress and felony convictions of students; and one’s religious and charitable associations. In acknowledging the vast quantity of information held by the IRS, and the necessity of taxpayers trusting tax administrators with their information, Congress provided greater protection for taxpayer information under the Internal Revenue Code (IRC) than was provided under the Privacy Act. Congress obligated IRS employees to keep taxpayer information confidential, and authorized felony charges and damages suits, including punitive damages, for inappropriate disclosures of taxpayer information. These special protections were enacted almost 50 years ago, long before the spread of the internet and the emergence of cybercrime. This Article proposes updating the IRC’s special protections for taxpayer information to reflect the cybersecurity objectives of the Federal Information Security Modernization Act (FISMA), and the frequent audits of the IRS by its Inspector General that show the IRS’s persistent failures to comply with FISMA guidance, such as failing to encrypt taxpayer data, secure mainframe platforms, regulate system access, remediate known vulnerabilities and assist victims of data breaches.

Article Details

Section
Articles