Calls to IRS Not Secure, Agency Sting Discovers

The Internal Revenue Service’s efforts to solve tax problems for individuals by telephone, rather than by mail, has raised serious problems in protecting confidential taxpayer information, according to an internal IRS audit obtained by The Times.

A team of internal auditors, operating a sting this year, found that individuals could easily obtain income data on other taxpayers over the telephone--using only a name, address and Social Security number, according to the report the IRS completed Sept. 30. The auditors successfully obtained confidential tax information in 96 out of 109 telephone calls, including those in which investigators posed as other taxpayers.

“Test calls showed that impostors can obtain tax and income information with a simple phone call,” the report says. In a reply to the audit, IRS officials acknowledged the problems and said they have moved to tighten procedures.

Outside experts warn, however, that business conducted over the telephone is generally less secure than by mail.

The internal investigation marks at least the second time the besieged tax agency’s efforts to become more “consumer friendly” have backfired with potential compromises of security.

Last year, the IRS hastily withdrew a computer system, designed to allow taxpayers to file returns over the Internet, after a General Accounting Office audit found serious breaches in security that could have compromised private information.

The agency earlier this year was stung by another audit showing that its employees browsed through taxpayer records, looking into the incomes of celebrities, relatives and former spouses. As a result, Congress passed legislation making such browsing a federal crime.

Privacy is considered a cornerstone of the tax system, and experts have warned that the nation’s entire tax system would be undermined if the public comes to distrust the IRS’ ability to protect confidentiality.

Sen. William V. Roth Jr. (R-Del.), the chairman of the Senate Finance Committee who convened recent hearings into taxpayer abuses, said the report “underscores our concern for taxpayer privacy protection.”

“While I am gratified to learn that the IRS checks their own systems for the ability to keep taxpayer information private, I am concerned that the IRS seems to have failed the test,” Roth said. “I am even more certain now of the need for a thorough overhaul of this troubled agency.”

An IRS spokesman said the agency did not have any information on whether impostors have breached confidentiality. Under the Tax Code, it is a federal crime for IRS employees to give tax information to unauthorized parties. The tax code, however, apparently does not outlaw attempts by individuals to obtain such information.

In a response contained in the audit, IRS management said it began in July to ask individuals for their date of birth and up to two additional pieces of identification-verification information. The more stringent practices are scheduled to be entered into the IRS’ tax manual for employees next month.

Nonetheless, the report warns that the agency’s efforts to improve customer service by moving away from paper correspondence toward telephone calls “brings greater risks.”

“Our review identified weaknesses in the way the service discloses information over the telephone,” the report said. “As phone usage grows to better serve customers, protecting privacy is a concern.”

The IRS is often called the world’s largest financial institution, operating toll-free telephone lines that handled 45 million calls in 1996 and that will handle an estimated 60 million calls this year.

The agency is being pushed to assist people over the telephone much the way banks and credit card companies do. Until recently, the agency has not done so, largely because of outdated telephone and computer systems.

*

Nonetheless, IRS telephone representatives can obtain by computer adjusted gross income, taxable income, withholding and tax paid for an individual, an IRS spokesman said.

The internal auditors conducted test calls from 17 offices throughout the agency’s Northeast and Western regions, placing 109 calls from July 1996 to February 1997.

In at least a portion of the calls, the audit team obtained the permission of other taxpayers to take on their identities, including a schoolteacher, sports announcer, mayor, building contractor, school principal, IRS service center director, dentist and IRS worker.

The auditors then obtained addresses and Social Security numbers for the individuals on the Internet. The report noted that Social Security numbers have become widely available and that a number of states now use Social Security numbers on driver’s licenses.

In 79 telephone calls, the IRS agreed to mail tax records to an address different from the one recorded in the agency’s own electronic files. The audit also warns that in test calls placed from the Western region, three callers were able to file address changes over the telephone, a potentially serious security breach that could open the door to theft of tax returns.

The IRS policy on telephone disclosures, including the newly instituted tightening of procedures, may lag behind the safeguards taken by many private financial institutions.

American Express Co., for example, asks a series of questions to authenticate calls and periodically changes its list of questions to foil con artists, company spokeswoman Emily Porter said.

“Fraudsters are always trying to find ways to get information,” she said.

*

Some banks require account numbers and personal identification numbers, as well as a mother’s maiden name, for identification. Some financial institutions also require code words, as well as using caller identification.

The IRS instituted its tighter procedures without announcing them, but tax preparers say they have already noticed the change and are encountering problems with it, said Joseph F. Lane, a past president of the National Assn. of Enrolled Agents, which represents tax preparers who are licensed by the Treasury Department to represent taxpayers before the IRS.

“Within the last couple of weeks, we have started to get complaints from members who say the IRS is demanding to know the date of birth of their client,” said Lane, who practices in Menlo Park, Calif. “Generally, that is not a question that a tax preparer asks a client.”

Lane said he was unsure how the IRS could ever be absolutely certain that callers are not impostors and that it is a risk that any financial institution runs when it deals with customers over the phone.

The report also found that the IRS lacks a consistent policy on whether to allow suspended or disbarred taxpayer representatives, such as attorneys, accountants and other preparers, to access information.

The audit reported that customer service representatives believe that no information should be given to individuals under sanction, while the IRS’ director of practice indicates that censured practitioners are able to receive information.