IRS isn't always notifying taxpayers of PII breach, says TIGTA

Taxpayers aren't always notified when the Internal Revenue Service inadvertently discloses personally identifiable information to others who shouldn't have it, says the Treasury Inspector General for Tax Administration.

In a report dated May 24--but only posted online July 14--TIGTA says a statistical sample of 98 incident case files shows that 5 percent of incidents were closed without notification because IRS employees did not document, or lacked, the identity of the affected individual.

Extrapolating to the 4,081 known incidents of inadvertent disclosures in fiscal years 2009 and 2010, there may have been 204 incidents in all where a breach occurred without taxpayers being notified. A single incident can affect more than one taxpayer; the 1,493 incidents in those two fiscal years that required notification under IRS rules affected 2,812 individuals, TIGTA states.

In some cases, the IRS employee reporting the breach should have known the identity of the affected individual, but the report acknowledges that there may be times when an employee is unable to determine identity.

"For example, an employee may be stuffing notices into envelopes and realize, after the fact, a notice is missing and must have been stuffed into an envelope addressed to another taxpayer that had already gone out with the mail," the audit states.

The audit also takes the IRS to task for not notifying taxpayers in the possible 408 incidents where the inadvertent disclosure was tax account information only. The IRS says tax account information isn't personally identifiable information, an assertion TIGTA disagrees with. In response to a TIGTA recommendation, the IRS told auditors it will "study the possible expansion of the notification process."

The report also finds that not all incidents were considered and processed, due to lack of a single incident tracking system. Instead, the IRS has relied on four separate systems to capture incident-related information, requiring employees to manually key in data from one system to the next.

The IRS told auditors it will consolidate data for the "most serious" incidents.

For more:  
- download the audit, 2011-40-054 (.pdf)
