TIGTA: Private debt collectors protect IRS taxpayer data

The two private collection agencies that the Internal Revenue Service hired to pursue delinquent taxpayer debt put in place adequate computer controls to protect taxpayer data, the Treasury Inspector General for Tax Administration said in a report released today.

The contractors, Pioneer Credit Recovery and CBE Group received the taxpayer data files securely from IRS and secured them satisfactorily on their systems, TIGTA said. The contractors also controlled their workstations to prevent unauthorized copying of taxpayer information to removable media or transfer through e-mail. They maintained audit trails and performed periodic reviews, including identifying unauthorized access to the taxpayer data.

Although the contractors do not delete taxpayer files or remove them from their systems once they close a case or IRS recalls it, the debt collectors protected the data by restricting access to taxpayer data files to only necessary employees, said Michael Phillips, deputy inspector general for audit.

“Inadequate security controls over taxpayer data would create increased risks of unauthorized access, misuse, disclosure, modification or destruction of taxpayer data,” he said.

Critics, such as the National Taxpayer Advocate, the National Treasury Employees Union and some lawmakers, have faulted IRS for contracting out the collection of taxpayer debt because it can put taxpayer privacy at risk and is an inefficient use of government funds.

But TIGTA said that the private debt collectors must assure that their computer systems comply with the Federal Information Security Management Act and the guidance developed by the National Institute of Standards and Technology to implement security controls that govern systems and communication protection, access controls and audit records.

“Each contractor implemented a best practice that should be considered by current and future private collection agencies,” Phillips said.

One contractor requires a second password, in addition to a standard username and password, before access to the contractor’s collection application is granted. This second password is generated through a password token device, small enough to fit on a key ring, which generates and displays a new password every 60 seconds. The other contractor places files downloaded from the IRS on a dedicated server.

As of February, IRS had provided the contractors with about 98,000 accounts representing $911 million in delinquent taxes.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.