TIGTA: Private debt collectors protect IRS taxpayer data

The two private collection agencies that the Internal Revenue Service hired to pursue delinquent taxpayer debt put in place adequate computer controls to protect taxpayer data, the Treasury Inspector General for Tax Administration said in a report released today.

The contractors, Pioneer Credit Recovery and CBE Group received the taxpayer data files securely from IRS and secured them satisfactorily on their systems, TIGTA said. The contractors also controlled their workstations to prevent unauthorized copying of taxpayer information to removable media or transfer through e-mail. They maintained audit trails and performed periodic reviews, including identifying unauthorized access to the taxpayer data.

Although the contractors do not delete taxpayer files or remove them from their systems once they close a case or IRS recalls it, the debt collectors protected the data by restricting access to taxpayer data files to only necessary employees, said Michael Phillips, deputy inspector general for audit.

“Inadequate security controls over taxpayer data would create increased risks of unauthorized access, misuse, disclosure, modification or destruction of taxpayer data,” he said.

Critics, such as the National Taxpayer Advocate, the National Treasury Employees Union and some lawmakers, have faulted IRS for contracting out the collection of taxpayer debt because it can put taxpayer privacy at risk and is an inefficient use of government funds.

But TIGTA said that the private debt collectors must assure that their computer systems comply with the Federal Information Security Management Act and the guidance developed by the National Institute of Standards and Technology to implement security controls that govern systems and communication protection, access controls and audit records.

“Each contractor implemented a best practice that should be considered by current and future private collection agencies,” Phillips said.

One contractor requires a second password, in addition to a standard username and password, before access to the contractor’s collection application is granted. This second password is generated through a password token device, small enough to fit on a key ring, which generates and displays a new password every 60 seconds. The other contractor places files downloaded from the IRS on a dedicated server.

As of February, IRS had provided the contractors with about 98,000 accounts representing $911 million in delinquent taxes.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


  • Telecommunications
    Stock photo ID: 658810513 By asharkyu

    GSA extends EIS deadline to 2023

    Agencies are getting up to three more years on existing telecom contracts before having to shift to the $50 billion Enterprise Infrastructure Solutions vehicle.

  • Workforce
    Shutterstock image ID: 569172169 By Zenzen

    OMB looks to retrain feds to fill cyber needs

    The federal government is taking steps to fill high-demand, skills-gap positions in tech by retraining employees already working within agencies without a cyber or IT background.

  • Acquisition
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA to consolidate multiple award schedules

    The General Services Administration plans to consolidate dozens of its buying schedules across product areas including IT and services to reduce duplication.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.