TIGTA: Private debt collectors protect IRS taxpayer data

The two private collection agencies that the Internal Revenue Service hired to pursue delinquent taxpayer debt put in place adequate computer controls to protect taxpayer data, the Treasury Inspector General for Tax Administration said in a report released today.

The contractors, Pioneer Credit Recovery and CBE Group received the taxpayer data files securely from IRS and secured them satisfactorily on their systems, TIGTA said. The contractors also controlled their workstations to prevent unauthorized copying of taxpayer information to removable media or transfer through e-mail. They maintained audit trails and performed periodic reviews, including identifying unauthorized access to the taxpayer data.

Although the contractors do not delete taxpayer files or remove them from their systems once they close a case or IRS recalls it, the debt collectors protected the data by restricting access to taxpayer data files to only necessary employees, said Michael Phillips, deputy inspector general for audit.

“Inadequate security controls over taxpayer data would create increased risks of unauthorized access, misuse, disclosure, modification or destruction of taxpayer data,” he said.

Critics, such as the National Taxpayer Advocate, the National Treasury Employees Union and some lawmakers, have faulted IRS for contracting out the collection of taxpayer debt because it can put taxpayer privacy at risk and is an inefficient use of government funds.

But TIGTA said that the private debt collectors must assure that their computer systems comply with the Federal Information Security Management Act and the guidance developed by the National Institute of Standards and Technology to implement security controls that govern systems and communication protection, access controls and audit records.

“Each contractor implemented a best practice that should be considered by current and future private collection agencies,” Phillips said.

One contractor requires a second password, in addition to a standard username and password, before access to the contractor’s collection application is granted. This second password is generated through a password token device, small enough to fit on a key ring, which generates and displays a new password every 60 seconds. The other contractor places files downloaded from the IRS on a dedicated server.

As of February, IRS had provided the contractors with about 98,000 accounts representing $911 million in delinquent taxes.

About the Author

Mary Mosquera is a reporter for Federal Computer Week.


    sensor network (agsandrew/Shutterstock.com)

    Are agencies really ready for EIS?

    The telecom contract has the potential to reinvent IT infrastructure, but finding the bandwidth to take full advantage could prove difficult.

  • People
    Dave Powner, GAO

    Dave Powner audits the state of federal IT

    The GAO director of information technology issues is leaving government after 16 years. On his way out the door, Dave Powner details how far govtech has come in the past two decades and flags the most critical issues he sees facing federal IT leaders.

  • FCW Illustration.  Original Images: Shutterstock, Airbnb

    Should federal contracting be more like Airbnb?

    Steve Kelman believes a lighter touch and a bit more trust could transform today's compliance culture.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.