The Public Eye with Eric Chabrow

Is IRS Legally Free to Expose Private Info?

Tax Agency Finds Itself Between a Rock and a Hard Place
Is IRS Legally Free to Expose Private Info?

By exposing tens of thousands of Social Security numbers on government websites, the Internal Revenue Service finds itself between the proverbial rock and a hard place.

See Also: Live Webinar | Securing Mobile Endpoints to Protect IP in the Pharma Industry

The public interest group says it discovered the IRS postings, which the IRS confirmed. It then removed the database containing the Social Security numbers from public view.

How did the numbers get posted?

It seems the IRS was merely following procedures. A notice published on the Internal Revenue website clearly warns filers that it legally cannot remove personally identifiable information from documents destined to be publicly posted on its website. Here's a statement issued July 10 from the IRS:

"The law requires the IRS to publicly post forms, such as Forms 8871, 8872 and 990, that are submitted by section 527 (campaign) organizations. The IRS frequently and routinely reminds organizations of the public disclosure of these forms and urges them not to include personal information, including Social Security numbers, in their public filings."

Section 527 is the part of the IRS code that requires campaign groups to identify contributors. It's been in the news recently because organizations such as those affiliated with the Tea Party and other political groups sought exemption under another part of the tax code, 501(c)(4), that shields donors names from disclosure.

But guidance from the Office of Management and Budget, citing the Federal Information Security Management Act and the Privacy Act, requires agencies to safeguard personally identifiable information from disclosure:

"As is required ... each agency must take appropriate steps necessary to protect personal information from unauthorized use, access, disclosure or sharing."

In its statement, the IRS said it decided "out of an abundance of caution" to temporarily remove public web access to the records. That statement raises a number of questions:

  • Why did the IRS wait to display such an abundance of caution only after revealed that the Social Security numbers were exposed?
  • If IRS officials believe they're legally obligated to post the documents as is, including Social Security numbers, should they have blocked access to the database?
  • If they feel the tax agency should not reveal such information, why did it do so in the first place?

The IRS says it's assessing the situation and exploring available options. The option is simple: Post the documents with personally identifiable information redacted, as allowed under FISMA and the Privacy Act. It's inconceivable that the government would lose a lawsuit from a plaintiff contending it has the right to individuals' Social Security numbers, especially in this era of sensitivity about IT security and privacy.

About the Author

Eric Chabrow

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.