The IRS is in the hot seat for many reasons, such as why it isn’t firing employees over willful tax violations.   The latest is computer security weaknesses that allowed the theft of personal financial information for reportedly 104,000 taxpayers.

Identity theft can wreak havoc on an individual’s finances and take years to clean up.  The IRS has tremendous responsibility to protect taxpayer information from thievery.   In the latest case, it’s unclear whether the IRS took all necessary steps to secure the online portal used for the information theft before the portal went live for taxpayer use.  

I wrote to the IRS commissioner with questions about the data breach:  How did the IRS assess the risk of the online portal used for the information theft before it went online for taxpayer use?  When did the IRS achieve the capability to authenticate a taxpayer’s identity with the level of security required for an interactive online account?  As of March 2013, the IRS did not have such capability.  What other interactive services are available on the IRS website and what steps is the IRS taking to protect taxpayers in any other interactive web services, as well as steps to prevent the misuse of information accessed in the current breach?

The IRS commissioner needs to respond in writing.  I’ll also have the chance to ask him questions in person at a Finance Committee hearing this week. 

Computer security concerns at the IRS aren’t new, which makes the IRS’ work to shore up security more critical than ever and any lags in fixing the problem unacceptable.  I wrote to the IRS in April with concerns about weaknesses in computer systems that create opportunities for taxpayer or employee data to be lost, corrupted or stolen.  The IRS has not responded.  This line of inquiry is far from over.