[Congressional Record Volume 143, Number 40 (Tuesday, April 8, 1997)]
[Senate]
[Pages S2844-S2846]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]

      By Mr. GLENN:
  S. 523. A bill to amend the Internal Revenue Code of 1986 to prevent 
the unauthorized inspection of tax returns or tax return information; 
to the Committee on Finance.


                    IRS Systems Security Legislation

  Mr. GLENN. Mr. President, the date of April 15 is indelibly etched in 
the minds of most Americans. For it is on or by that day that honest, 
hard-working citizens voluntarily share their most personal and 
sensitive financial information with their Government.
  All Americans should have unbridled faith that their tax returns will 
remain absolutely confidential and zealously safeguarded. That is the 
foundation of our taxpaying system. If this trust is breached, then the 
bonds that tie citizens with their Government may break, with 
disastrous consequences for us all.
  In 1993 and 1994, as chairman of the Governmental Affairs Committee, 
I held hearings which first exposed that vulnerability. We found out 
that hundreds of IRS employees had been investigated for what I term 
``computer voyeurism'', where they call up returns of friends, enemies, 
celebrities, relatives, or neighbors just to snoop and satisfy their 
own prurient interests. Even worse, in some cases, IRS employees either 
altered their own returns to get refunds, or conspired with other 
taxpayer friends to change their returns and get a kickback from those 
refunds.
  My investigation revealed serious flaws in the IRS' ability to 
monitor, prevent, and detect browsing.
  In response, the IRS Commissioner pledged a zero tolerance policy to 
protect taxpayer privacy and vigorously discipline those who abuse this 
trust. The Commissioner also implemented a new system called EARL--
Electronic Audit Research Log--to help identify inappropriate and 
unauthorized access to taxpayer information stored in the IRS' main 
computer system.
  That primary system, IDRS--Integrated Data Retrieval System--handles 
more than 100 million transactions per month and is used by over 55,000 
IRS employees. At least one-third of those employees are authorized to 
input adjustments to tax account records.
  I had asked the General Accounting Office [GAO] to review the 
progress made by the IRS in reducing computer security risks and in 
curbing browsing. Earlier this year, GAO produced that report. However, 
because some of the specific details could jeopardize IRS security, 
that report was designated for ``Limited Official Use'' with restricted 
access.
  Due to my involvement in this important issue, and because I believe 
the public has a right to know, I requested that GAO issue a redacted 
version of the report suitable for public release. I would like to 
thank GAO for their hard work in this matter and also the IRS for their 
cooperation in making this possible.
  The findings of GAO's report are disturbing. Even more important, 
their findings are reaffirmed by the IRS in a comprehensive internal 
report of their own compiled last fall.
  Before I get to the specifics, I just want to say a couple of things.
  Point One. The vast majority of IRS employees are dedicated and 
committed to their jobs, and labor in extremely difficult conditions 
with very outmoded systems. Unfortunately, in this day and age, they 
must also fear for their own personal safety.
  Some 99.9 percent of them would never engage in such snooping or 
fraud. It is not as if every American has reason to believe that his or 
her privacy and tax return information has been compromised. But even 
just a single incidence of this behavior is one too many and cannot be 
tolerated.
  Just last year, in Tennessee, a jury acquitted a former IRS employee 
who had been charged with 70 counts of improperly peeking at the tax 
returns of celebrities such as Elizabeth Taylor, Dolly Parton, Wynonna 
Judd, Michael
Jordan, Lucille Ball, Tom Cruise, President Clinton, and Elvis Presley.
  More recently, just a few weeks ago, a Federal appeals court in 
Boston reversed the conviction of a former employee who had been found 
guilty of several counts of wire and computer fraud by improperly 
accessing the IRS taxpayer database. It was reported that he had 
browsed through several files, including those of a local politician 
who had beaten him in an election, and a woman he once had dated. The 
Government had alleged this worker was a member of a white-supremacist 
group and was collecting data on people he thought could be Government 
informers.
  In both of these cases, because of a loophole in the law, no criminal 
penalties could be meted out. The reason? No disclosures had been made 
to third parties.
  I doubt these kinds of decisions give great comfort to honest, law-
abiding citizens. That is why today I am reintroducing my legislation--
the Taxpayer Privacy Protection Act--to close this gap and ensure that 
any unauthorized access or inspection of return information, in 
whatever form, is punishable as a criminal offense and that employees 
so convicted are fired immediately.
  I know that the chairman of the House Ways and Means Committee is 
interested in passing such a bill as are several of my Senate 
colleagues including Senator Coverdell. I commend everyone for their 
interest and look forward to making this bill--finally--a reality.
  Let's pass this by April 15 and send a signal across the land that 
those who violate the privacy of taxpaying Americans will be fined, 
will be fired, and will be jailed. The public rightfully expects no 
less.
  Point Two. The IRS has recognized this serious issue and has 
undertaken some responsive actions. Warnings of possible prosecution 
for unauthorized use of the system appear whenever employees log onto 
the taxpayer account database. They have installed automated detection 
programs in some of their systems to monitor employee use and alert 
managers to possible misuse. And, the IRS has just created a new Office 
of Systems Standards and Evaluations to centralize and enforce IRS 
standards and policies for all major security programs. I have 
confidence that this Office, if given the proper resources, will be a 
positive force in this effort.
  The problem, however, is that these efforts, while well-intentioned, 
have come too late and fall far short of the commitment, management, 
and determination sorely needed to confront this matter head-on.
  The sad fact is that with 1 week to go until tax returns are due, one 
thing is clear: the IRS has flunked its own audit and has let down the 
American people.
  The agency promised zero tolerance for browsing. Today's information 
suggests that they have failed to live up to that pledge--1,515 new 
cases of browsing have been identified since our last report. Of those 
only 27 have resulted in employees being fired. I don't know what kind 
of new math they may be using, but that doesn't sound like zero 
tolerance to me.
  GAO even found that the 1,515 figure may drastically underestimate 
actual incidents because--and I quote--the agency's ``ability to detect 
browsing is limited''.
  Overall, GAO found that IRS' approach to computer security is not 
effective. Serious weaknesses persist in security controls intended to 
safeguard IRS computer systems, data, and facilities and expose tax 
processing operations to the risk of disruption and taxpayer data to 
the risk of unauthorized use, modification, and destruction. Further, 
although IRS has taken some action to detect and prevent browsing, the 
fact remains that the IRS has no effective means for measuring the 
extent of the browsing problem, the damage being done by browsing, or 
the progress being made to deter browsing.
  This finding is candidly confirmed in IRS' own internal report:

     progress in developing efficient prevention and detection 
     programs has been painfully slow. The program has suffered 
     from a lack of overall consistent, strong leadership and 
     oversight.

  Quite distressing to me is the finding, as stated in the IRS' own 
report, that employees, when confronted, indicate that they browsed 
because they do not believe it is wrong and that there will be little 
or no consequence to them if they are caught.
  Before summarizing the major findings, I also want to point out 
another facet of this report. That is, the effectiveness of controls 
used to safeguard IRS systems, facilities, and taxpayer data. GAO found 
serious weaknesses in these efforts, especially in the areas of 
physical and logical security.
  For example, the facilities visited by GAO could not account for 
about 6,400 units of magnetic storage media, such as tapes and 
cartridges, which might contain taxpayer data. Further, they found that 
printouts containing taxpayer data were left unprotected and unattended 
in open areas of two facilities where they could be compromised.
  I really don't want to say much more on this portion of the report 
than I have already. Except that these matters, and the others referred 
to by GAO, must be dealt with swiftly and effectively.
  I have summarized GAO's findings in a handout. Where appropriate, I 
have also included references from IRS' own recent internal report on 
their browsing deterrence and detection program. As I mentioned 
earlier, that report--[Electronic Audit Research Log (EARL) Executive 
Steering Committee Report, Sept. 30, 1996]--and I commend the IRS for 
its candid and frank evaluations in it--affirms most of GAO's findings, 
conclusions, and recommendations.
  I will briefly highlight the major findings in these attachments:


      The IRS System Designed to Detect Browsing [EARL] is Limited

  GAO found that the system used to monitor and detect browsing is 
ineffective because it can't distinguish between legitimate work 
activity and illegal browsing.
  Moreover, EARL only monitors the main taxpayer database. There are 
several other systems used by employees to create, access, or modify 
data which, apparently, go unsupervised. This is something I have asked 
the GAO to look into further.
  According to GAO:

     because IRS does not monitor the activities of all employees 
     authorized to access taxpayer data . . . IRS has no assurance 
     that these employees are not browsing taxpayer data and no 
     analytical basis on which to estimate the extent of the 
     browsing problem or any damage being done.

  In fact, according to the IRS' EARL report:

       The current system of reports does not provide accurate and 
     meaningful data about what the abuse detection programs are 
     producing, the quality of the outputs, the efficiency of our 
     abuse detection research efforts, or the level of functional 
     management follow through and discipline. This impedes our 
     ability to respond to critics and congressional oversight 
     inquiries about our abuse detection efforts.

  IRS Progress in Reducing and Disciplining Browsing Cases is Unclear

  The systems used by the IRS cannot report on the total number of 
unauthorized browsing incidents. Nor do they contain sufficient 
information to determine, for each case investigated, how many taxpayer 
accounts were inappropriately accessed or how many times each account 
was accessed.
  Consequently, for known incidents of browsing, IRS cannot efficiently 
determine how many and how often taxpayers' accounts were 
inappropriately accessed. Without such information, IRS cannot measure 
whether it is making progress from year to year in reducing browsing.
  Internal IRS figures show a fluctuation in the number of browsing 
cases closed in the last few years: 521 cases in fiscal year 1991; 787 
in fiscal year 1992; 522 in fiscal year 1993; 646 in fiscal year 1994, 
and; 869 in fiscal year 1995.
  More distressing, however, is the fact that in spite of the 
Commissioner's announced zero tolerance policy, the percentage of 
cases resulting in discipline has remained constant from year to year, 
averaging 29 percent.
  IRS itself reported that almost one-third of the cases detected were 
situations where an employee accessed their own account, which, 
according to the report, is ``generally attributable to trainee 
error''.
  Their answer creates simply more questions, however. Why are 
employees accessing their own accounts? Is this a wise policy?


           Penalties for Browsing are Inconsistent Across IRS

  Despite IRS policy to ensure that browsing penalties are handled 
consistently across the agency, it appears
that there are disparities in how similar cases are decided among 
different offices.
  For instance, the number of browsing cases resulting in employees 
being terminated in the last year surveyed ranged from 0 percent at one 
facility to a high of only 7 percent at another.
  The percentage of browsing cases resulting in employee counseling 
ranged from 0 percent at one facility to 77 percent at another.
  Even more incredible to me--and quite distressing--is the extremely 
low percentage of employees caught browsing each year who are fired for 
their offense, according to the IRS' own figures. Would you believe 
that, for all of the browsing cases detected and closed each year, the 
highest number of employees fired in 1 year has been 12. Between fiscal 
year 1991 and fiscal year 1995, only 43 employees were fired after 
browsing investigations. That is generally 1 percent of the total 
number of cases brought each year. Even if you include the category of 
resignation and retirement, the highest percentage of employees 
terminated through separation or resignation/retirement in any 1 year 
has been 6 percent.
  I could go on and on, but I think you get the idea.
  Taxpayer privacy is being jeopardized and the IRS is not doing enough 
to address it.
  A new law to make browsing a crime will be an important tool and I 
have worked with the IRS and the Justice Department in crafting my 
legislation.
  I will also be looking forward to Thursday's hearing of the Senate 
Governmental Affairs Committee when the IRS will be testifying and this 
issue is likely to come up.
  In closing, I do not want to be standing up here again next year 
talking about browsing. Although the computer age makes guarding 
taxpayer privacy more difficult and complex, the fact remains: the IRS 
can and must do better. The American people expect and demand nothing 
less.
                                 ______