WASHINGTON – U.S. Senator Mike Crapo (R-Idaho), Ranking
Member of the Senate Finance Committee, and U.S. Senator Chuck Grassley
(R-Iowa), Ranking Member of the Judiciary Committee, asked Internal Revenue
Service (IRS) Commissioner Charles Rettig for an update on the recent major
potential data leak at the IRS, questioning whether the IRS has fulfilled its
legal requirements under the Federal Information Security Modernization Act
(FISMA) of 2014.
It has been months since the media outlet
ProPublica first said it had obtained private taxpayer data, and the IRS has
had more than two months to determine whether their systems had been breached
by internal or external actors. Crapo and Grassley ask Commissioner
Rettig whether a breach has been discovered, and whether IRS and Treasury--to
his knowledge--have fulfilled reporting responsibilities put forward in
FISMA. At a time when Democrats are proposing to have financial
institutions monitor and report on bank and financial accounts of virtually all
American taxpayers, it is imperative to know how and why private taxpayer
information appears to have been exposed.
“We still do not know
whether IRS systems, which contain personal and sensitive information on
Americans across the income, wealth, and political spectra, have been breached
by internal or external hackers, though IRS systems analysts almost surely know
by now. The threats to Americans’ privacy and our national security that
could result from theft and exploitation of such data are of extreme
concern.”
“Recall that in a very
recent security breach at the Treasury Department, and suspected possible
breach at the IRS, Congress was timely informed, in accord with FISMA
requirements. Specifically, toward the end of last year, numerous federal
agencies were affected by security compromises associated with SolarWinds Orion
products.”
“In stark contrast, the
Senate Finance Committee has not received reports from Treasury, the IRS,
TIGTA, the Cybersecurity and Infrastructure Security Agency (CISA), or any
other agency of government indicating whether or not there has or has not been
a major information security incident in association with ProPublica’s claim to
have obtained a vast trove of sensitive, private, and legally-protected data
stemming from IRS files.”
Among other requirements, FISMA assigns
responsibilities to federal agencies for reporting all security incidents,
including major incidents, to committees of Congress not later than seven days
after the date on which there is a “reasonable basis” to conclude that a major
incident has occurred. In the letter, the senators ask Commissioner
Rettig a series of clarifying questions regarding the IRS's legal responsibilities
related to the potential massive data leak.
Read the letter here or below:
August 10, 2021
The Honorable Charles P. Rettig
Commissioner
Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224
Dear Commissioner Rettig,
We are concerned about harms to Americans’ privacy,
possible threats to national security, and an undermining of confidence in the
self-reporting nature of our tax system stemming from a possible major
data-security breach at the IRS.
Stories have been produced by ProPublica that
apparently use sensitive, legally-protected, and private taxpayer information
purportedly derived from Internal Revenue Service (IRS) files.
ProPublica’s claim it has obtained a “vast trove of Internal Revenue Service
data on the tax returns of thousands” of Americans implies that there has been
a major information security incident.
The veracity of ProPublica’s claims remains unknown,
and we have not received responses to our requests for more information.
To our knowledge, there is no publicly available basis for determining whether
innocent Americans, including law-abiding citizens of our home states, have had
their private, legally-protected, and sensitive information leaked into the
hands of journalists and activists, or obtained by foreign agents or others.
IRS systems analysts and others have had nearly two
months to investigate. Yet, we still do not know whether IRS systems, which
contain personal and sensitive information on Americans across the income,
wealth, and political spectra, have been breached by internal or external
hackers. Americans deserve answers. The threats to Americans’ privacy and
our national security that could result from theft and exploitation of such
data are of extreme concern.
ProPublica’s claims raise different possibilities.
One is that someone inside the IRS, including contractors or researchers,
breached the legal protections afforded taxpayers’ private information and provided
the information to outside individuals. Another is that sophisticated
outside hackers, possibly including hostile foreign actors, breached IRS
systems to obtain private, legally-protected, and sensitive taxpayer
information.
These two possibilities would involve a breach
consistent with the definition of an “incident” contained in the Federal
Information Security Modernization Act (FISMA) of 2014 (P.L. 113-283).
Among other requirements, FISMA assigns responsibilities to federal agencies for
reporting security incidents, including major incidents, to committees of
Congress not later than seven days after the date on which there is a
reasonable basis to conclude that a major incident has occurred.
The ProPublica claims of having obtained a vast
trove of IRS data were first published on June 8, 2021, which curiously was
immediately prior to a Senate Finance Committee hearing on the IRS’s fiscal
year 2022 budget. The claim of possession of tax information of at least
thousands of people provides a reasonable basis to conclude that a major
incident might have occurred, posing imminent threats of violation of security
policies, procedures, or acceptable data usage.
In a very recent breach of security at the Treasury
Department, and suspected possible breach at the IRS, Congress was timely
informed, in accord with FISMA requirements. Specifically, in December of
2020, numerous federal agencies were affected by security compromises
associated with SolarWinds Orion products.
The Treasury Department and IRS, including Chief
Information Officers from each agency, responded promptly to the incident with
reporting to congressional committees and briefings. This included timely
responses to the Senate Finance Committee to, in part, assure that no private taxpayer
information at the IRS had been breached.
Treasury and the IRS at the end of last year appear
to have fully and timely complied with all reporting requirements and timelines
called for in FISMA in association with the SolarWinds Orion incident. In
addition, in response to inquiries from Congress, the Treasury Inspector
General for Tax Administration (TIGTA) subsequently confirmed on December 23,
2020, that no sensitive, private, and legally-protected taxpayer data appeared
to have been exposed.
In stark contrast, the Senate Finance Committee has
not received any reports from Treasury, the IRS, TIGTA, the Cybersecurity and
Infrastructure Security Agency (CISA), or any other agency of government
indicating whether or not there has been a major information security incident
in association with ProPublica’s claim to have obtained a “vast trove” of
sensitive, private, and legally-protected IRS data.
One inference from this inaction is that there has
not been, in the assessment of the Treasury and IRS, an information security
incident that should have been reported according to FISMA requirements.
This could mean that neither Treasury nor the IRS has discovered, to date, that
there has been an internal or external hack of IRS systems that could have led
to sensitive, legally-protected, and private taxpayer information ultimately
finding its way to ProPublica.
Please respond to the following clarifying
questions by August 24, 2021.
1. Have Treasury and the IRS fulfilled all legal responsibilities, including those set forward in FISMA, for reporting any threat of a data breach (“incident”) to the Secretary of Homeland Security, CISA, or the Director of the Office of Management and Budget?
2. Have Treasury and the IRS fulfilled all legal responsibilities, including those set forward in FISMA, for reporting to committees of jurisdiction, including the Senate Finance Committee?
3. Is it true that neither Treasury nor the IRS has determined that there has been an internal or an external breach of systems that would lead to unlawful public revelation of sensitive, legally-protected, private taxpayer information?
4. Has the IRS Computer Security and Incident Response Center identified any reason to believe there has been a breach of IRS systems that would lead to unlawful public revelation of sensitive, legally-protected, private taxpayer information?
5. Please provide documentation of the criteria utilized by the IRS to determine whether an “incident” as defined by FISMA has occurred that would require reporting to Congress.
Sincerely,
-30-