What Are the Major Tax Data Security Threats?
Each state has its own tax or revenue department with its own culture and technology environments. Sometimes, those agencies are under the supervision of a central IT department for the state, and in other cases operate more autonomously in states with decentralized IT governance.
However, their parent organization is the Federation of Tax Administrators, a nonprofit organization that started in 1937 with a mission to “improve the quality of state tax administration by providing services to state tax authorities and administrators.” FTA members include principal tax collection agencies of the 50 states, the District of Columbia, Philadelphia and New York City.
Verenda Smith, deputy director of FTA, told the National Association of State Chief Information Officers that when it comes to tax cybersecurity threats, revenue agencies want to know how malicious actors might be getting into tax databases and applications.
“What information did they have, and where did they get it, that allowed them to successfully masquerade as a taxpayer? What didn’t an agency do that would have kept them out, or that would have thwarted a bot attack?” she says. “How is the affected agency or business communicating the breach or security threat to taxpayers or customers?”
Mostly, she says, FTA members “want to know where the weaknesses reside because many of them share the same processes.”
For example, she notes, all tax agencies store data at rest. It used to be an acceptable practice not to encrypt data at rest, since that data was “already protected deep inside a tax agency’s most secure systems.” However, that approach changed following a 2012 “cyberattack at South Carolina’s tax collection agency that exposed the personal data of nearly 4 million individual filers and 700,000 businesses,” as the Associated Press reports. That led state tax departments to ramp up their encryption efforts.
Another threat tax agencies face is phishing attacks, something that FTA members were briefed on how to defend against at an FTA technology conference in 2019. For example, Smith says, tax agencies sometimes receive fake emails from CEOs of companies asking for payroll information from employees, and in the past some attacks have been “frighteningly successful.”
Tax agencies have been conducting anti-phishing trainings to ensure that users do not click on suspicious links. “From that we learned that tax agency employees have been trained and know not to click on links in an email,” she says. “And, of course, there are other technology-based tools in use as well that seek to make it impossible for a human to make an inadvisable move with an email.”
How to Ensure Tax Data Security
Taxpayer data is often stored in databases held within tax agencies’ systems. “The concept of data warehousing consists of a collection of multi-dimensional integrated databases that are used to provide accessible information to clients or end users,” IRS Publication 1075 notes.
“The data can be manipulated through different categories or dimensions to facilitate analyzing data in relational databases. The result can provide the client or end user with an enterprise view or snapshot of the information,” the IRS states. “Security requirements apply to data warehousing environments, as well as to typical networked environments.” From a security perspective, the IRS says that security controls for such data warehouses are derived from the National Institute of Standards and Technology’s approach to securing federal information systems.
“When all controls are implemented and managed, these controls provide effective safeguards for the confidentiality, integrity, reliability and availability of the data,” the IRS states.
According to the IRS, those controls include risk assessments; detailed security planning; and certification, accreditation and security assessments. “State and local agencies shall develop a process or policy to ensure that data warehousing security meets the baseline security requirements defined in the current revision of NIST SP 800-53,” the IRS notes. “The process or policy must contain the methodology used by the state or local agency to inform management, define accountability, and address known security vulnerabilities. Risk assessments must follow the guidelines provided in NIST Publication 800-30, Risk Management Guide for Information Technology Systems.”
Further controls include data backups, configuration management, incident response and security awareness and training for staff. Additionally, state agencies need to have policies and procedures in place “that describe the cleansing process at the staging area and how the [extract, transform and load] process cleanses the FTI when it is extracted, transformed, and loaded.”
Other technical controls include authentication. “Business roles and rules shall be imbedded at either the authentication level or application level. In either case, roles must be in place to ensure that only authorized personnel have access to FTI information.”
Access control technology is another critical element of tax data security. “Access to systems shall be granted based upon the need to perform job functions. Agencies shall identify which application programs use FTI and how access to FTI is controlled,” the IRS states. “The access control to application programs relates to how file shares and directories apply file permissions to ensure that only authorized personnel have access to the areas that contain FTI.”
State revenue departments are required to put security controls in place that include “preventive measures to keep an attack from being a success,” according to the IRS. Agencies also need “detective measures in place to let the IT staff know that an attack is occurring,” and “if an interruption of service occurs, the agency shall have additional security controls in place that include recovery measures to restore operations.”
Within the data warehouse, the agency “shall protect FTI as sensitive data and be granted access to FTI for the aspects of its job responsibilities.”
Revenue departments are required to “enforce effective access controls so that end users have access to programs with the least privilege needed to complete the job. The agency shall set up access controls in its data warehouse based on personnel clearances.”
Tax data security is not a simple task, but it is vital. State tax and revenue departments have the tools at their disposal to ensure that taxpayer data is as secure as possible at a time when threats are increasing.