Jun 16 2020

State Revenue Departments Need to Ensure Tax Data Security

Revenue departments across the country must maintain taxpayer security and ensure the protection of secure tax data.

With most state governments following the lead of the IRS and extending their 2020 tax filing deadlines to July 15 due to the coronavirus pandemic, state tax and revenue agencies are about to see a rush of filings and attendant taxpayer data.

In April, the IRS warned that identity thieves were aiming to take advantage of the pandemic to target tax professionals and steal taxpayer data and other financial information. That makes taxpayer security and tax cybersecurity more crucial than ever. 

Both the IRS and state revenue departments have a vested interest in tax data security. The IRS has a special unit, the Office of Safeguards, whose mission is “to promote taxpayer confidence in the integrity of the tax system by ensuring the confidentiality of IRS information provided to federal, state, and local agencies.”

The office verifies compliance with IRC 6103(p)(4) safeguard requirements “through the identification and mitigation of any risk of loss, breach, or misuse of Federal Tax Information held by external government agencies.” FTI, the most critical of secure tax data, is categorized as “sensitive but unclassified” information and may contain personally identifiable information, such as taxpayers’ names, addresses and Social Security numbers.

For state tax and revenue departments, there is something of a bible to follow when it comes to tax cybersecurity: IRS Publication 1075, which lays out in meticulous detail “guidance to ensure the policies, practices, controls, and safeguards employed by recipient agencies, agents, or contractors adequately protect the confidentiality of FTI.”

What Are the Major Tax Data Security Threats?

Each state has its own tax or revenue department with its own culture and technology environments. Sometimes, those agencies are under the supervision of a central IT department for the state, and in other cases operate more autonomously in states with decentralized IT governance. 

However, their parent organization is the Federation of Tax Administrators, a nonprofit organization that started in 1937 with a mission to “improve the quality of state tax administration by providing services to state tax authorities and administrators.” FTA members include principal tax collection agencies of the 50 states, the District of Columbia, Philadelphia and New York City.

Verenda Smith, deputy director of FTA, told the National Association of State Chief Information Officers that when it comes to tax cybersecurity threats, revenue agencies want to know how malicious actors might be getting into tax databases and applications.

“What information did they have, and where did they get it, that allowed them to successfully masquerade as a taxpayer? What didn’t an agency do that would have kept them out, or that would have thwarted a bot attack?” she says. “How is the affected agency or business communicating the breach or security threat to taxpayers or customers?”

Mostly, she says, FTA members “want to know where the weaknesses reside because many of them share the same processes.”

For example, she notes, all tax agencies store data at rest. It used to be an acceptable practice not to encrypt data at rest, since that data was “already protected deep inside a tax agency’s most secure systems.” However, that approach changed following a 2012 “cyberattack at South Carolina’s tax collection agency that exposed the personal data of nearly 4 million individual filers and 700,000 businesses,” as the Associated Press reports. That led state tax departments to ramp up their encryption efforts.

Another threat tax agencies face is phishing attacks, something that FTA members were briefed on how to defend against at an FTA technology conference in 2019. For example, Smith says, tax agencies sometimes receive fake emails from CEOs of companies asking for payroll information from employees, and in the past some attacks have been “frighteningly successful.”

Tax agencies have been conducting anti-phishing trainings to ensure that users do not click on suspicious links. “From that we learned that tax agency employees have been trained and know not to click on links in an email,” she says. “And, of course, there are other technology-based tools in use as well that seek to make it impossible for a human to make an inadvisable move with an email.”


How to Ensure Tax Data Security

Taxpayer data is often stored in databases held within tax agencies’ systems. “The concept of data warehousing consists of a collection of multi-dimensional integrated databases that are used to provide accessible information to clients or end users,” IRS Publication 1075 notes.

“The data can be manipulated through different categories or dimensions to facilitate analyzing data in relational databases. The result can provide the client or end user with an enterprise view or snapshot of the information,” the IRS states. “Security requirements apply to data warehousing environments, as well as to typical networked environments.” From a security perspective, the IRS says that security controls for such data warehouses are derived from the National Institute of Standards and Technology’s approach to securing federal information systems.

“When all controls are implemented and managed, these controls provide effective safeguards for the confidentiality, integrity, reliability and availability of the data,” the IRS states.

According to the IRS, those controls include risk assessments; detailed security planning; and certification, accreditation and security assessments. “State and local agencies shall develop a process or policy to ensure that data warehousing security meets the baseline security requirements defined in the current revision of NIST SP 800-53,” the IRS notes. “The process or policy must contain the methodology used by the state or local agency to inform management, define accountability, and address known security vulnerabilities. Risk assessments must follow the guidelines provided in NIST Publication 800-30, Risk Management Guide for Information Technology Systems.”

Further controls include data backups, configuration management, incident response and security awareness and training for staff. Additionally, state agencies need to have policies and procedures in place “that describe the cleansing process at the staging area and how the [extract, transform and load] process cleanses the FTI when it is extracted, transformed, and loaded.”

Other technical controls include authentication. “Business roles and rules shall be imbedded at either the authentication level or application level. In either case, roles must be in place to ensure that only authorized personnel have access to FTI information.”


Access control technology is another critical element of tax data security. “Access to systems shall be granted based upon the need to perform job functions. Agencies shall identify which application programs use FTI and how access to FTI is controlled,” the IRS states. “The access control to application programs relates to how file shares and directories apply file permissions to ensure that only authorized personnel have access to the areas that contain FTI.”

State revenue departments are required to put security controls in place that include “preventive measures to keep an attack from being a success,” according to the IRS. Agencies also need “detective measures in place to let the IT staff know that an attack is occurring,” and “if an interruption of service occurs, the agency shall have additional security controls in place that include recovery measures to restore operations.”

Within the data warehouse, the agency “shall protect FTI as sensitive data and be granted access to FTI for the aspects of its job responsibilities.”

Revenue departments are required to “enforce effective access controls so that end users have access to programs with the least privilege needed to complete the job. The agency shall set up access controls in its data warehouse based on personnel clearances.”
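As an added illustration of the role-based, least-privilege access controls quoted above, paired with a detective audit record, here is a small Python model; it is not IRS or agency code, and the role names, the FTI flag on each record and the sample data are assumptions made for this example.

```python
"""Least-privilege, role-based access to FTI records, with an audit trail.

Constructed example: roles enforced at the application level, deny-by-default
access, and a log of every decision so a detective control can review it.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Tuple

# role -> (actions the role may perform, whether the role is cleared for FTI)
ROLES: Dict[str, Tuple[FrozenSet[str], bool]] = {
    "examiner": (frozenset({"read"}), True),
    "analyst": (frozenset({"read"}), False),   # state-only data, never FTI
    "fti_custodian": (frozenset({"read", "update"}), True),
    "helpdesk": (frozenset(), False),          # may log in, touches no records
}

@dataclass
class TaxRecord:
    record_id: str
    contains_fti: bool   # record holds federal tax information

@dataclass
class AccessLog:
    """Detective control: every decision, denials included, is recorded."""
    entries: List[Tuple[str, str, str, str, bool]] = field(default_factory=list)

    def denied_by_user(self, user: str) -> int:
        return sum(1 for u, _, _, _, ok in self.entries if u == user and not ok)

def is_authorized(role: str, action: str, rec: TaxRecord) -> bool:
    """Deny by default: unknown roles or actions never gain access."""
    actions, fti_cleared = ROLES.get(role, (frozenset(), False))
    if action not in actions:
        return False
    if rec.contains_fti and not fti_cleared:
        return False
    return True

def access(user: str, role: str, action: str, rec: TaxRecord, log: AccessLog) -> bool:
    """Preventive check plus audit entry; returns whether access was granted."""
    ok = is_authorized(role, action, rec)
    log.entries.append((user, role, action, rec.record_id, ok))
    return ok

if __name__ == "__main__":
    log = AccessLog()
    fti = TaxRecord("2020-0001", contains_fti=True)      # constructed sample
    state_only = TaxRecord("2020-0002", contains_fti=False)
    print(access("alice", "examiner", "read", fti, log))       # True
    print(access("bob", "analyst", "read", fti, log))          # False
    print(access("bob", "analyst", "update", state_only, log)) # False
    print("bob denied:", log.denied_by_user("bob"))            # 2
```

The repeated denials counted at the end are the kind of signal the “detective measures” quoted above would surface to IT staff.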

Tax data security is not a simple task, but it is vital. State tax and revenue departments have the tools at their disposal to ensure that taxpayer data is as secure as possible at a time when threats are increasing.
