With tax season around the corner, the Internal Revenue Service (IRS) has begun its yearly campaign to educate taxpayers on the importance of protecting their personal information. However, a recent audit of the agency’s email use reveals the awkward truth that even the IRS does not always follow best practices when it comes to protecting taxpayers’ sensitive information.

On November 17, 2016, the Treasury Inspector General for Tax Administration (TIGTA) released its October report on an audit of emails sent by 80 randomly selected IRS employees in the Small Business/Self Employed (SB/SE) division during a four-week period in the spring of 2015. The audit revealed that 39 of the 80 employees sent a total of 326 unencrypted emails containing 8,031 different taxpayers’ personally identifiable information (PII).

The Office of Management and Budget defines PII as any information that can be “used to distinguish or trace an individual’s identity,” such as names, Social Security numbers, birth dates, or tax return information. The TIGTA report observed that loss, theft, or unauthorized disclosure of PII places individuals at risk for invasion of privacy and identity theft.

Of the 326 unencrypted emails identified by TIGTA, IRS staff sent 275 within the agency and 51 to non-IRS email accounts, including some emails to agents’ personal email accounts, for reasons that are unclear. Most of the internal emails were sent using the IRS’ Enterprise e-Fax system, which allows employees to fax documents from their computers, but which does not have encryption capability.

In its report, TIGTA extrapolated the results of the 80-employee sample to the entire IRS staff and estimated that, over the same four-week period, 11,416 IRS employees sent 95,396 unencrypted emails with private information of 2.4 million taxpayers. If this rate is typical, TIGTA determined, it could mean that the IRS annually sends more than 1.1 million unencrypted emails with private information of 28.2 million taxpayers. The IRS has established penalties for employees who send unencrypted emails with taxpayers’ personal information, ranging from warning to termination; however, neither the TIGTA nor the IRS has said whether anyone has been disciplined.

In its response, the IRS noted that TIGTA’s review did not identify any instances where unencrypted information was sent to an unintended recipient or fell into the wrong hands. Karen Schiller, Commissioner of the SB/SE division, also observed that, because most of the emails were sent internally, they remained “within the extensive protections of the IRS firewall” and therefore posed “a minimal risk of disclosure or access.” Nonetheless, Schiller and the agency recognized that the TIGTA audit reveals areas where the IRS can improve, including in its use of encryption, and emphasized that the IRS is committed to ensuring the privacy and security of taxpayer information against external threats.

The inspector general’s report made several recommendations, including technology upgrades—such as encrypting emails by default and updates to the e-Fax system to allow it to handle encrypted messages, improved training for employees and managers, and disciplinary action for violators.

A separate TIGTA report from October, also released November 17, further revealed that the IRS failed to protect taxpayer information when it transferred data externally to other agencies and contractors. TIGTA found that the IRS did not always share sensitive data through secure file transfer and identified a number of vulnerable IRS servers: 61 servers with “high-risk vulnerabilities,” 32 servers missing important security patches—of which four were “deemed as critical,” and 10 servers with outdated operating systems.

As April approaches, we will continue to monitor threats facing the privacy and security of taxpayer information and efforts by the IRS to educate the public—and its staff—on ways to guard against these threats.