IRS Yanks Data Security Guidance for State Revenue Agencies (1)

The IRS has removed guidance from its website that directs state, local, and tribal governments on their data security responsibilities when handling federal tax information, raising questions for some revenue directors about the federal agency’s objectives.

IRS has pulled down Publication 1075, Tax Information Security Guidelines for Federal, State and Local Agencies (Rev. 11-2021). The webpage that previously hosted the guidelines now reads “Page Not Found.”

An IRS spokesperson declined to comment, but the agency acknowledged the guidance is offline in an emailed message to all state revenue departments, said New Mexico Secretary of Taxation and Revenue Stephanie Schardin Clarke. The message said the IRS intends to eventually repost the guidelines, according to Clarke.

Publication 1075 provides guidelines designed to prevent disclosure of federal tax information, or FTI, which the IRS provides to more than 250 state, local, and tribal revenue agencies. The guidelines include specific requirements and best practices for information handling, storage, and security. The IRS Office of Safeguards describes the publication as “guidance to ensure the policies, practices, controls, and safeguards employed by recipient agencies, agents, or contractors adequately protect the confidentiality of FTI.”

David Harris, director of the Illinois Department of Revenue, said the removal of Publication 1075 is perplexing because it is a “straightforward document” that hasn’t been particularly controversial, and conveys critical requirements for all states aimed at the protection of taxpayer information. Harris emphasizes the document when he meets with new employees joining his agency.

“I tell them there will be no harassment, there will be no intimidation, and if you violate the strictures of Pub 1075, that is a serious infraction of our rules that could cost you your job,” Harris said in an interview.

The Federation of Tax Administrators had no understanding of why IRS removed Publication 1075, but federation spokesperson Joe Starr said it serves as an important “compliance framework for agencies that receive federal tax information for tax administration purposes.”

The removal of the guidance is “not helpful” from the perspective of state compliance, said Miles Fuller, director of government solutions for the tax and accounting software firm TaxBit.

“It just may make compliance more difficult if there is not an easy reference for certain groups,” said Fuller, a former senior counsel in the IRS Office of Chief Counsel.

New Mexico’s Clarke said she first noticed the guidelines were missing March 21. Until the IRS provides further guidance to the states, she said, New Mexico “will continue to follow all requirements of IRS Publication 1075 and of State law to protect our data.”

State revenue officials in California, Connecticut, and New York said the removal of the guidance wouldn’t affect their treatment of federal tax data.

“CDTFA will continue to follow all tax information security guidelines in accordance with California law and Publication 1075,” said Tamma Adamek, a spokesperson for the California Department of Tax and Fee Administration.

The IRS, through the Office of Safeguards, generally audits state agencies every three years on their compliance with the Publication 1075 standards. The IRS communicates some of this audit information to Congress in an annual report evaluating the data security conduct of state agencies and their contractors.

Last summer the Treasury Inspector General for Tax Administration reviewed IRS’s administration of the standards and concluded its “efforts to oversee State agencies’ access to FTI were generally successful.”