Members of the House Committee on Oversight and Government Reform on Wednesday intensely questioned officials from the Internal Revenue Service (IRS) and the Department of Education (ED) about details leading up to and resulting from the IRS Data Retrieval Tool (DRT) outage, including exactly when officials became aware of a data breach, and how they plan to prevent such security threats in the future.
During the three-hour hearing, Republican members of the committee focused their questions on the timeline of events leading up to the agencies’ decision to take the data tool offline, and whether IRS and ED officials’ actions about when to notify Congress about the breach violated federal law. Meanwhile, Democrats used the time primarily to question the officials about issues with federal student loan servicing, debt relief scams, and ED’s recent decision to withdraw several Obama-era loan servicing reform memos.
“It appears to me at the end of the day you're either in denial of what happened, or you're incompetent, or you’re just untruthful in what’s happening here,” said Rep. Jody Hice (R-GA). “The abuse that’s been inflicted on American citizens by the IRS is inexcusable and it’s time that there’s accountability and some change that takes place at the IRS.”
This was the first congressional hearing that specifically addressed the issues surrounding the DRT outage. Lawmakers from both sides of the aisle have for several weeks been asking the IRS and ED for more information about the timeline of events, when the data tool will be functioning again, and what can be done to protect taxpayer information in the future. NASFAA President Justin Draeger noted in a statement submitted for the hearing that the DRT outage has been “especially harmful” in the first year of “Early FAFSA” and the use of prior-prior year income data.
“The DRT outage harms students and families in multiple ways, making the FAFSA more difficult to complete, making more students subject to verification, and leaving families with fewer available financial aid office resources for help navigating the financial aid process,” the statement said. “... We understand that legitimate security concerns cited by ED and the IRS led to the tool being disabled. However, we are looking for an explanation of why users of the tool and other key stakeholders were not informed of this outage until nearly a week after the system went down. It is also unclear why federal agencies took no action to correct these issues if vulnerabilities were identified months previously.”
James Runcie, chief operating officer of ED’s Office of Federal Student Aid (FSA), said during the hearing that the agency will be putting in place new security measures, such as an encryption solution to better protect individuals’ personal information.
ED also announced on Monday that the DRT will be available for use for the 2018-19 FAFSA cycle beginning on October 1, 2017, but that the security solution “will limit the information that displays to the applicant in order to enhance the security and privacy of sensitive personal data transferred to the FAFSA from the IRS.”
“This solution will encrypt the taxpayer’s information and hide the information from the applicant’s view on both the IRS DRT web page and on the FAFSA web pages,” the announcement said. “While students and parents will still be able to electronically transfer their IRS tax return information into the FAFSA, the information will not be visible to would-be malicious actors.”
The tool will be available toward the end of May for student loan borrowers who may need it to apply for income-driven repayment plans. Runcie told lawmakers that with the new security measures in place, the DRT will not be susceptible to the same kinds of misuse that caused officials to take the tool offline in March. IRS Commissioner John Koskinen said during a separate hearing in April that 100,000 individuals may have been affected by the data breach, and that as many as 8,000 fraudulent tax returns had been issued – for a total of $30 million – using the information stolen by identity thieves.
“While the IRS was able to identify 100,000 individuals impacted by the data theft, it may not be possible to measure the impact of the DRT outage on students who may have missed a financial aid deadline or never even completed a financial aid application because of this issue, and whose college plans may have been compromised as a result,” Draeger’s statement said. “Perhaps most troubling is the fact that this situation could have been avoided with better decision making in September, 2016, when the potential for abuse of the DRT was first identified.”
IRS officials on Wednesday expanded on the timeline of events that led to the decision to take the tool offline. Koskinen said in April that the IRS first noted security concerns about the DRT in September, and notified ED in October, but decided not to take action because there was not concrete evidence of criminal activity. Koskinen at the times said it later became clear there was criminal activity occurring.
Timothy Camus, deputy inspector general of the Treasury Inspector General for Tax Administration (TIGTA), on Wednesday said in his written testimony that the IRS again noticed suspicious activity toward the end of January, and that ED “told the IRS that they believed the activity was related to student loan consolidation activity.” At the end of February, a citizen – who officials later confirmed was an IRS employee – informed the IRS that he received a copy of his tax transcripts with a letter of his request, but that he had made no request for a copy.
“When his tax account information was researched, we learned that the complainant’s AGI had been accessed through the FAFSA and the DRT process,” Camus’ testimony said. “As a result, we determined that the January activity that the IRS observed was proof that an exploitation was under way. Initial analysis showed there were 8,000 questionable accesses at that time.”
Several Republican members of the committee also grilled IRS and ED officials about why they did not notify Congress sooner about the possibility of a data breach. The lawmakers repeatedly mentioned the Federal Information Security Management Act (FISMA) to argue that ED did not notify Congress in the appropriate amount of time. The lawmakers and officials tussled over the timing of when it was officially established that a breach had occurred, as opposed to awareness of general security concerns.
At the end of the hearing, Rep. Virginia Foxx (R-NC), who chairs the House Committee on Education and the Workforce, said the committee will be asking the officials exactly how many fraudulent returns were filed as a result of the breach, and when the individuals received that information.
“It has been extraordinarily difficult today to get any kind of specific answer out of any of you,” Foxx said. “The American people, frankly, are tired of this kind of display of incompetence.”
Publication Date: 5/4/2017