Reform Bill Protects Taxpayer Data by Preventing IRS Agents from Using Personal Devices

In response to increasing concerns about data security at the Internal Revenue Service (IRS), Senator John Thune (R-SD) introduced the Ensuring No Devices Bear Your Own Data (END BYOD) Act in May of this year. This legislation, H.R. 4257, aims to prohibit IRS employees, volunteers, and contractors from accessing sensitive taxpayer information on their personal devices — something particularly important given the IRS’s recent lapses in protecting taxpayer data. 

The IRS began exploring the bring-your-own-device (BYOD) program in September 2010 with a proof of concept to validate the feasibility of allowing mobile devices onto its network. By May 2013, the program had grown to include 460 participants with 519 devices registered. Following a cost-benefit analysis, the IRS decided to expand the program in June 2016.

Senator Thune, the ranking member of the Subcommittee on Taxation and IRS Oversight, has expressed ongoing concerns about the IRS’s handling of taxpayer data. The current BYOD program, which allows IRS personnel to access sensitive data on personal computers and phones, has been identified as a potential risk to data security. Thune has emphasized the need for American taxpayers to have confidence that their personal information is secure.

Earlier this year, Senator Thune wrote a letter to IRS Commissioner Daniel Werfel, referencing a report from the Treasury Inspector General for Tax Administration (TIGTA). The report identified significant issues with the IRS's compliance with the Office of Management and Budget’s (OMB) No TikTok on Government Devices Act, issued on February 27, 2023. This guidance outlines steps to remove TikTok from federal government devices. While the IRS blocked access to TikTok on IRS computers and some mobile devices, TIGTA found that 23 devices in the IRS’s Communications and Liaison group could still access TikTok. Although the IRS took corrective action upon notification, broader issues remain, particularly concerning the BYOD program and devices used by the Criminal Investigation unit.

TIGTA’s findings showed that the IRS had not updated its BYOD policies to comply with the OMB guidance, leaving a gap in informing participants about the TikTok prohibition on personal devices. Additionally, more than 2,800 mobile devices used by the Criminal Investigation unit and approximately 900 CI employees' computers still had access to TikTok, highlighting significant non-compliance. Despite recommendations from TIGTA, the IRS has not fully blocked access to TikTok on these devices or sought the required exception from the Department of the Treasury.

The urgency of the END BYOD Act is underscored by the recent conviction of former IRS contractor Charles Littlejohn. In February, Littlejohn was sentenced to five years in prison for stealing tax return information associated with thousands of individuals and corporations while working at the IRS as a government contractor. He downloaded the information onto personal devices, including an iPod, and provided it to the New York Times and the activist organization ProPublica. This incident highlighted the vulnerabilities in the IRS's data security protocols.

The policies in Senator Thune’s END BYOD Act would address the security and privacy of taxpayers’ data by prohibiting IRS employees from using any personal device, such as a laptop or cellphone, for work purposes. Restricting access to sensitive data to official IRS devices would prevent potential data breaches and misuse of personal information.