Congress should enact a “a carefully targeted” exception for identity theft tax refund fraud (IDTTRF)  to IRC Section 6103. That would enable the companies to share information under the ISAC. It should also “grant the IRS the authority to establish and enforce security standards for our tax system,” the community recommended.

ETAAC says Congress needs to fund the Information Sharing and Analysis Center. The ISAC includes the IRS, state and industry membership with the number of participating organizations increasing from 18 in 2017 to more than 60 in 2018.

The reports says the center “enables the IRS, state revenue agencies and industry to identify, report, analyze, distribute and act on IDTTRF activity in real time.” 

ETAAC also wants increased participation in the Security Summit from the payroll community. The committee noted the lack of a “basic security standard applicable to the business tax area to guide companies and employers.”

The Security Summit’s STAR Work Group, including its Payroll Subgroup, is developing best practices around security controls based on the National Institute of Standards and Technology (NIST) Cybersecurity Framework.

However, ETAAC said the IRS should have the independent legal authority to develop, implement and enforce appropriate information security standards and practices in the tax administration area, including the business tax and payroll areas. 

The report called for better use of current community calls and meetings with payroll organizations and “Communicating more clearly and systematically with Payroll Community stakeholders on relevant topics and risks in these channels.” That means using payroll terminology and discussing issues such as the use of self-service portals.

The IRS also needs to reassess the direction of the Payroll SubGroup, which the report describes as not being aligned on the focus on developing standards under the NIST framework.