Welcome to “Perspectives from Partners,” a monthly blog post featuring
interviews from NASCIO’s partner organizations.
For our introductory post in the heart of the individual income tax
filing season, we met with Federation of Tax Administrators (FTA) Deputy Director Verenda Smith. Verenda serves as the liaison to the Internal
Revenue Service (IRS) and works on issues related to IRS Publication 1075, which dictates security and safeguarding requirements
state agencies must follow when handling federal tax information.
Prior to FTA, Verenda served in the
Illinois Department of Revenue.
We asked Verenda her perspective on issues facing tax administrators
and common CIO issues like consolidation and cybersecurity.
About the FTA:
The Federation of Tax Administrators (FTA) is a nonprofit
organization created in 1937 with a mission to “improve the quality of state
tax administration by providing services to state tax authorities and
administrators.” Membership at FTA includes principal tax collection agencies
of the 50 states, the District of Columbia, Philadelphia, and New York City.
What would you like to tell state CIOs? What are you hearing from your membership about consolidation or centralization?
Tax agencies don’t control federal requirements. These are
as hard for tax agencies to live with as they are for CIOs. We have more
experience and background with these requirements, but, like the CIOs, we can’t
tell the IRS what to do. At the end of the day, it’s their data, and they
control its use.
As computers become more sophisticated and consolidation
becomes more desirable, the first thing CIOs are recognizing is what tax
agencies have always known: tax agencies are different. They have unique
requirements that don’t necessarily make sense from a “computer” standpoint. They’re
not being unreasonable. It’s just that they have their own structures that they
work within and often must meet requirements that are new to CIOs.
FTA members are called in to the CIO’s office and hear, “We’re
ready to consolidate you and bring you in the fold,” and they find themselves being
the bearer of bad, difficult news. I hear that all the time. CIOs are ready to hear about the usual issues
like governance, who pays, continued access to data and services, charging for
services, budget issues. But then they find they have to learn the history and
background of federal tax information, specifically why the requirements for
holding federal tax information that they are entrusted with go beyond
keeping information safe and secure.
Needless to say, FTA members are getting to know their
working partners [CIOs] much more closely these days.
What issue(s) is FTA monitoring?
Generally, we keep an eye on Congress, especially if we
identify anything that might affect states.
We are watching the federal budget. Congress is increasingly
challenged to generate a budget. When one does appear, it is already halfway
through the budget year. That undermines the ability for the IRS to make smart
purchases. And when you have IT projects that are constantly stop and go –
execution falters, gets delayed, rushes ahead — those of us who are working
with IRS and federal agencies get a little worried about what that [delayed
federal budget] means and how that will affect our work.
This is especially detrimental to the federal government’s
efforts to keep up with IT needs. By the time an agency’s funding gets to where
it needs to be, it has been delayed so many times that the technology is
obsolete. It is a frightful model.
What’s on the horizon?
Forty-two states and the District of Columbia have an income
tax, so most states are battling income tax refund fraud.
We needed a new way to think about data. Starting more than
a year ago, we brought together three sectors in a partnership: people who
design software for preparation and filing of tax returns, states, and the IRS
– and we’ve been coming together in a new way. Instead of each of us working independently
on fraud identification, we’re working on fraud issues together. Much of that
comes down to the use of the data and understanding what’s in each other’s data, what’s useful and what’s not.
What’s new is that we are spending time doing deep dives
into information that the others have, instead of just working with our own
data. Also, we are learning from one another, figuring out not only what data
might be useful to me, but asking how do you generate it? What does it mean and
not mean? How do I use that data and combine it with something else to make it
useful? Understanding what the data is has been one of the main keys to making
this Summit approach effective.
So we now have multiple sources of data coming from multiple
points, and our analysis needs are skyrocketing, so we’ll be getting an ISAC
hosted by the IRS. It will be done in partnership with everyone (tax software
companies, states, and the IRS) and it’s on behalf of everyone, but IRS has to
host it. Implementation will happen in stages but this ISAC will be available in
the foreseeable future.
The main mission of the ISAC is to do the best possible job
in a more efficient way of performing our current tasks. The ISAC will improve
our ability to analyze data and find trends. Trend-seeking is one of the great
tools in fraud detection and prevention. We have high expectations for the ISAC to
efficiently receive and crunch much more data in one location, which we can
then push out to everybody that needs it.
What are your members’ views on cybersecurity?
Our members don’t look to us to explain cybersecurity best
practices, but we do facilitate sharing of ideas, problem-solving and so forth,
and nowadays when we push information out to them, they jump on it. When we
hear that there’s been a security breach, they’re all on the phone immediately
to ask ‘Can you help us learn from this? Can you put us in touch with someone?’
What are some lessons you’ve shared about cybersecurity?
What our members want to know is: how did the bad actors get
in? What information did they have, and
where did they get it, that allowed them to successfully masquerade as a
taxpayer? What didn’t an agency do that would have kept them out, or that would
have thwarted a bot attack? How is the affected agency or business
communicating the breach or security threat to taxpayers or customers? But
mostly, FTA members want to know where the weaknesses reside because many of them
share the same processes. For example, they all have data at rest and there was
a time when it was considered ok to not encrypt data at rest — data that was
already protected deep inside a tax agency’s most secure systems — but that
stopped with South Carolina. Very few days passed before state agencies were
adopting new encryption practices.
There have been so many different examples this year of
stolen information being used to facilitate refund fraud – just in the last two
weeks, we’ve been dealing with fake phishing emails from CEOs of companies
asking for payroll information from employees.
It has been frighteningly successful.
So tax agencies are wholly engaged in dealing with
cybersecurity, in all possible ways. We had an interesting case last year where
one state tax employee received a suspicious email. He shared the email with his colleagues,
urging them to be on the lookout for the same, noting that “they” knew too much
and that it was tempting him to click on a suspicious link. He even shared the phishing attempt with all
other tax agencies with an alert. A few hours later, everyone learned that the
email was a test. His office had created
the email to probe weaknesses in their system. Fortunately, nobody clicked.
From that we learned that tax agency employees have been trained and know not
to click on links in an email. And, of course, there are other technology-based
tools in use as well that seek to make it impossible for a human to make an
inadvisable move with an email.
For more information on items mentioned in this post:
IRS Commissioner Koskinen announces ISAC
IRS “Dirty Dozen” tax scams for 2016
CEO phishing scam, seeking employee payroll info
CEO phishing scam…happened to Snapchat