Current Federal Tax Developments

View Original

Chief Counsel Establishes Procedures to Use S/MIME and Encrypted ZIP to Communicate with Taxpayers With Matters Before Counsel's Office

In Chief Counsel Norice 2020-002 the IRS Chief Counsel provides for two methods to use secure email to communicate personally identifiable information (PII) and return information with taxpayers and representatives involved in Tax Court litigation or in regard to letter ruling and closing agreements.[1]

The notice provides the following changes in procedures to communicate with taxpayers for Chief Counsel employees:

Effectively immediately, Chief Counsel employees may exchange PII and return information with taxpayers or their representatives during Tax Court litigation and letter ruling or closing agreement processes, using one of two email encryption methods:

1. The LB&I Secure Email System (SEMS), which authorizes the exchange of encryption certificates under specific circumstances, allowing the exchange of fully-encrypted emails and attachments, and

2. SecureZIP encrypted email attachments, allowing the sending of password-protected encrypted email attachments to anyone with a compatible zip utility.[2]

Before either system can be used, the notice requires the Chief Counsel employees to comply with the following initial steps:

Before using either SEMS or SecureZIP to send email containing encrypted PII or return information to taxpayers or their representatives, Counsel employees must first discuss the use of encrypted email with the taxpayer or representative and confirm the identity of the email recipient. This can be done in a face-to-face meeting or by telephone. To further ensure that Counsel is dealing with the taxpayer or authorized representative, all initial email communications with the taxpayer or representative used in establishing the MOU and in establishing the associated list of email addresses authorized to receive encrypted content should be made only to the specific email address or telephone number (i) included in Petitioner’s Tax Court pleading signature block pursuant to T.C. Rule 23(a)(3), or (ii) in the original request for a letter ruling, closing agreement, or accompanying Form 2848, Power of Attorney and Declaration of Representative. See CCDM 32.3.2.3; IRB 2019-1 §7.01(15).[3]

The SEMS program is based on a secure message transfer system that has been built into most major email clients (including Microsoft Outlook) for years, but which is not widely used except by those with access to on-site IT support—Secure/Multipurpose Internet Mail Extensions (S/MIME).  As the notice describes the issues:

LB&I’s authorized SEMS program is intended for use by authorized taxpayer representatives (but not individual taxpayers) that have the technical ability to exchange email encrypted with Secure/Multipurpose Internet Mail Extensions (S/MIME) certificates. SEMS encrypts both attachments and the body of emails and is the type of encryption used with internal IRS email. External parties must exchange S/MIME certificates with the Counsel employees with whom they will be emailing. This requires the external party to use a compatible email system such as Microsoft Outlook, and to have the technical sophistication to exchange and install S/MIME certificates.[4]

Note that this system requires the taxpayer or representative to have an S/MIME certificate from a recognized authority to send to the IRS, since this system only allows sending secured emails to recipients who have provided the sender with such a certificate.  Obtaining and installing such a certificate often trips up individuals without access to IT support.

The IRS employees are warned that SEMS does on encrypt the subject of the message, only the text.  For this reason, personally identifiable information should not be included in the subject of any email sent via SEMS.

The IRS employees must take the following specific steps to use SEMS:

Before Counsel employees may use SEMS to send email containing PII or return information to taxpayer representatives, the taxpayer (not merely the representative) must execute a MOU acknowledging the risks inherent in use of email and authorizing the exchange of encrypted email with their representative.

The required MOU language for SEMS is contained in Attachment A.

The taxpayer must return the executed memorandum to Counsel before any encrypted email containing PII or return information may be sent, and the MOU must be retained in the case file.[5]

The SecureZIP system works by using encrypted ZIP files to hold the confidential information.  As the notice describes the system:

SecureZIP is a compression utility that allows the password-enabled encryption of email attachments and other files. To use SecureZIP, both the sender and recipient must have SecureZIP or a compatible decompression/decryption utility installed (several compatible free utilities exist, including PKWARE's ZIP Reader). Counsel employees may use SecureZIP to email encrypted attachments to authorized external stakeholders, including taxpayers and taxpayer representatives unable to use the LBI Secure Email Program. As noted above, if a taxpayer representative is able to use the LBI Secure Email Program, that method of encryption should be used instead of SecureZIP.[6]

As the last sentence notes, this system is not the preferred method.  But it’s likely many small taxpayers and advisers in firms that don’t have sufficient IT support will end up only being able to use this system.

Under this system, the information to be sent must be placed in a separate document and then encrypted using a password.  The password must be communicated to the receiving party but should not be sent via email since that defeats the purpose—any party that intercepts the emails would be able to decrypt and read the confidential information.  This password problem is a key reason why this system is less preferred—S/MIME does not require an exchange of passwords.

Unfortunately, while the IRS notes the password problem, the agency only requires the password not be in the email that contains the zip file.  The notice reads:

The password should never be sent in the same email with the encrypted attachment. It should be provided to the recipient by telephone or in a separate email. Never put the password in the body of the email with the encrypted attachment. [7]

Advisers should only agree to use this program if the IRS employee agrees not to send the password via email but uses another method to deliver it to the adviser.

The IRS employees are given the following information on using the program:

Because SecureZIP will not encrypt either the subject line or the body of the email, all PII, return information, and other information about specific tax matters must be included only in the encrypted attachment.

With SecureZIP enabled, after clicking “send,” a dialogue box opens asking if the user would like to zip the message. Select the “encrypt attachments” and “include unzip instructions” checkboxes and click “next.” The next dialogue box will ask the user to type and confirm an 8-character minimum password. Record the password for future reference.[8]

The following are the steps that must be taken before SecureZIP is to be used by IRS employees:

Before Counsel employees may email encrypted email with encrypted attachments containing PII or return information to taxpayers or taxpayer representatives, the taxpayer must execute a MOU acknowledging the risks inherent in use of email and authorizing the exchange of encrypted email attachments.

The MOU for SecureZIP is contained in Attachment B.

The taxpayer must return the executed memorandum to Chief Counsel before any encrypted email attachments containing PII or return information may be sent, and the MOU must be retained in the case file.[9]

Given the IRS preference for S/MIME and the questionable advice being given to IRS employees about transferring passwords when ZIP files are used, advisers who work cases that involve communication with the Chief Counsel’s office should consider obtaining and installing certificates to enable the use of S/MIME in their mail program.


[1] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[2] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[3] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[4] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[5] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[6] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[7] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[8] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdf

[9] Chief Counsel Notice 2020-002, October 18, 2019, https://www.irs.gov/pub/irs-ccdm/cc-2020-002.pdff