TIGTA flags ICE safeguard gaps before 42,695 IRS disclosures
The audit turns safeguard paperwork into litigation evidence once agencies move federal tax data before closing known gaps.
TL;DR
FedScoop reports that the Treasury Inspector General for Tax Administration found Immigration and Customs Enforcement (ICE) did not meet Internal Revenue Service (IRS) safeguarding standards before the agencies signed their April 2025 data-sharing memorandum of understanding. Open findings from a November 2023 safeguard review had no Corrective Action Plan before signing. The transfer later yielded a court finding of roughly 42,695 unauthorized taxpayer-address disclosures, making safeguard closure a litigation fact for agency counsel, CISOs and support contractors.
FedScoop’s report is mainly about sequencing. According to the outlet’s account of a partially redacted Treasury Inspector General for Tax Administration (TIGTA) report, Immigration and Customs Enforcement (ICE) had already been through a November 2023 safeguard review because the Internal Revenue Service (IRS) had an agreement with the Department of Justice to share federal tax information (FTI) that was then redisclosed to ICE. Some findings remained open, with the number redacted. ICE did not submit a Corrective Action Plan (CAP) before signing the April 2025 memorandum of understanding (MOU) with the IRS. By July 2025, ICE provided information on documented actions, but no implementation date. In this dispute, TIGTA supplied the first documented version of the control failure: review completed, findings open, transfer approved. That is the compliance fact pattern lawyers recognize: known gap, no documented closure, data moved anyway.
The numbers turned the review into an exposure analysis. In June 2025, ICE asked for more than 1.2 million IRS records. The IRS used an automated process to match ICE data with its own records and returned last known addresses for roughly 47,000 people. A federal court later said the IRS broke federal law approximately 42,695 times when it disclosed taxpayer addresses through Taxpayer Identification Number matching. TIGTA also said the IRS could not accurately and consistently match ICE records because ICE data formatting lacked uniformity. A data-quality problem sat inside a tax-disclosure statute, which is where small field errors stop being small.
TIGTA’s narrowness matters. The watchdog said it reviewed IRS processes and controls, rather than the legality of the MOU, and it made no recommendations to the IRS. It plans to share concerns with the Department of Homeland Security (DHS) Office of Inspector General. That restraint still leaves a damaging record: a high-risk sharing deal executed over unresolved safeguard findings and without a dated corrective-action path from the receiving agency. The follow-up question is whether ICE ever submitted a CAP for those findings and what enforcement action, if any, TIGTA recommends next.
For agency counsel, state CISOs and contractors supporting interagency transfers of personally identifiable information (PII) or FTI, the practical lesson is dull and important. Pull the safeguard review before the MOU is signed. List every open finding. Require a CAP with dates. Document who accepted any residual risk. If the data moves first and remediation becomes a future promise, the audit file may become a plaintiff exhibit.
Published ·Deep Fathom