On April 12, 2024, as required under I.R.C. § 7431, the Internal Revenue Service notified over 70,000 taxpayers that their tax return information was subject to a data breach perpetrated by an IRS independent contractor (see GT Alert for details). Last week, the IRS issued supplementary letters to affected taxpayers who requested more information about the data breach. The IRS acknowledges that it has a duty to protect taxpayer information and that this data breach has put many taxpayers in a difficult situation. In the supplementary letter, the IRS identifies limitations on providing full information, provides additional facts on the data breach that occurred, and identifies additional measures the IRS will be taking to address this data breach and prevent similar incidents in the future.
Limitations on IRS Providing Information to Affected Taxpayers
According to the IRS, certain legal and practical limitations have prevented it from immediately providing full information to affected taxpayers. First, the IRS states that it did not have access to information about the affected taxpayers when the Treasury Inspector General for Tax Administration (TIGTA) criminal investigation of Mr. Littlejohn was pending. It only gained access to this information after Mr. Littlejohn was sentenced in February 2024. Second, the IRS states that the data set it received from TIGTA is voluminous and complex. It is working with TIGTA to identify the taxpayers affected by the breach and the information disclosed by Mr. Littlejohn. This process has taken time.
Additional Facts Regarding Data Breach
The IRS provides some additional facts to assist affected taxpayers in responding to the data breach. The IRS reiterates that Mr. Littlejohn stole the return information from 2018 through 2020 and made unauthorized disclosures to ProPublica and The New York Times. The IRS directs affected taxpayers to the court filings in the criminal case for more details on Mr. Littlejohn’s disclosures. The IRS then clarifies that if a taxpayer is receiving the letter, it means that Mr. Littlejohn disclosed information related to their taxpayer identification number stored on an IRS database. According to the IRS, it does not know the full scope of disclosure. However, the IRS’s current information suggests that (i) Mr. Littlejohn only disclosed the return information to ProPublica and The New York Times; and (ii) the affected taxpayers’ information has not been used for identity theft or fraud. Finally, the IRS confirms that the government has recovered the return information from Mr. Littlejohn.
Next Steps for the IRS
The IRS continues to work with TIGTA to understand the full impact of the data breach. The IRS’s next steps involve identifying and notifying additional taxpayers who were affected by the data breach, including taxpayers who received Schedules K-1 from affected entities. The IRS states that it has adopted additional procedures to identify potential identity theft or fraud in connection with this data breach. Taxpayers can also take steps to safeguard their identities by consulting with their own advisors and periodically monitoring their tax transcripts to identify fraudulent activity. The IRS reiterates that affected taxpayers can request further information by emailing Notification.7431@irs.gov.
IRS Measures to Prevent Future Unauthorized Disclosures
The IRS is taking steps to prevent similar data breaches. On May 10, 2024, the IRS issued a statement identifying 10 areas where it has improved taxpayer protections. The measures include (i) implementing additional restrictions for accessing sensitive taxpayer information; (ii) enhancing protective security controls; (iii) performing more frequent data reviews; (iv) improving firewalls; (v) continuously monitoring data usage; (vi) acquiring new security tools using Inflation Reduction Act funding; (vii) restricting the use of removable media such as thumb drives; (viii) strengthening email controls; (ix) retaining detailed access logs; and (x) monitoring information printed from IRS computers.
Conclusion
Unknowns remain for taxpayers affected by the IRS data breach. Currently, two affected taxpayers have filed lawsuits against the IRS for the unauthorized disclosures. Despite the IRS’s representation that Mr. Littlejohn appears to have only disclosed the tax information to two news organizations and that there is no evidence the taxpayer information was used for identity theft or fraud, affected taxpayers should still take steps to safeguard their personal identity and minimize future consequences from this data breach. Congress is aware of the data breach. In response, the House Ways and Means Committee has proposed legislation to increase the criminal penalties for unauthorized disclosures as follows: (i) the maximum fine would increase from $5,000 to $250,000; and (ii) the maximum prison sentence would increase from five years to 10 years. Additionally, the legislation would treat the disclosure of each affected taxpayer’s information as a separate violation. It remains to be seen what will happen with this legislation, but it highlights the widespread impact of the IRS data breach.