It used to be that everyone respected, or at least feared, the IRS. In the old days, when people couldn't be convicted of dangerous crimes, they were convicted of tax fraud (e.g., Al Capone). Then came Rashia Wilson, the "Queen of Tax Fraud", Wesley Snipes, Willie Nelson, Pete Rose, and Leona Helmsley. It seems that no one fears the IRS anymore.

The IRS confirmed this theory when it announced that hackers had stolen the identities of over 100,000 taxpayers in order to steal money from the IRS by filing fake returns. This is not the classier approach of the crooks mentioned above (i.e., simply not paying the taxes); these latest criminals apparently stole enough identification information to retrieve past tax returns and file fraudulent returns in an effort to take actual money from the IRS. The losses from the false returns are currently estimated at $50 million.

The breach sets up a number of interesting interplays. First, how will the Federal government handle breach notification when the notification procedures are currently set by state laws? In some states, there are specific details that must be provided to the consumer/victim. In some states, notice must be sent to the state attorney general. In other states, certain language must be included in the letter. In still other states, the reporting letter must be sent within a certain period of time. Will the IRS abide by these various sets of reporting rules?

Second, will the IRS be subject to the same penalties as ordinary businesses if it doesn't comply? For ordinary businesses, the penalties for not complying with data breach notification statutes can be very expensive.

Third, ordinary tax fraud cases are investigated by the IRS Criminal Investigations Unit and then enforcement is handled by the Department of Justice or the U.S. Attorney's office. Will this newer type of identity theft/data breach be handled in a separate manner from old-fashioned tax fraud?

I went to the IRS' website for the IRS' press release, but there is no mention of the breach that I could find, not even under "News & Events." I imagine all eyes will be on the IRS as it handles this mess. Myself, I'm wondering if I can file on paper next year.

Prudence dictates reviewing your privacy practices regularly, including reviewing your credit card processing practices to make sure they are up-to-date. Of course, the easiest way to prevent a data breach is not to collect the data in the first place! That is not always an option, of course. The OECD (Organisation for Economic Co-operation and Development) publishes a set of privacy principles that can serve as a useful starting point for designing your own privacy practices. These principles include: collecting data fairly and with consent, collecting only data relevant to the purpose for which it is being collected, telling customers how you will use/collect data, protecting personal data from disclosure, using reasonable security safeguards, being open about how you use data, allowing consumers to find out if data is collected about them and have it destroyed, and designating an officer to manage data privacy protection.

An additional resource is available in a checklist published by Experian for preparing for data breaches.
