AT Think

Protect your clients and your firm after massive IRS data breach

Former IRS contractor Charles Littlejohn was sentenced in January to five years in prison for organizing one of the largest data thefts in the history of the federal government. 

Littlejohn's crime involved the illicit acquisition and distribution of sensitive data from the Internal Revenue Service, targeting some of the wealthiest individuals and entities in the United States. This breach not only exposed the personal tax information of thousands but also highlighted vulnerabilities within the IRS's systems. More than four years after the incident, the agency has only just begun notifying affected taxpayers. As trusted advisors, tax professionals and accounting firms have a responsibility to help lead their clients through this crisis and take proactive steps to help protect their sensitive information now and in the future.

Littlejohn used his position within the IRS to access and illegally copy tax returns and related documents, which he then provided to the investigative news site ProPublica. This breach has significant implications, not only because of the sensitivity of the data involved but also due to the delayed notification to the affected taxpayers, which only started in April 2024, long after the breach was discovered and following Littlejohn's sentencing. 

The extent of how many taxpayers were affected by the breach was unknown until now. Littlejohn admitted taking tax information from thousands of wealthy Americans between 2018 and 2020. It's the largest documented data theft at the IRS in history. Notification letters are now being sent by the IRS to affected taxpayers. Expect a number of additional lawsuits from taxpayers who were not previously aware that their information was compromised.

Congress seeks increased penalties for leaks

Republicans on the House Ways and Means Committee introduced the Taxpayer Data Protection Act (H.R. 8292) on Thursday in response to the lenient one-year prison sentence and $5,000 fine imposed on Littlejohn. The proposed legislation seeks to significantly increase the penalties for unauthorized disclosure of tax information. Currently, the maximum penalty is a $5,000 fine and five years in prison. The new bill would raise the maximum fine to $250,000 and increase the potential prison sentence to 10 years.

Additionally, it clarifies that each instance of a taxpayer's data being disclosed unlawfully constitutes a separate violation of the law. In Littlejohn's case, although data from thousands of taxpayers was stolen, he faced only a single count of unauthorized disclosure. This limited the judge to the current five-year maximum sentence. Under the new bill, Littlejohn could have been charged with thousands of violations — one for each taxpayer affected — allowing for a much harsher sentence.

Immediate steps for tax pros to consider

As tax professionals, it's our responsibility to guide our clients through the aftermath of this breach. Here are specific actions to consider:

  • Recommend clients apply for an IP PIN. A common tactic following a data breach is for criminals to use stolen Social Security numbers to file fraudulent tax returns and claim refunds. An Identity Protection Personal Identification Number can help prevent this. The IP PIN is a six-digit number assigned by the IRS that must be used when filing a return to block identity thieves. Encourage all your clients affected by the breach to apply for an IP PIN through the IRS website at irs.gov/ippin. Remind them to keep their IP PIN secure and never share it, even with you.
  • Obtain and review client tax transcripts. The IRS maintains detailed transcripts of each client's tax filings, payments and other account activity. Regularly reviewing these transcripts can uncover any suspicious or fraudulent activity. Advise clients to request their tax transcripts through the IRS Get Transcript service and review them carefully for any irregularities. As their tax preparer, you can also obtain transcripts on their behalf to monitor their accounts. If you identify any issues, work quickly with the client and the IRS to address them.
  • Recommend freezing credit and/or using identity protection monitoring services. While an IP PIN and tax transcript review can safeguard against tax-related fraud, clients also need protection from other identity theft risks, such as fraudulent loan applications. Encourage them to enroll in an identity-monitoring service from a reputable provider. These services scan the dark web, public records and other sources to detect any suspicious activity linked to the client's personal information. Many also provide insurance and assistance if identity theft does occur. In addition, consider suggesting they freeze their credit with the three credit bureaus — TransUnion, Equifax, and Experian.
  • Consider legal action. Some clients may want to explore legal action against the IRS or other parties responsible for the data breach. High-profile figures like hedge fund Citadel CEO Kenneth Griffin (in the case Griffin v. Internal Revenue Service et al) have already filed lawsuits, alleging the IRS failed to properly secure taxpayer data. Advise clients that under the Internal Revenue Code, they have two years from the date they discovered the breach to file a lawsuit. However, the decision to litigate is one that requires careful consideration of the costs, publicity and potential outcomes. As their advisor, you can provide guidance on the process and help connect them with legal counsel.
  • Strengthen your firm's cybersecurity. This breach is a stark reminder that tax professionals and accounting firms are prime targets for cybercriminals. It's crucial to take steps to secure your own systems and data to protect both your clients and your practice. Start by conducting a comprehensive security risk assessment to identify your firm's most sensitive data and vulnerabilities. Implement robust data protection measures, such as encryption, access controls, and secure backup and disposal procedures. Ensure all devices, software and networks are kept up to date with the latest security patches. Consider engaging a cybersecurity specialist to assist with these efforts. Many professional liability insurers also offer guidance and resources to help accounting firms strengthen their defenses. 

Stay vigilant and proactive

The IRS data breach has further shaken the public's trust in the tax system. As tax professionals, we have a critical role to play in helping our clients protect their confidential data. We should encourage clients to proactively monitor their tax and financial accounts, and assist them in obtaining transcripts, applying for IP PINs and addressing any suspicious activity. In an era of escalating cyber threats, proactive risk management is essential to protect both your firm and your clients.
