April 30, 2015
The tax industry has an identity theft problem. According to the Government Accountability Office (“GAO”), the IRS estimates that in 2013 it paid out approximately $5.8 billion in tax refunds to filers later determined to be identity thieves.
Very generally, the basic scheme is that thieves use stolen identities to file early tax returns using the names and social security numbers of unsuspecting taxpayers, which claim low amounts of income and high amounts of deductions and withholdings, in order to take advantage of the earned income tax credit and obtain the resulting tax refunds. The IRS has acknowledged that the true amount of false tax refunds paid annually likely is much larger than its 2013 estimate, given that much identity theft goes undetected.
Now, a pair of taxpayers is seeking to hold responsible the software makers who serve as an intermediary between the IRS and the taxpayer through a class action lawsuit, thereby suggesting that the problems of the IRS can become the problems of private businesses.
The Lawsuit: Diaz vs. Intuit
The case – a putative class action lawsuit recently filed against Intuit, Inc. (“Intuit”), the company behind the popular TurboTax return preparation software – underscores the problem and highlights practical areas of concern for tax industry professionals. In the complaint, two taxpayers argue that TurboTax did not effectively protect them against fraudsters who filed returns in their names. The first plaintiff alleges that she last used TurboTax for her 2010 joint returns; the second alleges that she never has used the service. Nonetheless, according to the complaint, in March of 2015 both plaintiffs received bills from TurboTax for the purported e-filing of their 2014 returns. The complaint alleges various state law claims, including breach of contract (stemming from allegations that defendants did not adhere to TurboTax’s terms of service), negligence, violations of California’s unfair competition and consumer records laws, and aiding and abetting and negligent enablement of fraud. Ultimately, the complaint asks the court to certify a class action against Intuit, in which plaintiffs would represent taxpayers who either (1) had fraudulent tax returns filed in their names through TurboTax, or (2) had their “data . . . accessed by unauthorized persons” “while that data was being held by Intuit.”
The complaint further catalogs recent high-profile security breaches, purportedly impacting hundreds of millions of individuals and small businesses. Nonetheless, it does not rely on any express allegation that TurboTax or Intuit have themselves ever been victim to a mass data breach. Rather, the plaintiffs seem primarily focused on the problem of imposters accessing TurboTax using data apparently stolen from elsewhere, and the allegation that Intuit obtained increased fees from the use of Turbo Tax by fraudsters and failed to take steps to curb such use. (Intuit maintains that it does not get paid through the refund transfer process unless IRS accepts the return as valid, so Intuit’s incentive is to minimize fraudulent use of its services.)
For its part, Intuit – after briefly suspending filings of state tax returns in February due to high numbers of suspicious filings detected by state authorities – announced that it did not believe that the activity resulted from a breach of Intuit’s own systems. The FBI has launched its own investigation into the source of the sham returns.
Data Protection Concerns at the IRS
The TurboTax lawsuit comes amidst continuing concerns regarding the IRS’s own data protection woes. A GAO report released in March documented many data security failures at the Service, including failing to timely install appropriate security updates, not requiring users to employ strong passwords, not requiring passwords to expire after 90 days, and granting employees access that exceeded that required by the employees’ duties. In a podcast discussing the report, co-author and GAO director of information technology Gregory Wilshusen warned that the IRS computer systems contain a “treasure trove” of taxpayer data that could be used by cybercriminals. The month before the GAO report was released, IRS Commissioner John Koskinen reportedly told the Senate Finance Committee in prepared remarks that $346 million in fiscal 2015 budget cuts “mean[ ], among other things, that aging IT systems will not be replaced and new taxpayer protections against identity theft will be delayed.”
The estimated loss of $5.8 billion in detected fraud, plus unquantified additional undetected losses, arises in part from the increased prevalence of e-filing (which the IRS requires most paid tax return preparers to use), along with the IRS’s policy of prompt refund payments. The IRS seeks to pay refunds within 45 days of a return’s filing (thereby avoiding paying interest under the Internal Revenue Code). To meet this goal, the IRS must disburse refunds before returns have been completely vetted. This practice inevitably results in payments quickly being distributed to filers who are belatedly found to be imposters.
Data Security and Tax Professionals
These developments serve as a reminder to return preparers and other tax professionals to remain vigilant and follow best practices when it comes to protecting their clients’ data. Although the complaint against Intuit appears to focus on an alleged failure to prevent fraudsters from using previously-stolen data to file false tax returns claiming refunds, the collection, storage, and transmission of sensitive client data can itself represent an opportunity for such data to be stolen in the first instance. Accordingly, return preparers and other tax professionals should develop a data protection policy appropriate to their operation, and – importantly – ensure that it is consistently followed.
At a minimum, that policy should require them and their agents to store client data securely, judiciously limit and carefully track who can and does access it, avoid sending private data via unprotected channels such as unencrypted email, and dispose of records properly. The policy should likewise require return preparers and other professionals to identify and react appropriately to red flags suggesting that a client’s data has been compromised. Other measures that should be considered include mandatory security training and/or background checks for employees, password requirements, strict controls to avoid malicious attacks (such as through malware or phishing), and rules governing storage of sensitive information. Finally and crucially, if a return preparer or tax professional suspects a breach or other fraud with respect to their clients’ data, they should run the issue to the ground and ensure that, at a minimum, they follow all applicable state and federal reporting requirements if a suspected breach has occurred.
Should you have any questions about this matter, or about related issues, please contact Peter D. Hardy at (215) 587-1001 or firstname.lastname@example.org, Abraham J. Rein at (215) 587-1057, or email@example.com, and/or Carolyn H. Kendall at (215) 587-1470 or firstname.lastname@example.org.
Disclaimer: this E-Flash does not offer specific legal advice, nor does it create an attorney-client relationship. You should not reach any legal conclusions based on the information contained in this E-Flash without first seeking the advice of counsel.
About the Authors:
Peter D. Hardy co-founded and serves as Co-Chair of Post & Schell’s Data Protection/Breach Practice Group, which works with clients to prevent or minimize data security breaches before they happen, and assist clients in responding to such breaches if they do occur. He is also a Principal in the Firm's Internal Investigations & White Collar Defense Practice Group, and has focused legal knowledge and experience in tax fraud, voluntary disclosures to the IRS, financial institution crime, money laundering, mortgage fraud, securities fraud, health care fraud, identity theft, public corruption, and allegations of civil fraud. Learn More >>
Abraham J. Rein is an Associate in the Firm's Internal Investigations & White Collar Defense and Data Protection/Breach Practice Groups. His national practice defends clients in a broad spectrum of industries, including health care, pharmaceutical, medical device, hospitality, insurance, financial services, securities, communications, defense, and transportation. Mr. Rein's work has focused on representing individuals and businesses facing government scrutiny, ranging in scope from securities regulation to insider trading, tax, immigration, False Claims Act, and complex regulatory matters. A former founder and managing partner of a web development firm prior to his career in law, he brings a keen understanding of the internet and technology to his practice. Learn More >>
Carolyn H. Kendall is an Associate in the Firm's Internal Investigations & White Collar Defense and Data Protection/Breach Practice Groups. She conducts internal investigations and defends corporations, officers and other individuals facing criminal and civil investigation. Her work includes matters involving pharmaceutical, manufacturing, and financial companies, relating to potential criminal tax and money laundering violations, as well as allegations involving securities violations, the Federal Anti-Kickback Statute, and other fraud and regulatory statutes. Learn More >>