The legal woes of the Internal Revenue Service continue to mount, including not only Congressional inquiries and investigations by third parties, but a slew of lawsuits. The most recent of these is a suit brought by Beck Welborn and Wendy Windrich, individually and on behalf of a proposed class, against the Internal Revenue Service (IRS) and IRS Commissioner John A. Koskinen.
This is a case the IRS needs to lose.
I don’t have any particular grudge against the IRS, which for the most part seems to be staffed by decent people trying to do a tough job. The last tea party I attended was the one my sister forced me to participate in when I was six years old. I think that the courts can sort out the Lois Lerner scandal, the targeting of political candidates, the illegal seizures of property, and other scandals without my input or opinion.
But the IRS needs to lose this case for the callous way they disregarded the importance of safeguarding taxpayer information from data thieves, and because it would finally set a legal precedent for organizations to be held fiscally responsible for losses caused by such disregard.
The IRS case has more facets than the Hope Diamond:
- For months earlier this year, the IRS sat by and watched as hackers plundered the tax filings of 330,000 taxpayer accounts. The damage, though, could be even greater, since each account may be tied to the information of all family members on that account, which means that millions of Americans may be at risk.
- It wasn’t as though the IRS didn’t know the risk. The Treasury Inspector General for Tax Administration (TIGTA) had already warned that “[u]ntil the IRS takes steps to improve its security program deficiencies and fully implements all 11 security program areas required by the FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected.” They knew, but instead of acting on the problem they chose to mount a public campaign to blame identity theft on tax preparers and spend millions on a campaign to force said preparers to be licensed and regulated by the IRS.
- Nor is the IRS alone. In the dozen years since passage of the Federal Information Security Information Act (“FISMA”), the majority of Federal agencies – including the DOJ, Department of Health and Human Resources, the Department of Veterans Affairs, and the Department of Defense – have failed their security audits and been hacked. An estimated 38 percent of these hacks revealed personal information about Americans that can be used by data thieves.
- The worst data breach to date was the recent one suffered by the federal Office of Personnel Management, in which the information of more than 21.5 million Americans was stolen. The affected people included military personnel, present and former government employees, and individuals who have undergone background security checks. The director of the OPM, whose previous experience was as a national political director for President Obama’s 2012 campaign, resigned.
The bottom line is that nearly two-thirds of the major federal agencies have ignored the security of the data they collect from you, while at the same time demanding the right to collect ever more of it. They have done so for more than a dozen years, across two administrations, both Republican and Democrat. And when this inevitably results in the theft of your data, they need only to offer you twelve months of monitoring for your credit report – the federal equivalent of closing the barn door after the horse has escaped. No one gets fired. No one is held accountable. No one but you assumes responsibility for the financial losses suffered.
That is why the IRS needs to lose this case, and why other cases should be brought against the agencies and individuals responsible.
The situation goes deeper. In the past two years, organizations that include AOL, Home Depot, Target, Uber, Adobe, Apple, Vodafone, eBay, Anthem, and dozens of other companies have had their consumer data hacked. Again, by agreement with the Federal government, their maximum liability is to report the data breach and offer credit report monitoring.
Despite these very public breaches, companies continue to make every effort to collect your personal information, largely so they can compile a database that can be sold to marketers and identity thieves for a handsome profit. In some cases, companies can make a higher profit by selling your information than actually selling products to you.
If the IRS case does establish a precedent for fiscal responsibility for the losses, identity theft would virtually cease to exist. The companies that fail to safeguard the information they demand from consumers will have an incentive to shore up their defenses or suffer catastrophic penalties. Law enforcement, including the Department of Justice, will have a new incentive to give identity theft a higher priority. It will dampen some of the enthusiasm of companies to demand your data before they will do business with you, because they can’t be sure it is worth the risk of being bankrupted by a negligence lawsuit.
I don’t have a grudge against the government, and don’t particularly dislike business organizations, large or small. I just firmly believe that those who willfully practice negligence should be held accountable for their actions.