Taxpayers Sue IRS For Illegal Account Access In Data Breach

This article is more than 8 years old.

"What should have been a trustworthy digital service had been compromised and is yet the latest sign that the U.S. Government cannot be relied upon to keep the personal data of its citizens safe."

That's the allegation made this week in a lawsuit filed by plaintiffs Becky Welborn and Wendy Windrich, individually and on behalf of a proposed class, against the Internal Revenue Service (IRS) and IRS Commissioner John A. Koskinen. The action was filed following an announcement by IRS that 330,000 taxpayer accounts were illegally accessed by criminals using the "Get Transcript" application on the IRS web site.

The complaint alleges that the illegal access of the system "would have been prevented, had the IRS fixed the known security deficits in its data storage system." The complaint further alleges that IRS security was inadequate despite the fact that IRS "knew that cyber-criminals were highly motivated to hack the IRS system in order to steal taxpayer information that has significant value in the black market." Finally, the suit says that IRS "deliberately and intentionally decided not to implement the security measures needed to prevent the subject data breach."

The suit specifically referenced recommendations issued by the Treasury Inspector General for Tax Administration (TIGTA) to IRS which the IRS did not implement. For example, TIGTA warned that "[u]ntil the IRS takes steps to improve its security program deficiencies and fully implements all 11 security program areas required by the FISMA, taxpayer data will remain vulnerable to inappropriate use, modification, or disclosure, possibly without being detected." With that knowledge, IRS did not act to protect taxpayers, according to the plaintiffs who allege that the failure to act was deliberate and not related to a cut in financial resources.

According to the complaint, the illegal access of taxpayer information "did not require significant funding, technology, or intelligence" but mere access to "knowledge-based authentication" (KBA) involving so-called "out of wallet" information. That information, used by banks and other web-based applications, can be determined by mining information online, including from social media sites.

The damage to taxpayers and their spouses could be significant. At a June 2, 2015, hearing of the Senate Finance Committee after the breach, Chairman Orrin Hatch noted that "These taxpayers, and their families, must now begin the long and difficult process of repairing their reputations. And they must do so with the knowledge that the thieves who stole their data will likely try to use it to perpetrate further fraud against them." As a result, the plaintiffs are seeking damages to compensate them for not only current losses (it's not yet clear what those are) but future losses. The plaintiffs are also requesting injunctive relief "to fix the IRS’s security protocol" as well as directing IRS to follow TIGTA’s audit recommendations.

Curiously, the suit also seeks "adequate credit monitoring services for a sufficient time period" for the plaintiffs. As part of its initial statement following the breach, the IRS has promised free credit protection for affected taxpayers.

Finally, the plaintiffs are asking for "after-the-fact identity repair services" and identity theft insurance, as well as attorney's fees and other damages.

According to the complaint, plaintiff Wendy Windrich has never used or accessed the "Get Transcript" application on the IRS website. Windrich learned that her personal information was used to file a fraudulent tax return claiming a $9,300 tax refund. Since she had no reason to believe that her personal information had been stolen prior to the Get Transcript incident, Windrich believes that the information could only have come from the Get Transcript application.

Similarly, plaintiff Becky Welborn was alerted that her personal information had been used to file a duplicate joint return. When pressed, the IRS representative explained to Welborn that her transcript had been accessed using the Get Transcript application. Despite the fact that she was promised follow-up, Welborn says she has not received any written notification of the breach from the IRS.

Why just two plaintiffs? The plaintiffs are bringing the action as part of a proposed class for a class action lawsuit. By law, you need at least one named plaintiff in order to represent a class. If the court allows the matter to proceed as a class action, then all taxpayers who were affected by the breach (including spouses and dependents) will potentially be included. The plaintiffs claim that there could be "500,000 or more members of the class located throughout the United States."

Since the nature of the allegations should be the same or similar from all taxpayers involved in the breach, the plaintiffs intend to represent the class. If the court approves the class, all affected taxpayers would be automatically included in the lawsuit unless they opt out under the rules. The plaintiffs also request that their counsel represent the class. Currently, there are four law firms who purport to represent the class including McCuneWright, LLP of Southern California; Abbott Law Group, P.A., of Jacksonville, Florida; Morgan & Morgan, of Tampa, Florida; and Rhine Law Firm, P.C., of Wilmington, North Carolina.

The IRS has not issued a comment in response to the suit.

You can read a copy of the complaint here.
