The announcement states that copies of the current tax year and the previous six years are available. The instructions are fairly specific in terms of what a taxpayer, or authorized representative, must include along with the request. A chart covers what return information will be visible on the copy versus redacted. For example, the names of the taxpayer, spouse, and any dependents on the return will be redacted except for the first four letters of the last name. SSNs, ITINs, and EINs will also be redacted except for the last four digits. Additionally, phone numbers and bank numbers will be redacted expect for the last four digits. The entire address will be redacted minus the street name. The names and addresses of “other persons” or entities listed on the return will be completely redacted along with the numbers associated with the tax return preparer or third party designee.

The redactions appear appropriate in light of the disclosure statute and Chief Counsel guidance, although, arguably, the restrictions may go further than required under section 6103 with respect to “other persons,” namely return preparers. The instructions indicate that a request will be returned if the address listed does not match the requestor’s IRS address of record. There are certainly instances when a victim’s IRS address of record is changed due to no fault of his own. For example, the address of record may not be correct when the Service processes an identity theft return and does not receive a paper filed return from the true owner of the SSN for the same tax year. Taxpayers whose requests are rejected due to an address mismatch will be instructed to change their address of record by filing a Form 8822, Change of Address. The request may be resubmitted after the Service processes the address change.

During the initial phase of this new program, the Service will probably take longer than the reported 90 day average to effectively process and respond to requests for copies of fraudulent returns, as the volume is unpredictable and the cases complex. Undoubtedly many requestors will experience processing holds due to open identity theft issues, and a significant number of requests will likely be returned as a result of address mismatches or failure to follow the instructions. Nonetheless, in an era of perceived dysfunction in tax administration, it’s important to acknowledge when a positive policy change occurs through multifaceted advocacy efforts.

My previous post optimistically noted that after almost a decade of annual increases, the volume of IRS identity theft incidents finally declined by roughly 42 percent in 2014 compared to its peak of 1,901,105 in 2013. Considering the attention and resources focused on this problem, the marked decline in 2014 showed promise.  Unfortunately, the NTA’s June report indicates that the number of open identity theft cases impacting taxpayers in IRS inventory (as of May 2015) swelled again to near May 2013 levels—up 69 percent from May 2014.

The NTA attributes the recent rise in open identity theft cases back to levels observed in 2013 to “the overreach of the TPP [Taxpayer Protection Program] filters and understaffing of the TPP phone lines.” The TPP is responsible for detection, evaluation, and prevention of improper refunds related to identity theft. During the 2015 filing season, TPP return processing filters identified 1,558,874 potentially fraudulent returns using 196 distinct filters that flag returns when certain characteristics are identified. The false positive rate was around 34 percent, meaning that a third of electronically filed tax returns that TPP stopped from posting to a particular account were filed by legitimate taxpayers who expected timely receipt of their tax refunds. These taxpayers received a TPP notice instructing them to call a particular phone number to resolve the issue; however, most that called during the peak of tax season in February were unable to get through at all to a live phone assistor. For those that did get through, there average wait time was between 20 minutes to over an hour.

Immediately after the May 2015 data breach scandal (which turned out to affect around 250,000 more taxpayers than initially reported), we learned that earlier in the Spring, Commissioner Koskinen convened key officials from state taxing authorities and the private tax industry together for a Security Summit to discuss the significant challenges facing tax administration as a result of tax-related identity theft, and potential coordinated strategies. It was widely reported that an agreement was reached among the participants “to form a public-private partnership committed to protecting the nation’s taxpayers and the tax system from IDT [identity theft] refund fraud.” In June, a 9 page report was released detailing the goals of each of the working groups formed from the Security Summit, outlining recommendations, listing existing proposals for congressional consideration, discussing next steps, and describing the participants. This partnership is certainly an innovative approach, and it will be interesting to see how this collaboration plays out.

The Social Security Identity Defense Act was introduced in May and is aimed at amending section 6103 to make it easier for victims of identity theft and law enforcement officials to receive information pertaining to tax-related incidents of identity theft from the FBI and DOJ. Although it is unlikely to be enacted, this bill has reignited discussion regarding the intersection of identity theft and section 6103 disclosure issues. For example—to what extent is the victim taxpayer entitled to information from the Service regarding the incident? Presently, under PMTA 2012-005, Chief Counsel takes the position that once an invalid return is submitted, it becomes the return information of both the true owner of the SSN and the identity thief because the information relates to the potential investigation of liability with respect to both parties. Therefore, the victim of identity theft should have a right to a copy of the bad tax return as long as disclosure would not impair federal tax administration.

In confirmed or suspected cases of identity theft, a taxpayer’s account is marked with various types of identity theft indictors. When such an indicator is present, taxpayers and their representatives may find it difficult to obtain copies of tax returns or related tax transcripts from the Service because employees are trained to safeguard taxpayer information protected by section 6103. Disclosure violations carry the threat of civil fines and even potential criminal charges. Despite Chief Counsel guidance indicting that the bad return is the return information of both the victim and the alleged identity thief, the IRM “instructs employees to not  to provide . . . copies of tax returns when identity theft indicators are present on the requestor’s account.” In May of 2015, Senator Ayotte wrote a letter to Commissioner Koskinen expressing her concern “with IRS’s refusal to provide tax identity theft victims with copies of the fraudulent returns filed in their names.” She referenced the 2012 Chief Counsel memorandum to support her complaint and request for the Service to change its non-disclosure practices. Commissioner Koskinen acquiescence in a written response issued later the same month and stated that the Service would develop procedures to allow victims of identity theft to request and receive (redacted) copies of tax returns filed under their SSNs.

The hearing held in August covered familiar and fairly bleak territory as well as some encouraging announcements about major programmatic changes regarding identity theft cases processing. A taxpayer testified about the bureaucratic nightmare she endured dealing with IRS and other agencies when her e-filed return was rejected because her deceased child’s SSN was used to file multiple fraudulent returns (it is worth noting that none of the fraudulent filings actually got passed IRS filters). Christopher Lee, TAS Senior Attorney Advisor; J. Russel George, TIGTA; and Commissioner Koskinen testified about the general state of refund-related identity theft—the broad consensus was that despite its many gains in terms of detection and prevention of refund-related identity theft, the Service still has a long way to go in order to get ahead of the overall identity theft crisis.

In addition to the jump in the number of incidents during the 2015 filing season, and the TPP false positive rate, lengthy delays in case processing and poor customer service are stubborn problems (although the situation is certainly not as bad as it once was in the early part of the decade). A study conducted by TAS of cases closed in 2014 found that 179 days was the average resolution time for an identity theft case from a taxpayer’s perspective. The Service’s slow progress towards improvement of case processing times is partly attributable to the increasing complexity of identity theft cases. Such cases require the involvement of multiple functions under the Service’s decentralized case management structure, which has been in operation for several years. The same 2014 TAS study found that approximately 30 percent of cases involve multiple issues.

TAS has repeatedly called for the Service to set-up “a sole point of contact system” for victims with complex identity theft cases. While the Service has announced its final phase of a plan to re-engineer its approach to victim assistance, moving towards a more centralized model, the prospects for adoption of this particular TAS recommendation appear dim. Commissioner Koskinen’s version of a “single point of contact” described during the hearing involves yet another specialized toll free phone line, as opposed to the TAS model of one designated employee to handle a particular victim’s case.

The Commissioner’s testimony reminded stakeholders that sophisticated cyber criminals present momentous challenges to the Service in an era of archaic IRS technological systems and strained financial resources. Still, he pledged that the Service is continuing to work diligently on efforts to combat identity theft, and he announced some specific plans for 2015-2016. One is the roll out of the Identity Theft Assistance organization, a consolidation of various identity theft programs into one division aimed at unifying the Service’s victim assistance and identity theft compliance activities. Another is an improved case resolution average of 120 days. Further, new protections for electronic filing, developed by the Security Summit working groups, were promised before the 2016 filing season.

The Service requested additional money for improved cyber security and revamped identity theft initiatives, which is reflected in the President’s FY 2016 Budget pending before congress. All tax administrators who testified at the hearing agree that the IRS needs more funding to address the identity theft epidemic. They also share the view that congress should take a more active role in enacting various legislative tools to assist the IRS in combating this pervasive problem.

In terms of tax administration, identity theft is a relatively new phenomenon—emerging in the early 2000s along with the rise in e-filing. There are two types of tax-related identity theft: refund-related and employment-related. The latter occurs when an individual uses the SSN of another in order to gain employment, which often causes IRS problems because of the wages earned and reported by employers under the wrong SSN.  Most attention and resources are focused on refund-related, which involves the use of stolen personal data to obtain improper refunds causing economic damage to individual taxpayers and the treasury. IRS figures estimate the cost of undetected refund-related identity theft at approximately $5 billion a year. Until tax year 2013, the numbers of taxpayers affected by (broadly defined) tax-related identity theft each year rose at an alarming rate. According to a 2013 TIGTA report here in calendar year 2010, there were roughly 440,581 IRS identity theft incidents compared to 1,901,105 in 2013.

From 2004 to 2013, the NTA identified tax-related identity theft as one of the “‘Most Serious Problems” faced by taxpayers in nearly every annual report submitted to Congress here. In addition to the various audits TIGTA conducts each year on the Service’s information security programs, TIGTA has aggressively audited IRS handling of identity theft and its ongoing efforts to stop it before a taxpayer is victimized. At the beginning of the decade refund-related identity theft overwhelmed the IRS. Victim taxpayers generally waited over a year to receive their refunds and, often, had to submit numerous copies of the same evidence to IRS in order to resolve their cases. A review of TIGTA and TAS reports shows that the peak of lost revenue and the length of case processing for victims occurred in 2010 through 2012. The volume of actual incidents (both employment and refund-related) was the highest in 2013 and, finally, declined by roughly 42% by the end of 2014 here. Since 2012, the IRS has made combating identity theft a top priority and steady progress has been made on both prevention and victim services. The IRS used a variety of methods to attack the problem, including: novel technology detection and prevention models,  increased criminal investigations/prosecutions, increased cooperation with the private sector, redevelopment of case processing procedures, expansion of programs to assist victims, and added personnel dedicated to handling identity theft cases. In April 2015, the most recent TIGTA audit on refund-related identity theft here reported $22–24 billion of fraudulent tax refunds were prevented during the 2013 filing season. Still, around $5.75 billion was lost as a result of this crime during the same period. These figures are based on IRS estimates, which generally capture higher figures than TIGTA audits. Most practitioners who regularly work these cases will tell you that processing times have improved (down to a not so impressive average of 6–8 months), and IRS employees are better equipped to handle identity theft claims. The darkest days of tax-related may have already passed, although vulnerabilities in IRS information technology programs could certainly turn the tide.

May’s data breach represented a shift in sophistication by identity thieves. Instead of using personal data stolen from external sources to steal refund money by e-filing fraudulent tax returns, hackers used a hybrid theft model. First, previously stolen information such as names, dates of birth, and addresses, were used to access the “Get a Transcript” feature on the IRS website. This tool was launched in January of 2014 to streamline taxpayer requests for prior year tax transcripts—reducing IRS call volume and providing instant data to the requestor. By accessing these transcripts, cyber-attackers obtained specific details about their victims filing histories. Such information was used (or planned to be used) to circumvent the Service’s return processing identity theft detection filters. It’s worth noting that the IRS has approximately 144 such filters. In his June 2nd testimony before the Senate Finance Committee on this incident here, Commissioner Koskinen stated the Service’s cyber security team detected suspicious activity on the “Get a Transcript” application in mid-May and shut down the feature on May 21st. IRS investigation revealed that roughly 100,000 taxpayer accounts were affected, resulting in around 13,000 suspect tax returns filed. About $39 million in fraudulent refunds were paid out. Another 23,500 returns from these compromised accounts were stopped by IRS fraud filters.

Shifting blame to the IRS for this cyber attack is easy. Much of the agency’s information technology systems are antiquated and known vulnerabilities continue to exist (detailed in TIGTA’s June 2nd written testimony here). Any time there is a high profile problem identified in tax administration, we hear a familiar parade of horribles launched at the agency. This massive disclosure violation merits a more thoughtful response. Indeed, last week IRS announced a formal agreement to work collaboratively with state tax administrators and leaders of the private electronic tax industry. Details of the agreement were developed after Koskinen convened a Security Summit with IRS representatives and these external stakeholders on March 19th, and include new initiatives in the areas of taxpayer authentication; fraud identification; information sharing/assessment; cybersecurity framework; and taxpayer awareness and communication here. These coordinated efforts sound promising but there is a missing player in this partnership to fight back against tax-related identity theft.

Since 2011, at least a dozen congressional hearings on this topic were held, yet no meaningful legislation has emerged to combat tax-related identity theft. The well-treaded path of investigation, condemnation, cost cutting, and added responsibilities will not suffice—legislative solutions are needed. Koskinen mentioned several in the June 2nd hearing: approval of the President’s FY 2016 Budget request (“with $101 million specifically devoted to identity theft and refund fraud, plus $188 million for critical information technology infrastructure”); passage of legislation to “accelerate information return filing deadlines” for improved detection of fraudulent filings during tax season; and criminal and civil penalty deterrence statutes. On June 4th, Senate Finance Committee Chairman, Orrin Hatch, and Ranking Member, Ron Wyden, released a statement outlining the Committee’s work on this issue here. Legislation introduced by Senator Marco Rubio in March of 2015 here aimed at curtailing tax-related identity theft may also merit consideration. Lawmakers should act to implement legislation and better safeguard the public fisc from this pervasive crime.

*In 2014, JP Morgan Chase spent $250 million on cyber security and still experienced a large scale data breach here. In comparison, the IRS spent around $141.5 million on cyber security in the same year here.