Happy Tax Day everyone. Across the United States, millions of taxpayers are scrambling to meet the midnight filing deadline. Here in New York City, almost 2.5 million file in the days leading up to April 15. Most years, I am one of those last-minute filers. This year, however, my clients scared me into filing early. In February, I began receiving call after call from individuals reporting that they were the victim of fraudulent tax return filings. Lifetime New Yorkers contacted me reporting the receipt of Internal Revenue Service (IRS) inquiries about the tax returns they allegedly filed in Texas. There was the client in Connecticut who opened his mail to find a letter from the Oklahoma Tax Commission requesting more information before it could process “his” return. And there was even an Arizona client who managed to get his hands on the false return filed under his name. Somehow the thieves not only had his name, place of employment and Social Security number, but they also knew how much he made in 2013 and declared a 2014 income that was $6,000 greater. The return generated by this false filing was deposited directly onto a reloadable MasterCard. When my client confronted the IRS, he was told that he was in unlawful possession of another filer’s return!
I could continue with dozens more stories. Is it a coincidence that tax fraud has swept the nation in the wake of the massive healthcare breaches at Anthem, Inc. and Premera Blue Cross? Roughly 90 million individuals were affected by those two hacks — over one-fourth of the U.S. population. In each of the incidents, the most sensitive personal information was compromised — Social Security numbers, medical identification numbers, and enough identifying data to obtain credit reports, apply for unemployment benefits, obtain medical treatment, and commit all other manner of fraud.
Tax Fraud Causes Significant Societal Harm
Fraudulent tax return filings are not new, of course. In 2013, the IRS paid an estimated $5.2 billion in tax refunds obtained from identity theft. But 2015 feels different. In early February, shortly after Anthem announced it was breached, TurboTax temporarily suspended electronic filings of state tax returns. Intuit, the maker of TurboTax, explained that its actions were in response to a sharp rise in suspicious filings. Minnesota’s Department of Revenue temporarily stopped accepting returns submitted through TurboTax. And on February 8, the Connecticut tax commissioner publicly urged taxpayers to file their returns as quickly as possible to, in essence, beat fraudulent filers to the punch. In this environment, it is a surprise that anyone waited until April to file.
Tax fraud exacts a tremendous toll on individuals and the public as a whole. The IRS routinely tells our clients to expect a six month review process before the fraud is resolved. Delayed payment may not matter much to some, but there are millions of taxpayers who have budgeted for their expected return. One of my clients was expecting to use his return to resolve an outstanding debt. Now he is pleading with his creditor for more time. Even if his repayment plan is extended, interest will surely continue to accrue. This is not to mention the countless hours spent on the telephone, completing paperwork, and undergoing audits — just to return to the status quo. Ultimately, even if every taxpayer receives his or her return, we are all collectively going to lose because the IRS will pay billions in fraudulent filings and in administrative expenses correcting those filings.
Fraudulent Tax Filings are the Result of the Breach at Anthem and Premera
Anthem and Premera bear some responsibility for this mess. Individuals entrusted those companies with their most sensitive confidential data, and Anthem and Premera lost it. What is more, there is reason to believe that companies like Anthem and Premera knew their cybersecurity protections were inadequate. Between 2007 and 2013, Anthem and its affiliates have lost confidential customer data at least half a dozen times, either because their security systems were breached or because employees carelessly handled customer data. In Premera’s case, the federal government audited its cybersecurity systems just weeks before Premera was hacked and told the company that it was vulnerable to a data breach. These warnings fell on deaf ears. Security experts are not surprised. On the whole, the healthcare industry lags far behind other industries when it comes to cybersecurity. Martin Walter, senior director at RedSeal Networks, has explained that healthcare companies “in comparison spend significantly less on security, making them relatively easy targets.” This should be highly disturbing given the highly sensitive data these companies store.
Will the Courts Protect Victims’ Rights?
The big question, of course, is whether tax-fraud victims will be thrown out of court when they seek redress against defendants like Anthem and Premera. A concerning number of trial courts are dismissing data breach victims on the pleadings, ostensibly for lack of standing. Plaintiffs with evidence of actual tax fraud, however, should easily clear Article III injury prerequisites. Even under the most stringent standing jurisprudence — the Third Circuit’s Reilly v. Ceridian decision — tax fraud surely constitutes “misuse” of personal information.
But what about causation? Victims of the Anthem and Premera data breaches will present strong circumstantial evidence linking the data breach and subsequent tax fraud, but will it be enough? And if the courts throw these cases out for lack of a “smoking gun,” what message will that send to companies that fail to place a premium on customer privacy? Data breaches exact a significant societal toll, and companies can and should do more to protect the information that they store. Companies have little incentive to change, however, unless the civil justice system forces them to do so. Time will tell whether the courts respond to this growing societal harm.
1. http://cityroom.blogs.nytimes.com/2015/04/13/new-york-today-tips-for-tax-day/?module=BlogPost-Title&version=Blog Main&contentCollection=New York Today&action=Click&pgtype=Blogs®ion=Body