The Taxpayer First Act (TFA) of 2019, which became law on July 1, makes a variety of changes to the Internal Revenue Code (IRC). Title II, Subtitle A of the TFA, entitled “Cybersecurity and Identity Protection,” addresses taxpayer identity theft. As more and more tax preparation and filing activities move into online spaces, cybersecurity is a growing concern. The TFA directs the IRS to work with the private sector to improve data security, and to standardize and improve its policies and practices regarding taxpayer data. It also increases penalties for misuse of confidential taxpayer information.
What Is Identity Theft?
Identity theft involves the unauthorized use of personally identifying information (PII)—name, address, date of birth, Social Security number, etc.—for financial gain. An identity thief might, for example, purchase items with a credit card in someone else’s name, and leave that person with the debt. In many cases, a person hacks into a private company’s servers steals a large volume of data and tries to sell that data to others. A hacker allegedly gained access to the records of over 100 million people stored on a server owned by Capital One in March 2019. Federal prosecutors allege that the hacker attempted to share this information with others.
Several massive data breaches have occurred in the private sector in recent years. Consumers have incurred losses due to identity theft, and banks, credit card companies, retailers, and other businesses have faced substantial liability. Taxpayer information transmitted online to the IRS, as well as data stored by the IRS, includes numerous forms of PII. Section 6103(a) of the IRC prohibits the disclosure of “returns and return information” by government employees, contractors, and others, except as specifically authorized by law.