August 27, 2019

The Taxpayer First Act (TFA) of 2019, which became law on July 1, makes a variety of changes to the Internal Revenue Code (IRC). Title II, Subtitle A of the TFA, entitled “Cybersecurity and Identity Protection,” addresses taxpayer identity theft. As more and more tax preparation and filing activities move into online spaces, cybersecurity is a growing concern. The TFA directs the IRS to work with the private sector to improve data security, and to standardize and improve its policies and practices regarding taxpayer data. It also increases penalties for misuse of confidential taxpayer information.

What Is Identity Theft?

Identity theft involves the unauthorized use of personally identifying information (PII)—name, address, date of birth, Social Security number, etc.—for financial gain. An identity thief might, for example, purchase items with a credit card in someone else’s name, and leave that person with the debt. In many cases, a person hacks into a private company’s servers steals a large volume of data and tries to sell that data to others. A hacker allegedly gained access to the records of over 100 million people stored on a server owned by Capital One in March 2019. Federal prosecutors allege that the hacker attempted to share this information with others.

Several massive data breaches have occurred in the private sector in recent years. Consumers have incurred losses due to identity theft, and banks, credit card companies, retailers, and other businesses have faced substantial liability. Taxpayer information transmitted online to the IRS, as well as data stored by the IRS, includes numerous forms of PII. Section 6103(a) of the IRC prohibits the disclosure of “returns and return information” by government employees, contractors, and others, except as specifically authorized by law.

The Taxpayer First Act of 2019

Personal Identification Numbers

Currently, Social Security numbers serve as one of the main identifiers for individual taxpayers. These numbers are also used for credit applications and countless other financial activities, making them a powerful tool in identity theft.

The TFA directs the IRS to create a program that issues unique identifying numbers to taxpayers, upon a taxpayer’s request. The stated purpose of this identification number is “to assist…in verifying such individual’s identity.” The program should be available nationwide by July 2024.

“Single Point of Contact”

A common problem for identity theft victims is confusion about whom to contact to resolve the issue. The TFA directs the IRS to provide a “single point of contact” to every taxpayer alleging identity theft, in order to “track the taxpayer’s case to completion.”

Notification Requirements

The TFA adds a new section to Chapter 77 of the IRC requiring the IRS to notify a taxpayer of any suspected “unauthorized use of the[ir] identity.” This notification should include “instructions on how to file a report with law enforcement” and additional information on what the individual can do to protect themselves. This provision will take effect in January 2020.

Fraudulent Refunds Involving Identity Theft

The IRS has until July 2020 to issue new guidelines, available to the public, “for management of cases involving stolen identity refund fraud.”

Penalties for Unauthorized Use or Disclosure of Taxpayer Information

Sections 6713 and 7213 of the IRC establish civil and criminal penalties, respectively, for tax preparers who misuse or misappropriate taxpayer information. The TFA amends both sections to enhance those penalties.

If you have questions about taxes in California, the Enterprise Consultants Group’s tax advisors are available to help you. Please contact us online or at (800) 575-9284 today to discuss your case.