Tax pros: how to protect your clients and your firm after the largest-ever IRS data breach
On January 29, 2024, Charles E. Littlejohn (gov.uscourts.dcd.260322.23.0) was sentenced to five years in prison for organizing one of the largest data thefts in the history of the U.S. federal government. Littlejohn's crime includes stealing and distributing sensitive data from the Internal Revenue Service (IRS), targeting some of the wealthiest individuals and entities in the United States.
This breach exposed personal tax information and highlighted vulnerabilities within IRS systems. More than four years after the incident, the IRS has just begun notifying affected taxpayers.
As trusted advisors, tax professionals and accounting firms have a responsibility to help lead their clients through this crisis and take proactive steps to help protect their sensitive information now and in the future.
Understanding the breach
Littlejohn used his position within the IRS to access and illegally copy tax returns and related documents, which he then provided to ProPublica. This breach has significant implications because of both the sensitivity of the data involved and how long notification to affected taxpayers was delayed. Notifications did not start until April 2024, years after the breach was discovered and following Littlejohn's sentencing.
The extent of how many taxpayers were affected by the breach was unknown until now. It is the largest documented data theft at the IRS in history, with Littlejohn admitting to taking tax information from thousands of wealthy Americans between 2018 and 2020.
The IRS is now sending notification letters to affected taxpayers, and it’s expected that additional lawsuits will result from notifications as taxpayers become aware that their information was compromised.
Immediate steps tax professionals can recommend to clients
As tax professionals, it is our responsibility to guide our clients through the aftermath of this breach. Here are specific actions to consider:
1. Recommend clients apply for an Identity Protection PIN
A common tactic following a data breach is for criminals to use stolen Social Security numbers to file fraudulent tax returns and claim refunds.
An Identity Protection PIN (IP PIN) can help prevent this. The IP PIN is a 6-digit number assigned by the IRS that must be used when filing a return, blocking identity thieves.
Encourage clients affected by the breach to apply for an IP PIN through the IRS website. Remind them to keep their IP PIN secure and never share it, even with you.
2. Obtain and review client tax transcripts
The IRS maintains detailed transcripts of each client's tax filings, payments, and other account activity. Regularly reviewing these transcripts can uncover any suspicious or fraudulent activity.
Advise clients to request their tax transcripts through the IRS Get Transcript service and review them carefully for any irregularities. As their tax preparer, you can also obtain transcripts on their behalf to monitor their accounts.
If you identify any issues, work quickly with the client and the IRS to address them.
3. Suggest clients freeze credit and/or use identity protection monitoring services
While an IP PIN and tax transcript review can safeguard against tax-related fraud, clients also need protection from other identity theft risks, such as fraudulent loan applications. Encourage them to enroll in an identity monitoring service from a reputable provider.
Credit monitoring services scan the dark web, public records, and other sources to detect any suspicious activity linked to the client's personal information. Many also provide insurance and assistance if identity theft does occur.
In addition, consider suggesting clients freeze their credit with the three credit bureaus — TransUnion, Equifax, and Experian.
4. Consider legal action if impacted by the case
Some clients may want to explore legal action against the IRS or other parties responsible for the data breach. High-profile figures like Citadel's Kenneth Griffin (Griffin v. Internal Revenue Service et al.) have already filed lawsuits, alleging the IRS failed to secure taxpayer data properly.
Advise clients that under the Internal Revenue Code, they have two years from the date they discovered the breach to file a lawsuit. However, deciding to litigate requires careful consideration of the costs, publicity, and potential outcomes. Keep in mind that even though the letters from the IRS inform taxpayers that they have the right to sue for unauthorized data inspection or disclosure, the maximum compensation is $1,000 per incident, along with the possibility of punitive damages and legal fees. Additionally, taxpayers must identify the specific data that was compromised before proceeding with any lawsuit. Given that, bringing a lawsuit may not be worthwhile. As their advisor, you can provide guidance on the process and help connect them with legal counsel if your client chooses to proceed with legal action.
5. Strengthen your firm's cybersecurity
This breach is a stark reminder that tax professionals and accounting firms are prime targets for cybercriminals. It is crucial that you take steps to secure your systems and data to protect both your clients and your practice.
Steps to strengthen your systems include:
- Conduct a comprehensive security risk assessment to identify your most sensitive data and vulnerabilities.
- Implement robust data protection measures, such as encryption, access controls, and secure backup and disposal procedures.
- Ensure all devices, software, and networks are kept up-to-date with the latest security patches.
Consider engaging a cybersecurity specialist to assist with these efforts. Many professional liability insurers offer guidance and resources to help accounting firms and tax offices strengthen their defenses.
Stay vigilant and proactive
The IRS data breach has further shaken the public's trust in the tax system. As tax professionals, we have a critical role in helping our clients protect their confidential data.
We should encourage clients to monitor their tax and financial accounts proactively and assist them in obtaining transcripts, applying for IP PINs, and addressing suspicious activity.
In an era of escalating cyber threats, proactive risk management is essential for protecting both your firm and your clients.