Once more into the breach… The security breach of an Equifax online dispute portal from May to July 2017 was a whopper. According to a report published by the US Government Accountability Office in August 2018, records containing personally identifiable information of at least 145.5 million people in the US and nearly 1 million outside of the US were compromised.
What does that have to do with tax? The internal revenue service used Equifax as the contractor for taxpayer identity and verification services and was one of Equifax’s largest federal customers (along with the post office and the social security administration). One reason the IRS verifies taxpayer identity is to make sure that individuals who want to access prior year tax returns are the legitimate filers of those returns.
Due to concerns about the potential for fraud using the stolen data, the IRS got a list of the individuals affected by the breach from Equifax. The IRS used the list to identify which taxpayers were affected and to look for potential instances of identity fraud affecting those taxpayers. The IRS made public announcements about the impact of the breach, noting that the agency did not expect the breach to have any impact on taxpayers’ ability to securely file tax returns.
As a result of the breach, the IRS changed the Equifax contract for credit reporting services to require prompt notification of any future breach.
Do you think Equifax is still the contractor for IRS taxpayer identity and verification services?
One result of the Equifax breach was the Economic Growth, Regulatory Relief, and Consumer Protection Act, a law that was signed into effect in May 2018.
Note: Taxing Lessons provides a summarized version of sometimes lengthy court decisions and official documents. The full documents may include facts and issues not presented here. Please use the link provided in the post to read the entire document.
This information should not be considered legal, investment, or tax advice. Taxing Lessons and Top Drawer Ink Corp. do not provide legal, investment, or tax advice. Always consult your legal, investment, and/or tax advisor regarding your personal situation.
Equifax did not directly notify major federal customers of the 2017 breach prior to its public announcement because its contracts with those agencies required notification only of breaches directly involving the systems that provided services to the federal government.
IRS officials stated that the contract with Equifax for credit reporting services was changed to require Equifax to promptly notify the IRS of any data breach, regardless of which of the company’s systems it may affect.
The contract change also required the company to notify the IRS within one hour after a breach is discovered, rather than within the previous time frame of 24 hours.
In addition, according to the officials, cybersecurity language in the IRS’s contract was modified to ensure better implementation and oversight of technical security controls.
In June 2017, prior to the discovery of the breach, the IRS began a new acquisition for taxpayer identity and verification services by issuing a request for quotations to three consumer reporting agencies (including Equifax and Experian) holding contracts under the federal supply schedule.
The IRS selected Experian as offering the lowest-priced, technically acceptable quotation, for issuance of a fixed-price task order and establishment of a blanket purchase agreement.
Equifax filed a bid protest on July 5, 2017, with the government accountability office challenging the IRS’s evaluation of Experian’s quotation.
Equifax discovered the breach on July 29 and, after investigating it, announced the breach on September 7. On September 29, during the government accountability office’s consideration of the protest, the IRS awarded Equifax a short-term, sole-source contract for $7.25 million to cover identity and verification services during the time frame needed to resolve the protest. IRS considered these services “critical” and “cannot lapse.”
However, following the completion of its breach-related security assessments, the IRS issued Equifax a stop-work order to suspend its performance under the short-term, sole-source order.
The government accountability office denied Equifax’s protest on October 16, 2017, and the IRS proceeded with the task order issued to Experian for the taxpayer identity and verification services.
Starting September 21, 2018, you can freeze and unfreeze your credit file for free.
You also can get a free freeze for your children who are under 16. And if you are someone’s guardian, conservator, or have a valid power of attorney, you can get a free freeze for that person too.
Security freezes, also known as credit freezes, restrict access to your credit file, making it harder for identity thieves to open new accounts in your name.
You’ll need to contact all three of the nationwide credit reporting agencies (Equifax, Experian, and TransUnion) to request a credit freeze.