United States Founding Father Ben Franklin is famously quoted as saying “in this world nothing can be said to be certain, except death and taxes.” This idiom, while humorous, is apt for update.
In a country where electronic communications and the use of the internet have become as basic as breathing and eating, the axiom must be updated to say, “in this world nothing can be said to be certain, except death, taxes, and data breaches.” Conservative estimates are that, upwards of 2.5 quintillion bytes of data (2.5 million terabytes) are created every single day. By 2020, estimates project that 1.7 megabytes of data will be created every second for every person on earth (roughly 3.6 million terabytes total).
With such an unfathomable amount of data being created, the likelihood that even 1% of this data contains sensitive personally identifiable information (PII) that could be used for identity theft is not a hard case to make. The last few years have seen a new slew of data breaches, from Cambridge Analytica, to Marriott, to Equifax. Through all of these breaches, an annual and unavoidable threat remains. From late October through mid-April the number of identity theft related security incidents increase due to end of year holiday spending (retail, hospitality, travel) and because of the U.S tax filing season that occurs between late January and mid-April. Both businesses and individuals can take steps to prevent, detect, and respond to incidents involving exposure of PII.
Steps Businesses Should Take:
Businesses, in particular those handling sensitive client information, need to respond swiftly to an indication of a breach. Should the unthinkable happen, the IRS offers insights into a plan of response.
1. Contact experts – DO THIS ASAP!
- Data breach lawyer – This should be the first person you call.
- Cyber forensics expert – They can determine the cause and scope of the breach, what to do to stop the breach and prevent further breaches from occurring.
- Insurance company – Report the breach and check to see if your insurance policy covers data breach mitigation expenses.
2. If deemed appropriate by legal counsel, contact the IRS and law enforcement
- Federal Bureau of Investigation – Contact your local office.
- Secret Service – Contact your local office (if directed).
- Local police – File a police report on the data breach.
3. If deemed appropriate by legal counsel, contact states in which you prepare state returns:
- State Tax Agencies – Contact each state in which you prepare returns.
- State Attorneys General – Contact each state in which you prepare returns.
Steps Individuals Should Take:
According to guidelines provided by the IRS, individuals facing a breach of their data should proceed with the following actions:
- If possible, determine what type of Personally Identifiable Information (PII) has been lost or stolen. For example, a stolen credit card number will not affect your IRS tax account.
- Stay informed about the steps being taken by the company that lost your data.
- Follow the Federal Trade Commission recommended steps, including:
- Notify one of the three major credit bureaus to place a fraud alert on your credit file.
- Consider a credit freeze, which will prevent access to your credit records.
- Close any accounts opened without your permission.
- If you received IRS correspondence indicating you may be a victim of tax-related identity theft or your e-file tax return was rejected as a duplicate, take these additional steps with the IRS:
- Submit an IRS Form 14039, Identity Theft Affidavit
- Continue to file your tax return, even if you must do so by paper, and attach the Form 14039
- Watch for any follow-up correspondence from the IRS and respond quickly.
Hopefully, you’ll never need to use these protocols. But in the statistically likely event you may experience a breach of your personal data, contact the correct authorities as quickly as possible and monitor your information closely as your case develops.