One For You, Nineteen for Thieves: Data Breaches and Federal Tax Fraud
The close of tax season is finally upon us, bringing with it relief for the last-minute filer, excitement for the unexpectedly-large-refund recipient, and a renewed sense of freedom for the seasonal tax preparer released back into the world to once again enjoy the sights and sounds of civilization. But for another group of people, tax season will drag on indefinitely as they spend hours on the telephone with the IRS, fill out mounds of paperwork, and hope against hope to eventually get the refund they were counting on. These people are the victims of tax fraud, in many instances as a direct result of having their personal information stolen in a data security breach.
Data breaches have been front-page news lately, and it seems there’s a new one literally every month: Target, Michaels, Neiman Marcus, Jimmy Johns, Home Depot, Paytime, P.F. Chang’s, Uber, Anthem, Kmart, the list goes on. In a world where the vast majority of purchases are made with a debit or credit card, and where records (including sensitive medical records) are largely maintained electronically, lax data security measures can lead to drastic outcomes for consumers, including credit card fraud and identity theft.
Unfortunately, affected consumers oftentimes have little or no legal recourse. In a troubling legal trend, many federal courts have taken the view that even if one’s personal information (name, address, birthdate, social security number, bank account information, etc.) is stolen in a data breach, and even if cyber thieves have used that information to place fraudulent charges on that person’s account, no legal remedy is available unless that person has suffered unreimbursed, out-of-pocket expenses as a result of the breach. Until then, consumers must simply play the “waiting game,” monitoring their accounts for potential fraudulent charges, purchasing credit monitoring and identity theft protection at their own expense, or accepting protection from the breached company that is almost universally inadequate (usually 1 year, even though identity theft can occur years later).
Recently, this waiting game has ended for many when they go to file their federal income tax returns and learn that someone else has already filed in their name, using their social security number, and taken off with their refund. These taxpayers are then confronted with an obstacle course of red tape to clear their names: filing police reports, submitting affidavits to the IRS trying to prove their identity, and going through the cumbersome task of filing paper returns because their e-filing privileges have been revoked as a result of the fraud. These hoops can take days or weeks to jump through and, in a best case scenario, will end with the IRS restoring their identities and providing their refunds after months of delay.
Only one federal court has had the opportunity to confront the tax fraud issue head on in the context of a data breach. In In re Horizon Healthcare Servs. Data Breach Litig., 2015 U.S. Dist. LEXIS 41839 (D.N.J. Mar. 31, 2015) [Disclosure: my firm represents plaintiffs in this litigation], the U.S. District Court in New Jersey rejected a consumer’s claim that the defendant’s data security breach had resulted in thieves filing fraudulent income tax returns in his and his wife’s names and stealing their refund. In doing so, the court concluded that the fraud was not “fairly traceable” to the data breach (i.e., the thieves likely obtained the personal information from another source) and that, in any event, the consumer ultimately received his refund. This is a problematic ruling for consumers, particularly on the latter point, as it fails to account for the significant investment of time and resources necessary to get that refund back. And, of course, not everyone will be so lucky.
Future rulings will help to clarify this area of the law, and they are coming soon. Hopefully for consumers, these rulings will take into account the fact that tax fraud is a fundamentally different animal: unlike a credit card, you cannot simply “cancel” your social security number and birthdate. For some, a fraudulent tax return may only be the beginning of their problems, as their most sensitive identifying information remains in the hands of criminals who have displayed not only the intent but the ability to misuse it. As data breaches become more frequent, so too, regrettably, will tax fraud. Victims of tax fraud should not be left to fight their battles alone. Between now and next April 15th, consumers will need to keep a keen eye not only on their personal information and financial accounts but on the courts, who will decide – if and when that tax fraud occurs – whether the law will be on their side.