Identity theft continues to be a serious issue for individuals and businesses. According to Javelin Research’s 2016 Identity Theft Study, $15 billion was stolen from 13.1 million individuals in 2015 (Al Pascual, Kyle Marchini, and Sarah Miller, “2016 Identity Fraud: Fraud Hits an Inflection Point,” Feb. 2, 2016, http://bit.ly/2fWJgco). For businesses, data breaches can compromise customers, clients, and employees; furthermore, it has been estimated that 90% of data breaches impact small businesses (“Small Businesses: The Cost of a Data Breach is Higher than You Think,” First Data Market Corporation, http://bit.ly/2gQCl1Z). In light of these statistics, it is essential for CPAs to address the financial and tax issues related to individual identity theft as well as compromised business data that can translate into identity theft for customers, clients, and employees.
There are two major phases of combating identity theft: prevention and recovery. The first phase can minimize exposure; the second can help minimize the pain in terms of time and money remediating any problem that results, despite prevention efforts.
Preventing Identity Theft
It is impossible for an individual or business to become completely immune from identity theft. Nevertheless, the following important steps can lessen the likelihood of thieves obtaining and using personal information for fraudulent purposes.
Safeguarding personal/business information.
For individuals, this means taking all of the following actions:
Protecting a Social Security number; for example, a Social Security card should not be carried around (other than to complete Form I-9 when hired for a job).
Limiting disclosure of personal information, such as a birthday, on social media.
Using smart passwords for financial accounts, mobile devices, and other sensitive data and devices.
For businesses, vulnerability can come from within (an employee or former employee) or without (hackers). A more complete discussion about prudent company policy regarding access to sensitive business information can be found later in this article.
For independent contractors, one strategy is to obtain an employer identification number and use it instead of a Social Security number when completing Form W-9 for all engagements.
Tax-related identity theft.
The IRS has been working to combat tax-related identity theft and was able to detect and stop more than 3.8 million suspicious returns in the 2015 filing season (Pascual et al.). The IRS reported some of its accomplishments in addressing this problem at its 2016 Security Summit (“Security Summit Reviews 2016 Accomplishments, Announces 2017 Initiatives,” June 28, 2016, http://bit.ly/2gLincm). Nevertheless, identity theft continues to top the IRS’s list of tax scams (“IRS Wraps Up the "Dirty Dozen" List of Tax Scams for 2016,” Feb. 19, 2016, http://bit.ly/2gNgyJq). These scams occur when criminals impersonating IRS agents try to collect bogus taxes on the threat of arrest, deportation, loss of licenses, and other actions.
They also include phishing, where identity thieves try to steal personal information. Because of the recent proliferation of phone scams, the IRS announced in an internal memorandum on May 20, 2016, that it will not make any initial audit contact with a taxpayer by phone. Individuals should be advised not to respond to any telephone calls purporting to be from the IRS and to refer all inquiries to their CPA.
Credit monitoring services.
Individuals may want to use a commercial credit monitoring service. This can detect when personal information is adversely used so that swift action can be taken to thwart additional theft. Some services also help correct a theft when it occurs. The cost of a particular service varies with the extent of the protection (e.g., whether it entails remedial action if identity theft occurs).
Recovering from Identity Theft
Despite the best efforts to prevent identity theft, it may still occur. Helping individuals understand the actions they can take is an invaluable service.
This involves the fraudulent use of a person’s credit card or bank account. Account takeovers represent 86% of all identity theft (Nicholas Clements, “Don’t Be a Victim of Identity Theft: Free Ways to Fight Back,” USA Today, Oct. 6, 2016, http://usat.ly/2gZKZzg). The good news is that protections can easily remedy the problem with no out-of-pocket cost to the victim. Protections include the following:
Zero-liability policies, which offer full protection in case the card is used fraudulently; many major credit cards do so as long as the problem is reported promptly.
Second-factor authentication, which sends alerts to the account owner when there is potentially unauthorized access.
Tax-related identity theft. This occurs when thieves obtain a taxpayer’s identity to obtain a bogus tax refund. To make matters worse, the real taxpayer may then be unable to e-file his legitimate tax return for the year. The thief may also use the taxpayer’s personal information to get a job; the thief’s employer reports the income under the name of the unwitting taxpayer, who omits it from his return and then receives a bill from the IRS for unpaid taxes.
If a taxpayer knows that his personal information has been compromised, he can file Form 14039, Identity Theft Affidavit, which puts the IRS on the alert. The form is mailed to the IRS, along with a copy of the taxpayer’s Social Security card, driver’s license, passport, military ID, or other government-issued form of identification. Taxpayers can also obtain an Identity Protection Personal Identification Number (IP PIN), which is a six-digit number used in place of a Social Security number when filing an individual income tax return. The IRS will issue an IP PIN to taxpayers who meet the following conditions:
File Form 14039 (explained earlier).
Live in Florida, Georgia, or the District of Columbia, which are part of a pilot program on combating ID theft.
An IP PIN can be obtained online by using “Secure Access Steps,” as detailed in IRS Fact Sheet 2016-20 (http://bit.ly/2gcXhQG).
Medical insurance theft.
This occurs when a thief uses an individual’s name and insurance to obtain medical treatment; the treatment becomes part of the individual’s medical record and can lead to increased health or life insurance premiums and even a denial of life insurance coverage. Under HIPAA, individuals have the right to correct their medical records, although healthcare providers are permitted to charge a fee for providing copies of medical records to a patient. For details about this, see the Identity Theft Resource Center’s Fact Sheet 130A: Correcting Misinformation on Medical Records.
Medical identity theft can also impact healthcare providers, who may not learn about the theft until the IRS seeks taxes for income earned by thieves, as with the earlier tax ID theft example (“Understanding and Preventing Provider Medical Identity Theft,” Centers for Medicare and Medicaid Services, http://go.cms.gov/2gcYS9c).
Driver’s license theft.
This occurs when a thief fraudulently uses a driver’s license obtained under another person’s name. That person can be charged with fines and tickets, and violations (including DUIs) can appear on the person’s driving record. The result can be loss of the person’s driver’s license, higher car insurance costs, and adverse background checks that can prevent being hired for a job.
If an individual learns that she has become a victim, she should report the fraud to the state department of motor vehicles. Remedial action, such as obtaining a new driver’s license, varies from state to state. It is also advisable to alert one’s car insurance company.
Strategies for Tax and Financial Planning Professionals
Protecting the personal information of clients is vital. Breaches can result in identity theft for clients and severe financial losses to professionals. For example, there can be criminal and civil penalties for tax return preparers who knowingly or recklessly disclose return-related information (Internal Revenue Code section 7216).
The IRS has outlined steps for tax preparers to take that will reduce the risk of data breaches impacting clients in Publication 4557, Safeguarding Taxpayer Data (http://bit.ly/2fQs84K). These steps include the following:
Making a plan for safeguarding taxpayer information. This requires an assessment of the risks in the preparer’s offices, including operations, physical environment, computer systems, and employees, if applicable. It also includes safeguard procedures such as locking doors to restrict access to paper or electronic files, using encryption, backing up data, and properly disposing of old files.
Assigning an individual or individuals to be responsible for safeguards
Using only service providers with policies in place to maintain an adequate level of information protection that meets the Federal Trade Commission’s (FTC) safeguards rule (16 CFR Part 314)
Monitoring, evaluating, and adjusting the firm’s plan as needed.
Publication 4557 contains an extensive checklist to ensure that all necessary steps have been taken to safeguard client information; however, breaches may occur despite all safeguards, so it is essential to have a data breach response plan in place as well. This entails the following:
Complying with the instructions in the FTC’s Data Breach Response: A Guide for Business (http://bit.ly/2gd2po2).
Contacting the IRS’s Stakeholder Liaison for the state in which the firm is located; a full list is available at http://bit.ly/2fQnu6w.
Maintaining cyber liability insurance. Do not assume that a basic business policy or even professional liability coverage gives a firm protection against cyber threats. There are cyber liability products unique to accounting firms that provide protection in case of data breaches.
The AICPA also offers a wealth of identity theft resources for practitioners (http://bit.ly/2gEeOli). Some identity theft tools and information, however, are restricted to members of the AICPA’s Tax Section (http://bit.ly/2gcYFCT), including a client identity theft checklist.
The Best Cure Is Preparedness
Tax and financial professionals can advise clients on how to deal with the matter of identity theft, as well as take measures to protect their own vital information in order to protect their customers, clients, employees, and themselves. They should also monitor pending legislation that may aid in the fight against identity theft. For example, the Stolen Identity Refund Fraud Prevention Act of 2016 (H.R. 3832), introduced earlier this year, would require the IRS to create an office to oversee tax-related identity theft and notify taxpayers of any suspected identity theft. The Identity Theft and Tax Fraud Prevention Act of 2016 (S. 676), introduced last year, would go even further in adding critical protections and ensuring expedited tax refunds owed to identity theft victims.
Unfortunately, identity theft is now a fact of life, and victims can suffer severe tax and financial consequences. Measures can be taken, however, to minimize the risk of becoming a victim and advise what to do if victimized. When it comes to tax-related identity theft, there are a number of IRS resources to help, including Fact Sheet 2016-3, IRS Identity Theft Victim Assistance: How it Works, the IRS Identity Theft Protection Specialized Unit at 800-908-4490, and the Taxpayer Guide to Identity Theft (http://bit.ly/2gZO5mF), which contains information and links. Still, the National Taxpayer Advocate Service wants the IRS to do more in the coming filing season with regard to identity theft victim assistance procedures (http://bit.ly/2gZPZ6U).
Sidney Kess, JD, LLM, CPA, is of counsel to Kostelanetz & Fink and a senior consultant to Citrin Cooperman, LLP. He is a member of the NYSSCPA Hall of Fame and was awarded the Society’s Outstanding CPA in Education Award in May 2015. He is also a member of The CPA Journal Editorial Board. James R. Grimaldi, CPA, and James A.J. Revels, CPA, are partners at Citrin Cooperman.