William Olney- AccountantIdentity Theft Tax Paper |

Posted on June 6, 2013 by William Olney in IRS, Tax | Comments Off

The following is a paper that I wrote regarding identity theft and some of the measures that could be taken to prevent it in the income tax world.

Identity theft has become a major problem in recent years as related to income taxes. The IRS has attempted to adapt its system to assist these individuals however currently anyone who has an identity theft problem often has to wait months before the issue is resolved. My suggestion is for the IRS to create a new department in the Services and Enforcement division to handle identity theft.

The IRS currently is not adequately protecting confidential data. (Banoff S. I., 2007, pp. 189-190) A few of the IT controls that could be implemented are encrypting all computers and adding access control software to the computers. With the encryption software only the authorized users would be able to access the returns and all private data on the computer, this is currently partially implemented. My suggestion for improving the system would be to have the entire computer be encrypted so that the users do not need to remember to encrypt data it just all would be as soon as it reached their hard drive.

My second IT related suggestion would be to add access control software to all computers. This would mean that in order to access any of the secure files the IRS user would need to be logged into the IRS server which would on the fly decrypt the files for them. An access control system would limit who is able to see a specific return. For example if a return was in the small business/ self-employed workflow to be reviewed then only revenue agents in that division would be able to open that file. Also once the file had been assigned to a particular revenue agent then no other revenue agents would be able to access the file. This would ensure that two people are not working on the same case and at the same time limit the number of people who have access to the taxpayer’s private data. The access control system would include measures to allow the case to be referred to fraud and also at appropriate time allow the manager and reviewer to access the file.

By creating a new Identity Theft division it would simplify the taxpayer’s communication about identity theft, currently the taxpayer has to go to multiple divisions to have their case handled. (IRS, 2012) This would give the Identity Theft division head enough power to have all identity theft cases referred to them similar to how the Criminal Investigation Division has all fraud cases referred to them. Also by creating one division to handle this type of case it would dramatically increase the worker productivity because they would be specialists in this case type and well versed in appropriate methods of handling them.

Currently the IRS is not using all of the identity theft information that it can. (IRS, 2005) For example the Federal Trade Commission handles complaints of identity theft, using these complaints it creates a database of people who have potentially had their identity stolen. The IRS could use this information to flag returns that could potentially be fraudulent for review. There are also a number of other sources of this type of information which the IRS should use to update the Identity Theft flagging.

Currently the Social Security administration publishes a death list which is a partial cause of identity theft. The Death list is a publicly available list of individuals who have died it includes a Social Security Number, name, date of birth, and date of death. The IRS currently does not use this information to help protect taxpayers. The IRS should be using the death master file to verify that the returns being filed for a diseased individual are correct. One potential use would be to ensure that the diseased individual only filed a final return for the last year of their life. Also the IRS could use this information to verify that returns are not filed in years after in the deceased’s name.

The IRS could use data sources such as the listed above to flag returns for greater scrutiny. However there is plenty that could be done using the data that the IRS has from back returns. It could use matching of major changes in the return such as home address change, job change, move to a different state or additional dependents. Individually these items would be harmless but if an individual moved from New York to California, added 3 dependents, was on the FTC Identity Theft list and was suddenly getting paid an amount that was significantly different from previous that would be very suspicious. The IRS by looking at all of the combined changes could be proactive in flagging returns for Identity Theft review instead of the current system which has the IRS being reactive and waiting for individuals to complain that they were unable to file their return.

However for the IRS to implement new security measures such as I have suggested would be expensive and require some change to how the cases are processed. I believe that at a minimum it would be beneficial for the IRS to have workers specialize in identity theft cases to improve the efficiency. The workers in this new department could be pulled from some of the departments that are currently handling identity theft cases because by moving this caseload to a new department there will most likely be excess employees. The major modification to the case management software would potentially be prohibitively expensive. Alternative would be for the IRS to skip that portion for now and instead focus on finding the identity theft cases. Adding the filters to the system to check for major changes such as address, dependents, and job changes would be minimally complex because the IRS already has similar filters to match w2’s and other forms. By adding the new filters to detect identity theft the IRS would be using their resources in the most effective way.

Preparers are also a potential point of data theft if their systems are not adequately protected. I would suggest that all data on preparers’ computers be encrypted and to implement access control systems. By encrypting all data on and transferred between devices that would eliminate a significant potential point of data leakage. Most of this type of identity theft is perpetrated by an individual from outside the system and a major point that can be exploited to non-encrypted data transfers.

A second potential point of Identity Theft in a firm is that often any tax preparer can view a client’s full information including their SSN, address and other private information. (Chambers & Zeiidan, 2013) My suggestion for limiting the exposure of this information would be to only allow the initial preparers and reviewers to view the return in its entirety. Anyone else would have certain information blocked out such as only showing the last 4 of the SSN and the city portion of the address. Also after the preparer entered the SSN then it should only be shown on-screen as the last 4 so that even if someone had access to the preparer’s computer their information gained would still be limited. Also no one below should be able to view the full customer list even if it only showed the last 4 of the SSN. My suggestion is to hide all information that is unnecessary for the preparer to complete an accurate return.

A final potential data leak point is when you give data to a third-party. You should if over the phone with the customer verify their identity to ensure that it is truly them authorizing the document release. Also you should send the requested documents via a secured transmission be it a secure portal or hand delivered. Also ask the customer if you should hide certain information on the return such as only showing the last 4 of the SSN or city portion of their address. By hiding as much information as possible it would make it more difficult for anyone who got ahold of this document to steal the identity of your client.

For Preparers it would also be expensive to implement an access control type of system and each firm would have to decide for themselves if they wish to implement one. However encrypting all of the data on an individual computer is simple and often free to do, because of this I would recommend for each and every firm to install encryption software such as TrueCrypt on all of the computers that they use, keeping in mind that once the computer is on all of the data can be freely accessed. Masking data in the tax software should not be difficult however each company will need to speak with their software provider to see how expensive this option would be.

Now another potential issue for tax preparers is that an individual who purchased or stole a SSN could use you to prepare the fraudulent return. To prevent this from happening you should always see there SS card and at least 2 forms of ID one of which would have a photo on it. By thoroughly identifying all of your customers you at least will be able to state that all of the individuals documents were in order and that they appeared to be who they said they were. I believe that it would be cost-effective for firms to verify the identity of customers because it will help them to avoid any legal issues that could arise from creating a falsified return. Potentially if the firm had enough issues with fraudulent returns they could get a system to verify identities such as many bars and liquor stores have by checking the DMV license registry. By using an existing technology like that it would limit the cost to the firm while ensuring that they are effectively verifying the customer identities.

Individuals also play a key role in protecting their identity from theft. They should avoid giving out their SSN unless it is absolutely necessary, monitor credit reports and keep all private information secured. For the most part all the individual needs to do is follow reasonable precautions with their personal data they just need to avoid circulating it unless absolutely necessary. Another potential measure that the taxpayer could implement to help protect them self would be to monitor their credit reports for suspicious activity.

The IRS needs to implement better procedures for handling Identity Theft cases. I recommend creating a separate department and using the data that is publicly available to organizations such as the FTC list and SSA death list. By incorporating this additional data to the information on past returns the IRS would be able to more effectively identify and resolve identity theft cases. Both the IRS and tax preparers need to improve their IT controls with secure encryption and access control type systems to ensure that only people who need to see the return can. The individual just needs to perform basic data security measures by not providing private information unless it is truly necessary.