WASHINGTON – Chairman Ron Johnson (R-Wis.) and the Senate Homeland Security and Governmental Affairs Committee (HSGAC) held a hearing Tuesday on the recent Internal Revenue Service (IRS) data breach that affected 100,000 American taxpayers, compromising their private information and raising serious concerns about the confidentiality of information supposedly being protected by federal agencies.
Michael Kasper, a victim of the data breach, told committee members that after he discovered the fraud associated with his tax return in February and reported it to the IRS, the agency repeatedly denied him assistance, citing privacy rules. “At every step of the case when I tried to get more information, they would say privacy rules prevented them from doing that, when the person they were protecting had already taken advantage of my privacy,” Kasper said.
Other witnesses at Tuesday’s hearing, titled, “The IRS Breach: Steps to Protect Americans’ Personal Information,” were Dr. Kevin Fu, an associate professor of computer science at the University of Michigan, Jeffrey Greene, director of government affairs in North America for the cybersecurity firm Symantec Corp., IRS Commissioner John Koskinen, and Terence Milholland, IRS chief technology officer.
Johnson brought up Mr. Kasper’s situation to IRS Commissioner Koskinen, asking him about his awareness and responsiveness during the breach of security in IRS’ Get Transcript program. “You were aware of that personally as well as the IRS was?” Johnson asked Koskinen.
“Yes, we were,” Koskinen answered.
“You were aware at the end of March, but you decided not to make any changes at that point in time?” Johnson asked.
“We made some changes,” Koskinen responded, “but we did not change the fundamental security aspect of Get Transcript. Our plan was to take a look at that and roll it out toward the middle of the end of June.” Get Transcript allows taxpayers to electronically access their previous year’s tax return in a matter of minutes.
Reiterating some of Mr. Kasper’s frustrations that the IRS said it would take about six months to get him any information on the fraud committed against him, Johnson asked Koskinen, “Can you talk about why it would take six months? What are those privacy laws you are dealing with that you couldn’t communicate with the taxpayer whose identity has been stolen through an IRS system?”
Koskinen said the IRS code says “we cannot reveal to anyone any taxpayer information. We can’t share it with other government agencies unless there’s a statutory exception that allows us to do that. So the challenge we had when fraudulent returns were filed . . . was a concern that if we issued a copy even of a fraudulent return, it could have other taxpayer information that could have been stolen in that return, and, technically, it’s a criminal violation for us to reveal that. I don’t know why it took anybody six months. It should never take you six months to get through the system.”
Johnson noted that the case of a Wisconsin couple, also fraud victims, who could not get prompt help from the IRS due to misplaced privacy concerns had prompted him to introduce legislation addressing the problem. “I’ve introduced a piece of legislation called the Social Security Identity Defense Act of 2015 to allow you to provide that information of identity theft. Is that a piece of legislation you’ll support?” Johnson asked Koskinen and Milholland. “That would be helpful,” Koskinen replied. A copy of the bill can be found here.
Chairman Johnson’s full written opening statement can be found here.
The full hearing can be viewed here.