Three years ago, thousands of taxpayers’ private tax data was leaked to investigative outlet ProPublica. Over three years later, the IRS has finally agreed to do the bare minimum when it comes to making amends: apologizing.
Affected taxpayers first became aware that their data had been leaked when it was included in a report released by ProPublica in 2021. At the time, the source of the data remained unknown, even to ProPublica. Of course, none of that stopped ProPublica from using it to continue churning out reports based on the ill-gotten data.
In the meantime, the IRS continued to keep its cards close to the vest. Even as members of Congress continued to ply the IRS Commissioner with requests for details or updates, the IRS remained vague in its answers. A year after the leak became public knowledge, the IRS had still not provided any updates on its search for the culprit. Indeed, the IRS even questioned whether it had suffered a leak at all, despite clear evidence that it had.
All of this gave the impression that the IRS was not engaging in the kind of self-reflection that the gravity of the situation merited. As a result, at the end of 2022, hedge fund manager Kenneth Griffin sued the IRS for its failure to properly safeguard taxpayer data.
While at the time it remained unclear how exactly the leak had happened, Griffin had good reason to suspect that IRS laxity was at fault. Over the preceding decade, the Treasury Inspector General for Tax Administration (TIGTA), the IRS’s official watchdog, had repeatedly warned that the IRS’s data security safeguards were sorely lacking. And repeatedly, the IRS failed to adequately address these concerns.
The monetary damages that Griffin stood to receive were relatively paltry, but Griffin’s real demand was essentially that the IRS take the problem of taxpayer data security more seriously — and specifically that it “formulate, adopt, and implement” more comprehensive data security protocols.
For years, the IRS’s answer to any demand that it improve its operations of any kind has been to claim that it lacks the necessary funding to do so. Well, that’s no longer an excuse after the IRS received $80 billion in additional funding as part of the Inflation Reduction Act. The fact that the IRS has thus far preferred to spend its money on tilting at the “tax gap” windmill and putting together a direct file pilot it was never asked to create is another matter.
Griffin and the IRS eventually settled the lawsuit, and as part of the settlement the IRS released an official apology to all the taxpayers who had their data leaked. While affected taxpayers were surely touched by this belated gesture, they would appreciate even more a greater emphasis by the IRS on ensuring that something like this will not happen in the future.
The IRS is entrusted with a great deal of responsibility by taxpayers. It has access to troves of extremely sensitive and personal information, leaks of which can make victims susceptible to fraud and identity theft. If taxpayers don’t have confidence that the IRS takes this broad responsibility seriously, it is the IRS’s responsibility to make the necessary changes to ensure that they do.