On August 20, 2015, affected taxpayers filed a class action lawsuit in the United States District Court for the District of Columbia against the Internal Revenue Service (the “IRS”) for failing to secure the personal information of more than 300,000 taxpayers from hackers, even though the IRS allegedly knew its data systems were insecure.

In January 2014, the IRS launched its “Get Transcript” online service—which allowed taxpayers to access the IRS’s system to order copies of their tax returns—but shut it down in May 2015 after discovering that cyber criminals had used the service to steal taxpayer forms. While the IRS initially estimated in May 2015 that about 100,000 taxpayer forms were stolen, the IRS recently revised that estimate, and the number of affected individuals is now three times higher than previously thought. The lawsuit alleges that the number of those affected is even greater than 300,000 because hackers also received information about spouses and dependents contained in the stolen transcripts.

According to the complaint, the “Get Transcript” service was insecure because taxpayers accessed it through knowledge-based authentication that relied on static identifiers, and hackers could determine those identifiers through online searching or by buying them in the cyber crime underground market.

Plaintiffs allege that the IRS failed to establish safeguards or to ensure the confidentiality of taxpayers’ records against known and anticipated threats. Plaintiffs further allege that the IRS chose not to implement stronger security measures despite having knowledge from reports that its systems lacked adequate security and that cyber criminals had previously hacked the IRS’s systems and were motivated to hack again. For example, plaintiffs allege that prior to the hack, the Treasury Inspector General for Tax Administration, a government oversight agency, and the Government Accountability Office assessed the IRS’s cybersecurity and identified weaknesses, and that the IRS failed to address those weaknesses. The lawsuit does not specify the amount of damages.

The complaint further alleges that the IRS should have known that its systems would be a target for cyber attacks because of the large-scale data breaches of the past year against various corporations and the U.S. Office of Personnel Management. It is unclear, however, how much weight, if any, a court would ultimately give to the IRS’s potential awareness of breaches in other industries if the suit were to reach the merits.

This lawsuit is a cautionary tale for businesses that are aware of a security weakness in their systems but fail to take any corrective action. Businesses should be aware that potential plaintiffs could seek to hold them liable for failing to take steps after a data breach to address the underlying security weaknesses or to better protect their systems before the next attack.

Reporter, Julie A. Stockton, Palo Alto, CA, +1 650 422 6818, jstockton@kslaw.com.