In response to a report from the U.S. Treasury Inspector General for Tax Administration (Processes Are Not Sufficient to Assist Victims of Employment-Related Identity Theft, Reference Number: 2016-40-065) the IRS announced that it will begin a program to notify individuals whose social security numbers have been used in employment-related identity theft uncovered by the agency beginning January 1, 2017.

The TIGTA report looked at the state of matters related to employment related identity theft—that is, when a person uses the identity of another person to obtain employment.  Given that employers today are supposed to “verify” the social security number of potential employees vs. government data bases or face penalties if it is found to have hired individuals not authorized to work in the United States, it’s not surprising there is an active market in obtaining such “verifiable” identities.

While the report cites the various impacts that employment related identity theft can have on those impacted, the report doesn’t link the harm to the lack of notification. For instance, it points out that those impacted might get a CP2000 notice—but, in that case, the individual clear was notified of the matter.  The harm in that case is not the lack of notification but the IRS’s inability to identify the problem prior to issuing a CP2000 notice.

Similarly, the failure to update the social security database is an issue—but the report didn’t tell us what percentage of those not notified later received a bill to repay social security benefits, since the major negative impact would be on those receiving benefits prior to their normal retirement age.  For everyone else, the only potential impact would be to increase their benefits above what they should have been—a problem for the federal treasury but not one many victims are likely to worry about.

Nevertheless, it’s never good to have your information used by a third party in an unauthorized fashion even if that use doesn’t result in a negative result—that data could be “recycled” later and used for more damaging identity theft since it seems reasonable to assume these individuals are receiving this information via various third parties who have a database of personal information which may be sold to the highest bidder.  So the lack of notice is troubling even if the report seems to focus on the less serious (but more headline ready) harms.

The real problem will occur when the IRS discovers a return where the identification number on the return does not agree with the social security number and name found on the information returns associated with the return (such as the W-2s).  In that case the IRS has been flagging the account of the person whose social security number was used to avoid a CP2000 notice and to put an identity theft warning on the account. 

The TIGTA report explains this as follows:

Our review identified that, during the period February 2011 to December 2015, the IRS identified almost 1.1 million taxpayers who were victims of employment-related identity theft. The IRS identifies these victims when it processes electronically filed (e-filed) tax returns in which the Individual Taxpayer Identification Number (ITIN)5 used to file the tax return does not match the SSN listed on third-party income documents associated with the tax return, such as a Form W-2.

The TIGTA had previously looked at this matter in 2011 and the IRS had indicated they were going to take steps to notify taxpayers whose accounts were affected—however, as this report found, that never happened aside from a small trial program the IRS started and then later shut down.

The IRS has now announced a hard and fast deadline for notifying the victims that will take place beginning January 1, 2017.  Presumably the IRS will likely use a notification similar to the one they used in the 2014 test program, the text of which is provided below:

Letter 4491-C, Notice of Employment-Related Identity Theft

WHY WE ARE SENDING YOU THIS LETTER

We believe your social security number (SSN) was used by another person to obtain employment. The use of your SSN in this instance hasn't affected your tax return or tax account. However, we marked your tax account to indicate that you are a victim of identity theft. This will help us to serve you more effectively and efficiently in the event you should have an identity theft-related tax issue.

Federal law prevents us from providing specific details regarding the identity of the individual who used your SSN for employment purposes. Our purpose in sending this letter is to make you aware of this incident so you can take the appropriate steps to protect yourself from any potential effects of identity theft.

WHAT YOU SHOULD DO

Again, there is no impact to your tax return or tax account because of this incident. However, you should review your earnings with the Social Security Administration to ensure their records are correct. You may review earnings posted to your record on your Social Security Statement. The Statement is available online to workers age 18 and older. To get your Statement, go to www.socialsecurity.gov/mystatement and create an account.

You should also monitor your credit reports and any financial accounts for further signs of misuse of your personal information. As a precaution, you may want to contact one of the three major credit bureaus to have a fraud alert placed on your account. You only need to contact one of the credit bureaus, as the one you contact is required to contact the other two.

CPAs will need to counsel clients who receive such a letter about the implications of the letter.  First, the taxpayer should take the steps outlined in the letter to notify credit bureaus and confirm their earnings with social security. 

Second, the adviser should explain that the real threat at this point most likely is not the party that used the identity, but rather the party form whom that data was obtained.  That is, it is very likely that far more than the person’s name and social security number is available for sale to the highest bidder—and the party that bought the identity for employment purposes was almost certainly not given those details since they can be resold by that party to others for more money.

An unfortunate fact of life today is that significant information (including social security numbers, addresses, employers, etc.) is available for sale—thus it is probably prudent for all individuals to assume their data is available for sale and they could be targeted.