Class action lawsuit filed against IRS for data breach

Back in January 2014, it seemed likely that the Internal Revenue Service's "Get Transcript" program would facilitate the depredations of identity thieves against the IRS. 

Sixteen months later, some sophisticated hackers bore out concerned parties' fears when they did in fact hack the IRS's database, forcing the IRS to suspend its "Get Transcript" program.

A class action lawsuit captioned Welborn v. IRS has now been filed against the IRS on behalf of all individuals whose personal information was compromised in the data breach (the latest estimates put their number at approximately 330,000).  There are some notable aspects to the case.

First, that 330,000 figure counts taxpayer accounts, not individuals.  If the tax filing status was Married Filing Jointly, then there are two individuals on the account.  And even for married people who file separate tax returns, a spouse of a taxpayer whose information was compromised in the data breach cannot help but be affected.  Identity theft's damage tends to afflict entire families.  The number of affected individuals, then, can easily number in the millions.

Moreover, as noted in the complaint, "[t]he Government Accountability Office ("GOA") [sic] and the Treasury Inspector General for Tax Administration ("TIGTA") specially issued reports warning the IRS of its lax computer security years before the hack of the 330,000 taxpayer accounts on the IRS’s website. This is not a new threat, but has been known to the IRS for a number of years."  The complaint goes on to note that the taxpayers involved (and indeed, every American taxpayer) had no legal alternative but to file their tax returns, and thereby entrust the IRS with their personal data.  Here, then, the IRS is being confronted with the U.S. government's own public data, which it is ill postured to refute.

Lead plaintiff Wendy Windrich and her husband are both information technology professionals, whose cyber-hygienic practices are more comprehensive than those of the average American.  This makes it very difficult for the IRS to credibly blame Ms. Windrich and her husband for the compromise of their personal information.

For her part, lead plaintiff Becky Welborn filed all of her tax returns in paper mode and never used electronic filing.

While it certainly is too early to prognosticate any particulars as to the outcome of the litigation, there is no reason to anticipate a clean settlement to it.  Nor is Welborn likely to be the last case that seeks to hold the government accountable for its poor data security and stewardship, for between the IRS "Get Transcript" hack and the filing of this lawsuit, the Office of Personnel Management (OPM)'s database was also hacked.  Whatever traction the Welborn lawsuit may attain will surely give cues to the lawyers of both plaintiffs and defendants, who, no doubt, will be stewarding a class action case regarding the OPM breach.

The proposed class of plaintiffs in Welborn specifically excludes IRS employees (including and especially Commissioner Koskinen) and whichever judicial officers may be assigned to hear the case.  Given the extent of the OPM data hack, which, by all estimates, dwarfs the "Get Transcript" data compromise, there may well be some significant issues in finding disinterested jurors to hear the upcoming case against OPM.

Kenneth H. Ryesky is a lawyer and writer currently on hiatus from teaching business law and taxation courses at the City University of New York.  He formerly served as an attorney for the IRS.
