Last month, the IRS reported that the Electronic Tax Administration Advisory Committee (ETAAC) had submitted its annual report to Congress. The focus of that 60-page document is a list of ten recommendations designed to thwart the efforts of criminals perpetrating identity theft and tax refund fraud (IDTTRF).
Now, some skeptical readers might ask, “Why should I care about recommendations from a committee I’ve never heard of?” Since our hypothetical, skeptical friend probably won’t accept “because data security” as an answer, we’ll answer two related questions.
What is ETAAC?
ETAAC was created by the IRS Restructuring and Reform Act of 1998 to “research, analyze, and consider and make recommendations on the IRS’s progress toward achieving its 80% e-file goal” (1). While e-filing doesn’t seem to have much to do with data security, the executive summary noted that ETAAC’s mission broadened “to include an evaluation of the Security Summit initiative and the prevention of IDTTRF” (iv).
As a partnership between the private tax industry and state and federal taxing authorities, the Security Summit develops data-security strategies and educational outreach campaigns. Since ETAAC provides oversight of the Security Summit and develops recommendations for preventing IDTTRF, it’s one of the leading authorities on protecting PII (51-52).
What are the ETAAC recommendations?
Before jumping into the recommendations, we should think about why this agency—and the tax industry as a whole—is so concerned with IDTTRF. The report defined identity theft as a threat to “our voluntary compliance tax system at both the federal and state levels” precisely because it gives criminals the information needed to slip fraudulent returns past IRS filters.
Still not convinced that IDTTRF is a big problem? Here’s a quote from the section titled “Our electronic infrastructure is under attack…stolen information fuels IDTTRF” citing just how much money is being siphoned from the Treasury:
The Federal Bureau of Investigation (FBI) reports that it received over 1.4 million cybercrime complaints totaling over $5 billion between 2013 and 2017. A significant portion of these thefts originate through compromises of something as common as business email.
With that out of the way, here are the ten ETAAC recommendations to Congress. While the report has both a short and long version, we’re just going to quote the summary:
I: STRENGTHEN THE SECURITY SUMMIT: ENABLE & EXPAND
RECOMMENDATION #1: Fund the ISAC
Congress should appropriate funds for the IRS’s requested budget program increases for IDTTRF prevention including approximately $7 million to enable contractor support for the ISAC.
RECOMMENDATION #2: Enact an IDTTRF exception to IRC Section 6103
Congress and the Department of the Treasury should make targeted legislative and regulatory changes, respectively, to permit appropriate uses and disclosures by the IRS under Internal Revenue Code Section 6103 for IDTTRF detection and prevention purposes.
RECOMMENDATION #3: Increase the engagement of ISAC members
The IRS and ISAC should increase the engagement of ISAC members by (i) using the ISAC Strategic Plan’s Engagement Model to illustrate and encourage higher levels of participation, and (ii) leveraging state and industry endorsing organizations to provide guidance and support to improve performance quality.
RECOMMENDATION #4: Integrate the Payroll Community more fully into the Security Summit
The IRS should, in collaboration with Security Summit members, conduct a prompt review of the Payroll Community and develop a plan for the Community’s full integration into the Security Summit and ISAC on an accelerated basis.
RECOMMENDATION #5: Pilot a Financial Services Company (FSC) Collaboration Space in the ISAC
The IRS should pilot a dedicated Financial Services Company (FSC) Collaboration Space in the ISAC to facilitate FSC information sharing in order to leverage their unique insights in identifying and preventing IDTTRF.
II: IMPROVE SECURITY IN KEY AREAS OF OUR TAX SYSTEM
RECOMMENDATION #6: Assess the state of information security practices in the tax professional community
In collaboration with the Security Summit, the IRS should develop and execute a plan for ongoing research on the state of information security practices and vulnerabilities in the tax professional community.
RECOMMENDATION #7: Grant the IRS the authority to establish and enforce security standards
Congress should grant IRS clear legal authority to develop, implement and enforce appropriate information security standards and practices in the area of tax administration, which would include establishing administrative, technical, and physical safeguards, implementing required education and training, and providing ongoing guidance.
III: PROTECT & ENABLE TAXPAYERS
RECOMMENDATION #8: Develop and expand channels for identity proofing
The IRS should (i) continue its current efforts to implement digital identity proofing protocols compliant with NIST Special Publication 800-63-3 Digital Identity Guidelines, and (ii) identify and develop opportunities to expand the availability of identity proofing mechanisms in other channels including the implementation of an IRS trusted third party identity verification program.
RECOMMENDATION #9: Collaborate with Security Summit members to identify and pilot emerging approaches for identity verification
The IRS should engage regularly with subject matter experts from Security Summit members to identify and potentially pilot emerging technologies or approaches to verify identities across all channels.
RECOMMENDATION #10: Engage with the Security Summit to improve the Taxpayer Protection Program’s taxpayer experience
The IRS should collaborate with Security Summit and ISAC members to identify actions to increase the number of legitimate taxpayers timely responding to Taxpayer Protection Program communications.
Want to read the report? Check out the links below.
Sources: IR-2019-117; Electronic Tax Administration Advisory Committee Annual Report to Congress