Q. Media reports that the IRS was the victim of a data breach. Now the number of victims has increased to 334,000. How do we protect our personal data when it is required that it be reported to employer and government agencies?
A. This week the IRS updated information on its recent data breach where identity thieves used a tool on it's website to obtain prior-year tax return information. The number increased by 220,000 for the total of 334,000 possible victims. Be aware, not only the IRS, but all companies keep some amount of sensitive information in their files either to identify customers or employees.
A data breach is the intentional or unintentional release or theft of secure information. It can be the improper disposal of personally identifiable information in the trash or a sophisticated cyber-attack on corporate computers by criminals. It can affect companies large or small.
The one common link in a data breach is the victim, the person whose identity, financial or personal information has been compromised. Be advised, not every data breach results in identity theft, and not every identity theft is tax-related identity theft.
The Internal Revenue Service says tax-related identity theft is when someone uses your Social Security number to file a false tax return claiming a fraudulent refund. Your tax account is most at risk if the data breach involves both your SSN and financial data, such as wages. Data breaches involving just credit card numbers, health records without SSNs or even driver's license numbers, while certainly serious, will not affect your tax account.
The Internal Revenue Service is committed to working with taxpayers to ensure that all tax accounts remain secure. The IRS stops the vast majority of fraudulent tax returns. If fraud is suspected, the IRS will contact you via mail with instructions. Or, you may attempt to file electronically and your return is rejected as a duplicate.
If you are a data breach victim, take these steps:
1. If possible, determine what type of Personally Identifiable Information (PII) has been lost or stolen. It is important to know what kind of information has been stolen so you can take the appropriate steps. For example, a stolen credit card number will not affect your IRS tax account.
2. Stay informed about the steps being taken by the company that lost your data. Some may offer special services, such as credit monitoring services, to assist victims.
3. Follow the Federal Trade Commission recommended steps, including:
* Notify one of the three major credit bureaus to place a free fraud alert on your credit file;
* Consider a credit freeze, which, for a fee in some states, will prevent access to your credit records;
* Close any accounts opened without your permission;
* Visit www.identitytheft.gov for additional guidance.
2. If you receive IRS correspondence indicating you may be a victim of tax-related identity theft or your e-file tax return was rejected as a duplicate, take these additional steps with the IRS:
* Submit an IRS Form 14039, Identity Theft Affidavit
* Continue to file your tax return, even if you must do so by paper, and attach the Form 14039
* Watch for any follow-up correspondence from the IRS and respond quickly.
The IRS data breach reminds us that no one is completely immune to hackers. While there is no guarantee that a business will not become subject to a data breach, businesses can do several things to minimize the risk. Beyond customer and staff expectations to keep sensitive data from falling into the wrong hands, businesses have legal requirements as well. Better Business Bureau reminds businesses to put procedures in place to safeguard their customers' privacy.
For all businesses that collect customer information:
* Make sure you protect your customers' data. If a data breach can happen to a major corporation with significant data security measures in place, it can happen to any business.
* Check out BBB's updated online guide; www.bbb.org Data Security Made Simpler for free information on how to create a data security plan.
For consumers, BBB offers the following suggestions if you individually are concerned that Personal Identifiable Information (PII) has been stolen:
1. Do not take a "wait and see" approach as you may have done with breaches involving credit card data. You should act quickly. Breaches involving Social Security numbers have the potential to be far more detrimental to victims, and the damage can be difficult to repair.
2. Consider taking a pre-emptive strike by freezing your credit reports. This will not impact existing credit cards and financial accounts, but will create a roadblock for thieves seeking to create fraudulent accounts using your personal information.
3. At a minimum, if you know your Social Security number has been compromised, place a fraud alert on your credit reports. While less effective than a freeze, this will provide an extra layer of protection.
4. If you are notified by the IRS, take advantage of the free credit monitoring services being offered to breach victims. While this is not a preventative measure, this will alert you to new accounts or inquiries using your Social Security number so that you can act quickly to repair the damage.
5. Vigilance is key. Regularly check your credit reports at annualcreditreport.com for unauthorized charges or other signs of fraud. (NOTE: This is the only free credit report option authorized by the Federal Trade Commission.)
6. For more information and complete step-by-step guidance on repairing the damage caused by identity theft, visit the FTC's identity theft resources.
7. Expect that scammers will take advantage of this data breach to send out phishing emails and other messages that appear to be from the Internal Revenue Service, a credit bureau or other legitimate companies. Do not click on links from any email, text or social media messages about this or any other data breach.
Jim Winsett is president of the Better Business Bureau in Chattanooga.