publican lawmakers, led by House Ways and Means Committee Chair Jason Smith (MO), have introduced legislation that would increase penalties for leaks of taxpayer information. Meanwhile, the IRS says it is prioritizing data security and tightening access to sensitive taxpayer information.
The bill, the Taxpayer Data Protection Act (HR 8292), comes in response to IRS contractor Charles Edward Littlejohn’s disclosure of taxpayers’ information — including that of former President Donald Trump and thousands of other wealthy taxpayers — to news organizations Pro Publica and the New York Times beginning in 2019. Despite the volume of information leaked, Littlejohn was charged with a single count of unauthorized disclosure of tax information. He pleaded guilty in October 2023 and was sentenced this January to five years in prison and fined $5,000 — the maximum provided for under current law.
Ways and Means Republicans, however, called the tax code’s penalties for data leaks “inadequate.” And earlier this year, Smith requested details from the IRS on what it was doing to protect taxpayer data in light of the Littlejohn case. Smith called for upping monitoring and tracking efforts and reducing the number of IRS staff and contractors with access to sensitive information.
According to a Ways and Means press release, the bill seeks to “deter future bad actors” by increasing the maximum fine for data leaks from $5,000 to $250,000, and the maximum prison sentence from five years to 10 years under Code Sec. 7213(a). It also calls for treating leaks that impact more than one taxpayer as separate violations for each taxpayer.
“No American should fear that their sensitive tax information might be unlawfully disclosed to another party or made public without their consent,” said Smith. “This legislation takes vital steps to protect the integrity of the American tax system and ensures stark penalties if this happens again.”
The bill comes after civil suits brought by taxpayers who allege their data was disclosed by Littlejohn accused the IRS and Littlejohn’s employer, Booz Allen Hamilton Inc., of negligence and Privacy Act violations. A federal court, however, recently found that insufficient damages allegations were made to sustain the Privacy Act claim in one of the cases.
IRS Commissioner Daniel Werfel said at a Senate Finance Committee hearing last month that protecting taxpayer information from unauthorized access is “solemn” and called strengthening data security a “top priority.” On how the agency intends to achieve this, Werfel said there was a move towards fewer users and tighter email controls. The goal, he added, is to try to “narrow the risk to as small as it can possibly be” by “closing gaps.”
And on May 10, the IRS provided an update to taxpayers whose information was leaked by Littlejohn. The update said the IRS was only able to access the compromised data set in February after the conclusion of the Treasury Inspector General for Tax Administration’s (TIGTA) criminal investigation and the subsequent court proceedings.
Describing the data Littlejohn accessed as “voluminous and complex,” the IRS said it has been working with TIGTA to fully digest exactly what information was obtained. “We are doing this so that we can provide taxpayers with notice of the incident,” as required by Code Sec. 7431, “and so that we can take whatever additional steps are warranted to address taxpayer inquiries, interests, and concerns,” affected taxpayers were told.
That process has been lengthy, the letter continued, and the IRS may send additional correspondence to some taxpayers. It does not yet know the “full scope” of what was unlawfully disclosed, but it does not appear that Littlejohn shared the data with anyone outside of the two news outlets.
The IRS has “not seen any indication” that the confidential information was connected with instances of identify theft or other forms of fraud. Per TIGTA and the Justice Department, the data that was in Littlejohn’s possession was recovered.
According to members of Greenberg Traurig’s tax and litigation teams, the IRS began sending Letters 6613 on April 12 to “thousands of taxpayers.” They recommended that recipients apply for an Identity Protection PIN, review tax transcripts, and monitor credit reports for fraudulent activity. For those considering taking civil action, there is an “open question” as to whether the IRS satisfied the requirement under section 7431 to notify taxpayers of the unlawful disclosures “as soon as practicable” despite a several-year period between Littlejohn’s violations and the IRS’ correspondence.
The IRS’ recent update to recipients of Letters 6613 also delved into IRS security improvements, which include “further restricting user access for the most sensitive taxpayer data sets; more robust protective security controls; more frequent data reviews; improved firewalls; stronger around the clock data monitoring; new security tools; less use of removable media; tighter email controls; new printer controls and improved retention of data access logs.”
A similar bill aimed at deterring taxpayer data disclosures, S 3199, was introduced in the fall by Senator Steve Daines (R-MT), but has not yet gained traction. That bill would mandate that fines imposed for unauthorized information disclosures be between $5,000 and $10,000, and, like the House bill, would increase the maximum prison term to 10 years.
The Ways and Means Committee has scheduled a markup of the House bill for May 15.
Get all the latest tax, accounting, audit, and corporate finance news with Checkpoint Edge. Sign up for a free 7-day trial today.
