This article was originally published on June 7 2019 by The Lawyer’s Daily (www.thelawyersdaily.ca), part of LexisNexis Canada Inc.

Identity theft was an issue long before the Social Insurance Number (SIN) existed, but it keeps evolving. It is common today because high-tech hackers work around  the  clock  to find new ways to access our personally identifiable information. This makes taxpayer data some of the most sought-after information for cybercriminals.

So what are the Internal Revenue Service (IRS) and the Canada  Revenue Agency (CRA) doing to protect our sensitive information from being used to file a fraudulent tax return? A comparison between the  two agencies shows a big gap when it comes to planning and strategizing ways to protect taxpayers from tax-related identity theft.

With a population as large as that of the United States, there are hundreds of millions of opportunities to steal a person’s identity. In   fact, this has been a major concern of the IRS for some time. In 2015,   in response to the surge in identity theft that came along with taxpayers’ increased use of online technologies, the IRS formed the Security Summit.

The IRS Security Summit is a public-private partnership made up of representatives from the IRS, state tax agencies, the larger tax community (i.e., tax-preparation firms, software developers, payroll and tax financial product processors, and tax professional organizations) and financial institutions. They work together to protect U.S. taxpayers from identity theft refund fraud. In 2017, the summit also established the Identity Theft Tax Refund Fraud Information Sharing and Analysis Center (IDTTRF-ISAC) to facilitate information exchange, provide a real-time forum for discussion and promote the use of data analysis, all with a view to detecting and preventing tax- related fraud.

This ambitious initiative has proven to be very successful. IRS statistics for 2015 to 2018 show that during this time frame:

  • taxpayer reporting of identity theft fell by 71 per cent;
  • confirmed identity theft returns intercepted by the IRS declined by 54 per cent;
  • US$24 billion in fraudulent refunds were protected by the IRS stopping confirmed identity theft returns;
  • an additional US$1.4 billion in fraudulent refunds was recovered by financial industry partners.

In contrast to the formal programs and awareness campaigns of the IRS, the CRA  seems to be in    the dark. Its so-called “strategy” to prevent tax-related identity theft puts the onus on Canadian taxpayers to be vigilant around such things as telephone scams and phishing expeditions. And its “awareness campaign” appears to be limited to four posters reminding  taxpayers  that  we  can protect ourselves; tax agencies and tax preparers are  encouraged  to  put  these  posters  on  their office walls! There is no Canadian equivalent to the Security Summit and nothing like IDTTRF- ISAC. The Office of the Canadian Privacy Commissioner (OPC) is working to address data breaches that lead to identity theft by provisioning a mandatory requirement that organizations give proper notice to affected individuals and to the OPC when a data breach occurs. And that’s pretty well it.

But it seems the IRS has always outpaced the CRA in matters of data security. In 2014, some 900 SINs were stolen from the CRA due to the Heartbleed Internet bug, which was a serious  vulnerability in an encryption software intended to secure web communications. The IRS was not impacted at all. Meanwhile, the CRA had shut down online services to prevent incidents such as    the theft of SINs from happening. Yet the theft still occurred, while IRS online services continued unscathed for the duration of the notorious cyberthreat.

It’s high time that the CRA get in step with its American cousin.

According to an IRS press release issued on April 8, IRS commissioner Charles Rettig was happy to celebrate the wins of the summit, but was also quick to caution about sophisticated criminals. “Identity thieves are often members of sophisticated criminal syndicates, based here and abroad,” he said. “They have the resources, the technology and the skills to carry on this fight. The IRS and the Summit partners must continue to work together to protect taxpayers as cyberthieves continue to evolve and adjust their tactics.”

Tax lawyers and tax accountants should be aware that part of this ongoing cybercriminal evolution involves targeting tax professionals and their clients’ personal data. This remains a major issue for the IRS, as the agency has no control over third-party data security. If you are a tax professional and believe you have experienced a theft of your U.S. taxpayer client data, contact the IRS stakeholder liaison for assistance.

And what if you are a tax professional in Canada with concerns about data breaches on this side   of the border? Well, I know I’m suddenly longing for the days when data security came in the  form of a paper shredder.