IRS Admits Data Breach Worse Than Thought, Will Congress Do Wrong Thing Anyway?

This week, the IRS has admitted that thieves accessed the personal information -- enough to allow them to take your tax refund -- of an additional 220,000 taxpayers, on top of the 114,000 reported in May. Meanwhile, we remain  concerned that Congress will use continued publicity about the Target breach and other breaches as an excuse to pass dangerous data security legislation. Dangerous? Yes, because it would only protect against limited financial identity theft harms, but eliminate stronger state protections against the harms posed by the IRS breach, the health insurance breaches and the OPM breach.

This week, the IRS admitted (WashPost story) that thieves accessed the personal information — enough to allow them to take your tax refund — of an additional 220,000 taxpayers, on top of the 114,000 first reported in May. Also this week, papers are reporting that Target has agreed to spend $67 million to settle Visa and bank claims over its well-publicized 2013 breach.

Breaches are everywhere. Yet, the more we hear about breaches, the more we remain concerned that powerful special interests will take advantage of the clamor to convince Congress to pass dangerous data security legislation. Dangerous? Yes, because the bills with the most traction would only barely protect against some, limited financial identity theft harms, and then only some of the time, but would eliminate stronger state data security and privacy protections against both identity theft and the more significant harms posed by the IRS breach, the health insurance breaches and the OPM breach.

As we explained in June about the OPM breach, which involved millions of security clearance records, the harms consumers face in data breaches are potentially much worse than fraud on your existing accounts or even new account fraud (financial identity theft). The OPM breach exposed information that could lead to a variety of reputational or emotional or even physical (stalking) harms, since the information breached included information about you, your spouse or partner and even your references (friends and co-workers) and possibly contained information about drug treatment or extra-marital affairs or arrest records (whether or not charged or convicted).

In her comments on a recent enforcement action against data brokers selling consumer files to wrongdoers, Federal Trade Commission Bureau of Consumer Protection director Jessica Rich told the New York Times:

“There is a debate about whether invasions of privacy harm consumers,” Jessica Rich, the director of the the agency’s Bureau of Consumer Protection, said in a phone interview. “This is a clear-cut example where the sale of sensitive data caused considerable harm to consumers.”

We agree with Jessica Rich. Privacy harms are real. As we said in June: Instead of narrowing the scope of consumer harms that are actionable in privacy breaches, as nearly very breach notice proposal before Congress would, any legislation, if it is passed nationally, must recognize the broader panoply of harms that federal employees, their friends, partners and co-workers, taxpayers and health insurance customers are already facing. If Congress can’t do something that actually benefits the public, it should do nothing.

Our recent data breach testimony to Congress is here. Our group letter opposing weak federal data breach and data security proposals that also override stronger state laws is here. Our recent blog offering tips to victims of any breach — including information on your best protection against financial identity theft, the security freeze — is here.

In July, after a medical data breach, Indiana attorney general Greg Zoeller urged all “Hoosiers” to place a security freeze. In Indiana, a security freeze is free by law for anyone at any time; in many states, it is only free for identity theft (not breach) victims. If Congress really wanted to get ahead of the curve and protect consumers, it too would pass a law providing free security freezes at any time, nationwide. We have more explanation of the security freeze here. It’s your best protection, unlike over-rated, under-performing credit monitoring.

Topics
Authors

Ed Mierzwinski

Senior Director, Federal Consumer Program, PIRG

Ed oversees U.S. PIRG’s federal consumer program, helping to lead national efforts to improve consumer credit reporting laws, identity theft protections, product safety regulations and more. Ed is co-founder and continuing leader of the coalition, Americans For Financial Reform, which fought for the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010, including as its centerpiece the Consumer Financial Protection Bureau. He was awarded the Consumer Federation of America's Esther Peterson Consumer Service Award in 2006, Privacy International's Brandeis Award in 2003, and numerous annual "Top Lobbyist" awards from The Hill and other outlets. Ed lives in Virginia, and on weekends he enjoys biking with friends on the many local bicycle trails.

Find Out More