IRS officials' defense that hack into taxpayer records wasn't a data breach raises questions about extent of liability for such attacks
Is data security on the verge of becoming a whole lot tougher for companies?
It seems likely based on some of the points that became clear after the revelation in late May that identity thieves gained access to more than 100,000 US taxpayer accounts at the Internal Revenue Service (IRS) between February and May through the use of personal data acquired elsewhere.
Notably, an IRS commissioner told reporters for the Wall Street Journal that rather than a data breach this was a scheme perpetrated by organized crime in which criminals may have used ‘sophisticated programs to aggregate and mine data’ to pretend to be the people whose IRS accounts they broke into. By exploiting an IRS application called ‘Get Transcript’ that lets taxpayers access prior-year returns, the perpetrators were able to create fake returns for 2014 and then request that tax refunds be sent to hard-to-trace debit cards, as reported by the Wall Street Journal.
John Isaza, a partner at Rimon and head of its information governance and records management practice, agrees that the unlawful access to taxpayers’ prior-year tax returns shouldn’t be considered a data breach per se. ‘It’s more an issue of taking the hacking to the next level,’ he says. ‘They’ve been collecting all this data by hacking and now that they’ve collected it, they’re in the new frontier: mining for assets from vulnerable sites.’
Data breaches have practically become the norm and are, to some degree, expected, but now organizations need to start thoroughly assessing their areas of vulnerability to organized schemes that are targeting their assets, Isaza says. There are several steps companies and other organizations need to take to prepare for and respond effectively to these new threats:
• Activate a response team that includes staff from the legal, IT, security, records management, HR, marketing, finance and any other relevant departments to examine the incident, looking at it not strictly from a hacking point of view but rather to assess their vulnerabilities
• Launch an investigation as to how, why, when and where exactly the incident occurred
• Assess the scope of the exposure by having the IT team or outside forensics experts determine how widespread the problem is, where the areas of vulnerability lie and what immediate measures need to be taken to mitigate further and future damage.
The last point should include an investigation into the nature of the attackers, as if this were a war, Isaza says. Then a company needs to take note of lessons learned so it can improve the protections it has in place and implement changes. Those changes will likely entail additional technology, new hires, possible changes in leadership within certain departments and enterprise-wide change management once all your vulnerabilities have been assessed, he adds.
Because none of the IRS’ core accounts, such as its filing system, were penetrated, the agency said what happened wasn't technically a data breach but instead ‘represented a successful exploitation of an IRS application’, as reported by the Wall Street Journal. Isaza says he has not yet been able to look into whether there’s a legal distinction between these characterizations that might have implications for the extent of liability that an organization has in such a case.
‘But I would argue it is a breach even if an application was compromised,’ he adds. ‘There are legal implications because if you don’t consider it a breach then technically you wouldn’t be subject to the disclosure requirements, penalties and sanctions that can be associated with it. The courts may wind up having to argue this or there may be some Federal Trade Commission opinions on whether or not this is considered a breach, but I would think that it is a breach even if they’re just targeting one application.’
Given that the perpetrators of the IRS scheme may have discovered some personal information through social media, Isaza also sees a need to dramatically ramp up the level of security questions consumers are asked to access their accounts by various organizations. ‘All it takes these days is your date of birth, your address and your name, and that’s it,’ he points out. ‘You can get to any information with that. If you look in social media you can easily find out the names of people’s pets and their mothers’ maiden names’ and other types of information that are commonly used in security questions.