Congress recently gave the IRS failing grades for not adequately preventing, identifying and processing identity theft cases involving tax returns. One member of Congress called tax identity theft "an epidemic that is profoundly unacceptable." Another joked that if bank robber Willie Sutton were alive today, he'd target the IRS.

In the past couple of years, the IRS has announced that it is cracking down on the problem. Yet the number of tax identity theft cases rose to 1.9 million through June 29, 2013, up from 1 million in 2011, according to the Treasury Inspector General for Tax Administration.

The Business Side:
Complying with ID Theft Laws

Identity thieves don't just steal from the government. Businesses lose billions to these fraud schemes every year. A company can be legally obligated to identify, mitigate and prevent identity theft under federal and state identity theft laws. Failure to comply with these laws could make a business civilly liable for damages suffered by its customers.

Who is a Creditor?

The federal "Red Flags Rule," administered by the Federal Trade Commission (FTC), applies to banks and other businesses involved in extending credit. A "creditor" is any individual or organization that obtains and uses credit reports, furnishes information to consumer reporting agencies, and advances funds to consumers based on an obligation to repay them, according to the latest rendition of the FTC rule effective February 2013.

The law covers any credit account for personal, family or household purposes that permits multiple payments or transactions. It also covers any account for which there is a "reasonably foreseeable" risk of identity theft, including commercial accounts. Examples of businesses that might be required to comply with the Red Flags Rule include retailers and leasing companies.

How to Comply

If the FTC rule applies to your business, implement a written program with four features:

1. Identification. Customize a list of red flags specific to your business. The FTC lists 26 possible red flags, including unusual account activity, fraud alerts or credit freezes on consumer reports, and inconsistent personal information compared to credit reports or what your company has on file.

2. Detection. Implement procedures to detect these red flags. A large company with millions of customers or one that handles high dollar transactions may need a more robust program than a small firm.

3. Response. After you red flag an account, respond promptly and effectively to mitigate and prevent identity theft. For example, if you receive a Notice of Address Discrepancy from a credit reporting agency, immediately request additional documentation to confirm the customer's address or refuse to extend credit.

4. Revision. Your written program should not be static. Revise it periodically for the latest identity theft scams and detection methods.

In addition to the federal rule, many states have their own identity theft and privacy laws. If your business extends credit to out-of-state customers, check with your attorney to determine whether you must legally comply with the laws in the customers' states.

How Can Businesses Combat Identity Theft?

Here are some tips for minimizing the risks of leaking sensitive personal information:

Limit usage. Only obtain private information when it's absolutely necessary and never use it as part of your account numbers. This applies to Social Security numbers, birth dates and credit card numbers.

Protect paper records. Store personal information about customers and employees in locked file cabinets and limit the number of employees who have access to the records.

Be aware that many ID theft schemes are operated by employees who have access to personal information and sell it -- or work with criminals outside the organization for a cut of the proceeds.

Secure technology. Use passwords, firewalls, antivirus software, spyware protection and encryption to protect sensitive data from hackers. Install updates as soon as they're available to fix potential security risks.

Purge old information. Set policies for how long to retain customer data. Cross-cut shred old paper files and render old computer hard drives unreadable by disk shredding, magnetically cleaning disks or using software to wipe them clean.

For years, identity theft has been the FTC's top complaint. Regardless of whether the Red Flags Rule or state identity theft laws apply to you, it's smart business for every company to protect itself and its customers from identity fraud.

Typical Tax Scams

IRS Principal Deputy Commissioner Michael R. McKenney testified before Congress that tax identity theft cost $4.2 billion during the 2013 tax season.

Identity thieves typically use two tax fraud scams:

Refund fraud. The thief files a fraudulent tax return, reporting fictitious wages and withholdings, usually early in the year before companies are required to issue 1099s and W-2s. The thief pockets the refund, which is typically issued electronically or with a debit card to avoid the hassle and suspicion of depositing a paper refund check at the bank. When the real taxpayer files a legitimate tax return later in the tax season, the IRS rejects the duplicate filing under his or her Social Security number.

Employment-related fraud. The thief gets a job using stolen personal data and collects earnings without withholding all requisite income taxes. When the company files a 1099 or W-2 under the stolen Social Security number, the taxpayer gets a bill for unreported earnings tied to his or her Social Security number.

Resolving a tax identity fraud claim can take a year or longer. National Taxpayer Advocate Nina Olson testified that the beefed-up ID theft efforts taken by the IRS have done little to assist fraud victims. Olson saw a 66 percent increase in identity theft cases from 2012 to 2013. She expects the trend to continue into the 2014 tax season.

IRS Prevention and Detection Efforts

McKenney defended his agency's identity theft strategy before Congress. He testified that the IRS is currently conducting 1,100 criminal investigations that that led to 785 indictments through June. But he estimates that it would cost roughly $22 million to screen all the suspicious tax returns identified by an IRS protection program -- at a time when the agency is operating with financial challenges. The IRS budget has been cut by $1 billion since 2010, including $618 million this year from the sequester.

Insight from a Florida Pilot Program

As part of its anti-fraud efforts, the IRS is initiating a pilot program with state law enforcement officials in Florida, where tax ID theft cases are especially high. One preliminary finding from the Florida crackdown is that number of tax fraud cases is down but the average amount stolen per fraudster is reportedly up.

Some of the bigger players in Florida are downright brazen. Law enforcement officials point to the self-professed "queen of IRS tax fraud," Rashia Wilson, who posted pictures of herself on Facebook holding wads of cash and boasting:

"IM A MILLIONAIRE FOR THE RECORD SO IF U THINK INDICTING ME WILL BE EASY IT WON'T I PROMISE U."

Wilson was subsequently indicted along with her boyfriend for filing more than 220 fraudulent returns and claiming $1.9 million in federal tax refunds between 2009 and 2013. At the same time, Wilson reported no federal employment income and collected $668 a month in food assistance from Florida. She began serving a 21-year prison sentence in July.

While her fraud spree lasted, claiming fraudulent tax credits -- including the earned income and education credits -- were also some of Wilson's favorite schemes. These credits reduce taxable income and can generate a refund. For example, if a low-income individual qualifies for a $2,000 earned income credit but has only $700 of taxable income, he or she would be eligible for a $1,300 tax refund. Supporting documentation is not attached to a tax return in order to claim the education tax credit.

Wilson's home state, Florida, has historically had the highest per capita rate of reported identity theft complaints, followed by Georgia and California. Some speculate that Florida's pilot program might cause local thieves to relocate to other states -- or at least have their fraudulent refunds rerouted to banks across state lines.

Personal Protection Measures

No matter where you live, identity theft can be costly and frustrating if you are a victim. It starts when someone steals your personal information, including:

  • Name and address,
  • Telephone number,
  • Social Security number (SSN),
  • Bank or credit card account number,
  • Birth date, and
  • Biometric data, such as eye color, height and weight.

This information may be stolen from tax records, medical and death documents, loan applications or your employer's payroll files. Some information, such as birthdays, can be found on social media websites.

Fortunately, you can take these steps to help prevent your personal information from getting into the wrong hands:

Don't carry your Social Security card or documents with your Social Security number.

Don't give out your Social Security number to businesses or medical providers just because they ask for it. Give it only when required.

Protect your financial information. Shred documents with personal identifying information. Don't provide information in response to e-mail or text messages. Don't give personal information over the phone unless you have initiated the contact or you are sure you know who you are dealing with. Secure personal information in your home.

Watch what you put on social media. Some people put personal information on social media websites and elsewhere on the Internet, such as their birthdays, addresses, phone numbers, marital status, etc. Identity thieves can use that information to try and compile more information about you so be careful what you disclose.

Change social media accounts to "friends only" or similar settings to prevent information from being accessed by anyone.

Check your credit report every 12 months.

Protect personal computers by using firewalls, anti-spam/virus software, update security patches, and change passwords for Internet accounts.

File as early as possible in the tax filing season.

Respond immediately if you receive a notice from IRS. If you believe someone may have used your Social Security number fraudulently, notify the IRS by responding to the name and number printed on the notice or letter. You need to fill out the IRS Form 14039, Identity Theft Affidavit.

If you are a victim, get an Identification Number from the IRS that proves you are the legitimate filer of future tax returns. The IRS issues Identity Protection Personal Identification Number (IP PIN) to select identity theft victims whose identities have been validated by the IRS. It allows legitimate returns to be processed, and prevents processing of fraudulent returns, thereby mitigating processing delays in victims' federal tax return processing. Generally, the IP PIN is mailed out once the taxpayer's account has been resolved. Current programming allows one IP PIN to be generated each year.

© Bizactions LLC.