Criminals are increasingly stealing tax refunds by obtaining personally identifiable information about individuals and using that information to file fraudulent tax refunds.  The IRS identified $6.5 billion in identity-related tax refund fraud last year.  CNN Presents recently investigated the crime and, as Randi Kaye explained in this news report, it is “one of the biggest, most brazen crimes in the U.S.” I highly recommend that you watch Kaye’s report and this report that details the great work that North Miami Beach Detective Craig Catlin and his team are doing here in Miami to fight this increasingly threatening crime.

Why should companies care about criminals who steal identities and then use that information to file fraudulent tax returns?  The short answer is that the criminals are getting the personally identifiable information from somewhere, and it may be from your company.  As the CNN report explains, criminals often obtain information (like social security numbers) from sources inside medical providers that maintain such sensitive information.  If one of these medical providers learns that information it maintains about its patients was compromised (i.e., accessed or used by an unauthorized individual) then it may have a duty to notify the individuals whose information was compromised.  It may also be obligated to report the compromise to state and federal government officials, which could in turn result in investigations, fines, and lawsuits against the provider.  Doesn’t seem fair to the medical provider, does it?  Particularly since the “bad actor” was a rogue employee.  But it is the law.

More importantly, these concerns are not exclusive to medical providers.  Any business that maintains personally identifiable information about its customers or employees (credit card numbers, dates of birth, social security numbers, etc.) is susceptible to these data breach risks.

In light of these risks, it is important that businesses implement strong safeguards to limit the risks associated with these data breaches.  Safeguards can include protecting the information through encryption and passwords, limiting access to sensitive information, performing thorough background checks of employees, monitoring access and use of personally identifiable information, and auditing security measures on a periodic basis to ensure that the highest security standards are maintained.  All of these safeguards should be clearly explained in a company policy about which employees are trained periodically. Many of these obligations are already required by law, depending on the information your organization maintains.

What is your company doing to evaluate, address, and minimize these risks?


DISCLAIMER:  The opinions expressed here represent those of Al Saikali and not those of Shook, Hardy & Bacon, LLP or its clients.  Similarly, the opinions expressed by those providing comments are theirs alone, and do not reflect the opinions of Al Saikali, Shook, Hardy & Bacon, or its clients.  All of the data and information provided on this site is for informational purposes only.  It is not legal advice nor should it be relied on as legal advice.