IRS Guidance on Reporting W-2/SSN Data Breaches

April 6, 2017

The IRS recently laid out reporting procedures for employers and payroll service providers that have fallen victim to various Form W-2 phishing scams.  In many of these scams, the perpetrator poses as an executive in the company and requests Form W-2 and Social Security Number (SSN) information from an employee in the company’s payroll or human resources departments (see prior coverage).  If successful, the perpetrator will immediately try to monetize the stolen information by filing fraudulent tax returns claiming a refund, selling the information on the black market, or using the names and SSNs to commit other crimes.  Thus, time is of the essence when responding to these data breaches.

According to the IRS’s instructions, an employer or payroll service provider that suffers a Form W-2 data loss should immediately notify the following parties:

  1. IRS. The entity should email dataloss@irs.gov, with “W2 Data Loss” in the subject line, and provide the following information: (a) business name; (b) business employer identification number (EIN) associated with the data loss; (c) contact name; (d) contact phone number; (e) summary of how the data loss occurred; and (f) volume of employees impacted.  This notification should not include any employee personally identifiable information (PII).  Moreover, the IRS does not initiate contact with taxpayers by email, text message, or social media channels to request personal or financial information.  Thus, any such request should not be treated as a genuine IRS request.
  2. State tax agencies. Since any data loss could affect the victim’s tax accounts with the states, the affected entity should email the Federal Tax Administrators at StateAlert@taxadmin.org for information on how to report the victim’s information to the applicable states.
  3. Other law enforcement officials. The entity should file a complaint with the FBI’s Internet Crime Complaint Center (IC3), and may be asked to file a report with their local law enforcement agency.
  4. Employees. The entity should ask its employees to review the IRS’s Taxpayer Guide to Identity Theft and IRS Publication 5027 (Identity Theft Information for Taxpayers).  The Federal Trade Commission (FTC) suggests that victims of identity theft take various immediate actions, including: (a) filing a complaint with the FTC at identitytheft.gov; (b) contacting one of the three major credit bureaus to place a “fraud alert” on the victim’s credit card records; and (c) closing any financial or credit accounts opened by identity thieves.

The IRS has also established technical reporting requirements for employers and payroll service providers that received the phishing email but did not fall victim to it.  Tax professionals who experience a data loss should also promptly report the loss pursuant to the IRS’s procedures.