Kathleen Nilles is a partner in Holland & Knight's Washington, D.C. office.
On March 1, 2016, the Internal Revenue Service
(IRS) began alerting employers
and their payroll staff about a phishing scheme that
cyber-criminals are successfully using to trick payroll and
accounting staff into releasing their employees' W-2 forms to
persons outside the company. In most cases, the outsiders are
seeking to "monetize" the data—either by filing
false refund claims or by selling the data thereby obtained to other
cyber-criminals. The gist of the scam is an incoming e-mail made to
appear as if it is coming from a company executive, such as its
CEO, CFO or controller. The e-mail politely requests the recipient
to send the executive a copy of all employee W-2 forms by
electronic means, such as a PDF file. We are already hearing from
companies and other organizations whose staff members have been
tricked by the data requests.
If a tax data breach of this type occurs, there are several
measures that a company should take immediately. First, contact
should be made with the Criminal Investigation Division (CID) of
the IRS. Besides working to apprehend the perpetrators, IRS CID is
generally able to immediately put the employees' taxpayer
identification numbers (TINs) on a watch list so that fraudulent
requests for tax refunds using the employee tax data can be
scrutinized and rejected. Second, the company should assist
employees with identity theft remediation efforts, including the
filing of IRS Form 14039 (Identity Theft Affidavit). Additional
measures may also be warranted.
Even if a tax data breach has not occurred, the IRS Release
provides companies with a reminder to review and tighten up
internal control procedures, particularly as they pertain to the
use and handling of employee tax data and personal information. All
companies should have a plan in place to prevent and deal with data
breaches of this type.