It's Time to File Taxes—and Protect Tax Information
Theft of W2s and other tax information has become an annual occurrence. Companies need not only to prevent such breaches from occurring, but also to position themselves to act quickly to protect their employees.
March 04, 2019 at 07:00 AM
It's 5:00 on a Friday evening in a human resources division. An employee receives an email from his supervisor demanding that W2 “Wage and Tax Statements” forms for all executives and managers be sent to her immediately. The email's urgent tone is not typical of the supervisor. But mindful of upcoming performance reviews and thinking about weekend plans, the employee dutifully sends the W2s anyway.
Not long after, the company's CEO and general counsel attempt to file their personal taxes, only to learn from the Internal Revenue Service (IRS) that tax returns have already been filed in their names. An urgent investigation reveals that the email from the “supervisor” was actually a phishing email with a spoofed email address from an untraceable IP address. Worse, unknown assailants are now filing fraudulent tax returns on behalf of senior executives, and collecting inflated refunds in their names.
With tax season now here, this scenario has almost certainly played out in multiple companies across the country. W2 breaches can cause employers significant harm by undermining employee trust. They are even more damaging for employees. W2s contain sensitive personal information that can be used to commit tax fraud, as well as other forms of identity theft, such as social security fraud.
Unfortunately, theft of W2s and other tax information has become an annual occurrence. Companies need to understand this trend, not only to prevent such breaches from occurring, but also to position themselves to act quickly to protect their employees.
Sophisticated social engineering techniques are central to most W2 breaches. Cyber-criminals carefully research targets before sending “spear-phishing” emails to trick employees into unwittingly disclosing W2s. These emails commonly purport to be from actual company employees, with addresses that may even look as though they come from employees' specific managers. They are often sent with a sense of immediacy to pressure the target into disclosing the requested information.
Companies should train their employees, particularly those identified as handling confidential or sensitive information, to recognize and avoid falling victim to these tactics. This could be part of a coordinated company phishing training program designed to reduce employee click rates on fraudulent email.
Cyber threat vectors are relentless. Companies must also prepare to quickly respond to a breach, whether it be loss of W2s or any other compromise to sensitive information or information systems. Well in advance of an attack, companies should develop a coherent and effective incident response plan. Such a plan should be designed to quickly escalate compromises of sensitive information, so that Legal, IT security, Human Resources, and any other appropriate department can quickly act to mitigate the fallout from a breach. As part of their incident response planning, companies should consider establishing a relationship with outside counsel before an incident in order to fully leverage their specialized breach experience.
The loss of W2 forms triggers requirements in most states to notify impacted individuals. Even if not required to do so, companies should consider providing employees who had their W2s breached with credit monitoring services. However, this may not be enough. Cyber-criminals in possession of W2s can quickly cause significant financial harm to impacted employees, so time is of the essence.
The IRS provides steps for companies to respond to a breach of W2 forms on its website, including instructions on reporting such breaches to the IRS. The IRS recommends that even when a company receives a W2 phishing email and does not fall victim, the email should be reported, along with its header information, to [email protected]. Impersonations of IRS officials on the telephone can be reported to the IRS at tigta.gov. Companies experiencing an actual W2 data loss should report the incident to the IRS by emailing [email protected], as well as the FBI's Internet Crime Complaint Center at ic3.gov, so that the incident can be investigated.
Cyber-criminals may seek to file fake tax returns with state tax agencies. Therefore, companies experiencing a W2 breach should also email the Federation of Tax Administrators at [email protected] to get information on how to report victim information to the states. Some states may be able to monitor tax returns of employees residing in their state for fraudulent activity.
Where an employee knows of identity theft caused by breached W2 forms, the IRS recommends the following steps:
- The employee should respond immediately to any IRS notice and call the number provided.
- In the event an e-filed return is rejected because of a duplicate filing under the employee's social security number, or if the IRS has otherwise notified the employee that they are the victim of tax-related identity theft, the employee should complete and submit the IRS Form 14039, “Identity Theft Affidavit.”
- The employee should continue to pay taxes and file tax returns, even if by paper.
- The employee should contact the IRS for specialized assistance at (800) 908-4490.
The Social Security Administration (SSA) also recommends measures for individuals who suspect their social security numbers have been compromised from a W2 breach or otherwise. Specifically, the SSA recommends setting up an online account through its “my Social Security” web portal in order to prevent a thief from setting up an account to steal benefits. Where an individual knows they have been a victim of social security fraud, they can block electronic access to SSA records.
As with any other information security incident, whether through a phishing email, cyber intrusion, or other means, responding to a W2 breach should be done through an enterprise-wide approach. Collaboration between key business units and advance preparation are critical. In doing so, companies can position themselves to act quickly to protect employees from identity theft in the wake of a W2 breach.
Eric Hutchins is principal attorney at H2 Legal, P.C. in Chicago where he partners with Hunton Andrews Kurth to help companies achieve their security-related goals. Paul Tiao is a partner at Hunton Andrews Kurth in Washington, D.C., and founder and co-chair of the firm's Energy Sector Security Team.