Earlier this month, Elon Musk’s Department of Government Efficiency (DOGE) raised eyebrows when it requested access to sensitive taxpayer data at the IRS. According to various reports, DOGE is seeking access to the Integrated Data Retrieval System (IDRS). You can think of the IDRS as a master file, which includes tax returns and other taxpayer information, including bank records.
Taxpayers and tax professionals alike have expressed concerns about the safety of their data. Some have even suggested that they will not file or pay their taxes until the matter is resolved. In addition to concerns about whether allowing access is legal, taxpayers worry about the privacy of their data and whether that data may be leaked or used in the private sector. Here’s what you need to know about taxpayer privacy.
Current Law
Today, section 6103 of the tax code prohibits federal employees from sharing tax returns and tax return information with third parties—some exceptions may apply, including disclosures to other federal agencies. This is a broad prohibition–it doesn’t just include copying and sending information. It also means discussions about returns, including something as simple as whether a taxpayer has filed a tax return, is prohibited. That’s why attorneys, accountants and other tax professionals have to provide the IRS with signed taxpayer authorizations before they can discuss taxpayer issues with the IRS, as well as why your mortgage company or student lender will ask for authorization before asking the IRS to confirm financial information.
(For purposes of this and related statutes, the definition of tax return and tax return information is very broad.)
Those with access to data as part of their jobs–like IRS employees–have strict rules about what they can access or share. IRS employees are barred from viewing or disclosing taxpayer data unless they are expressly authorized to do so. Under section 7213A of the tax code, it is unlawful for any federal officer, employee, or other authorized viewer to willfully inspect a return or return information for an unauthorized purpose.
The bottom line is that they may inspect or disclose tax return information only when their “official duties require such inspection or disclosure for tax administration purposes.” To make sure that IRS employees follow the rules, they are subject to annual UNAX (authorized access) training and testing. One IRS employee told me, “As an IRS employee, I swore to uphold the confidentiality of this data and would have been immediately fired for accessing anything not directly involved with work on a specific case.” Beyond firing, rule breakers risk criminal and civil penalties.
In fact, an IRS employee can’t even use the system to browse their own data. They also can’t look up information on friends or relatives, or (needless to say) a famous person just to satisfy their curiosity. Diving into Taylor Swift’s returns, for example, is grounds for dismissal and prosecution, even if the employee never shares what they learned with anyone else.
To make sure that IRS employees follow the rules, digital trails track access. There’s a record of who–and in most cases why–records are accessed.
Heightened controls mean that disclosures and data breaches are relatively rare compared to the vast amount of data available. In 2023, a federal contractor, Charles Edward Littlejohn, pleaded guilty to unauthorized disclosure of tax return and return information—a violation of section 7213(a)(1) of the tax code, the most serious offense for leaking tax information. His punishment was swift and severe. In January of 2024, Littlejohn was sentenced to five years in prison (the maximum sentence) for disclosing thousands of tax returns—including Donald Trump’s—without authorization.
In addition, if a taxpayer’s information is improperly inspected or disclosed, they can bring a civil lawsuit to recover damages. By statute, if the accused person is a U.S. officer or employee, you can sue the government in federal district court. If the accused person is not a U.S. officer or employee, you can sue the individual.
(After Littlejohn’s disclosures, billionaire Ken Griffin sued the government for damages. In that case, the IRS argued for a dismissal based on the fact that Littlejohn was a contractor and not an officer or employee of the federal government. The matter was eventually settled out of court and included a public apology from the IRS.)
Damages are limited under section 7431(c) of the tax code to the greater of $1,000 for each act of unauthorized inspection or disclosure or the actual economic damages. But the wronged taxpayer may also be entitled to punitive damages if the disclosure was willful, as well as costs and reasonable attorney fees.
Moreover, it’s not just taxpayers’ privacy that’s explicitly protected by law. Thanks to the Nixon scandal (more on that in a moment), it’s now against the law for many political officials within the Executive Branch—including the President, Vice President, and any employee of the Executive Office of the President—to request an audit or investigation of a taxpayer or interfere with an ongoing taxpayer audit or investigation. This law (found in section 7217 of the tax code) also applies to indirect interference—for example, if the President instructs another person to request or interfere with an audit. Violating section 7217 is punishable by a fine or imprisonment.
Exceptions
There are several exceptions to tax disclosure laws. Those include sharing information with state agencies responsible for tax administration (this must be done in writing) or with law enforcement agencies pursuant to a court order to investigate non-tax crimes. Exceptions also apply if the Social Security Administration needs information to carry out its responsibilities, including information about your tax liability.
To make sure that these disclosures are proper, each year, the IRS is required to furnish the Joint Committee on Taxation with a report of all agencies receiving returns and return information, the number of cases in which disclosures were made to them during the year, and the general purposes for which the requests were made. Approximately 11 billion allowable, routine disclosures (including to state agencies) were made that were required to be accounted for in 2017—by 2021, that number had escalated to over 27 billion.
A Little History
While we largely assume taxpayer privacy is a given, that hasn’t always been the case. Prior to 1976, tax returns were considered public records, and disclosure was permitted under statute or executive order and Treasury regulations. That had been the case more or less since 1924—under the Revenue Act of 1924, the Committee on Ways and Means of the House of Representatives, the Committee on Finance of the Senate, or a special committee of the Senate or House, could request returns or data from the Secretary of the Treasury. And, although returns were classified as public records, the President, through executive order and Treasury regulations approved by his appointees, controlled access to returns and return information other than those expressly permitted by statute.
On May 13, 1971, President Richard M. Nixon told his staff he was looking for a particular type of IRS Commissioner. In a recorded call (remember, Nixon famously taped his calls), he said, “I want to be sure he is a ruthless son of a bitch, that he will do what he’s told, that every income tax return I want to see I see, that he will go after our enemies and not go after our friends. Now it’s as simple as that. If he isn’t, he doesn’t get the job.” The job eventually went to Johnnie Walters, who became IRS Commissioner on August 6, 1971.
Walters claimed that he didn’t know about Nixon’s comments. He was said not to have participated in Nixon’s plan to use the IRS to intimidate taxpayers on his “enemies list” with threats of an audit. The list was, however, provided to Walters by White House counsel John W. Dean III and included hundreds of individuals to be targeted for tax investigations.
Dean told Nixon in 1972 that “Johnnie has been a disappointment.” Nixon responded, “Well, he’s going to be out. He’s finished.” Walters would be replaced in May 1973 by Raymond F. Harless—Harless only lasted a month before being replaced by Donald Alexander.
By the summer of 1973, the question of who to audit took a different turn as Nixon himself became a target. Initially, his return was flagged over a sizable charitable donation, but the audit raised additional issues over several years. Nixon’s reaction? He told reporters about the scrutiny of his taxes, “People have got to know whether or not their President is a crook. Well, I am not a crook.”
As accusations—and denials—flew, information about Nixon’s returns was leaked in 1974. The leak was purported to have come from the IRS service center in Martinsburg, West Virginia. If the President could look at taxpayer returns—and his critics could look at his returns—where were the controls?
Ultimately, Nixon owed the government $476,431 in additional taxes and interest. But the damage to his presidency—and the IRS—was just beginning.
The scandal raised public concern about who had access to taxpayer information. A series of hearings in the mid-1970s culminated in a 1976 Act that eliminated executive branch control over access to tax returns. Instead of treating tax returns as public records subject to certain restrictions, the new law made clear that tax returns and return information are confidential.
Why Does Security Matter?
The IRS knows a lot about you. The information on your tax return doesn’t only include the basics—your name, address, and Social Security number. A glance through your tax return can tell a reader about your family, including the ages of your children and any other persons you support. Information on the return can reveal not only your annual pay, but also where you work, the nature of your job, and whether you are saving for retirement. There’s something of a running tab on your financial accounts—with account numbers—if they produce interest, dividends, or other investments. A quick glance at your Schedule A could reveal whether you have a mortgage, how much—and in some instances, where—you give to charity, and what kinds of medical expenses you pay. Your Schedules C, E, and F can reveal information about other businesses or sources of income. Some tax returns include more information, including foreign interests, digital assets, and other investments.
That information is valuable.
It’s no wonder that in 2004, then-serving Senator Max Baucus (D-Mont.), wrote, in a statement: “Our tax system depends on citizens being candid about personal and financially sensitive information. In return, the government has a clear obligation to respect and protect the personal and private nature of that information. If taxpayers are given reason to doubt that the government will respect their privacy, the integrity and efficacy of our voluntary tax system will eventually crumble.”
Cyberattacks
In addition to protecting taxpayers from inside actors, the IRS must protect taxpayer data from outside actors, including cyber threats. In its 2019 Integrated Modernization Business Plan, the IRS noted that it was the target of “increasingly sophisticated and frequent efforts by cybercriminals to steal taxpayer data.” Those efforts included 1.4 billion attacks annually, including denial-of-service attacks, unsuccessful intrusion attempts, probes or scans, and other unauthorized connectivity attempts. The report noted at the time that the IRS’s computer systems withstand 2.5 million unauthorized access attempts daily.
New Concerns
While there have been occasional breaches, the IRS has, for years, maintained that taxpayer data was safe. The systems are old, and the IRS has asked Congress for funding for modernization efforts. Before the Inflation Reduction Act of 2022, that included an ask to update the IDRS–the master file that includes all of your tax data. The IRS spent $15.8 million on this investment in fiscal year 2016.
But efforts to modernize IRS systems have not been a priority for Congress. Some of the systems date back more than 50 years, making a quick fix not quite so easy.
That’s one of the reasons that taxpayers, tax professionals, and some members of Congress are concerned about DOGE access to taxpayer information. Not everyone is convinced that a quick “audit” of the IRS systems will be successful—or legal. This week, Senators Ron Wyden (D-Oregon) and Elizabeth Warren (D-Mass.) sent a letter to acting IRS Commissioner Douglas O’Donnell, including an “urgent demand” for information related to efforts to access that information. The Senators have requested that the IRS “immediately disclose to the Senate Committee on Finance the full extent of the potential access to IRS systems and data granted to DOGE team members so that the Committee can address any efforts by DOGE personnel to gain access to taxpayer records at the IRS, which may constitute criminal violations of federal privacy laws.”
There hasn’t yet been any official public response to the request. However, the Washington Post is reporting that White House and Treasury Department officials have reached an agreement that would give DOGE read-only access to anonymized tax data–the same access granted to other IT professionals who work on IRS systems. The terms of any such deal have not been confirmed.
What’s at stake? Decades of taxpayer privacy laws–and your data.
Read the full article here
