IRS Data Liabilities, Budget Costs, and the Inflation Reduction Act of 2022

Context

• Under Internal Revenue Code Section 7431(c), the IRS is liable for damages to taxpayers for unauthorized disclosures of their protected information by IRS employees. $1,000 of statutory minimum damages are due to a taxpayer for each act of unauthorized disclosure by an IRS employee. Also due are uncapped actual damages, punitive damages, and reasonable attorney fees.

The Inflation Reduction Act (IRA) increases the risk of unauthorized disclosures of taxpayer data that could lead to large statutory and punitive damages for the government not included in Congressional Budget Office (CBO) estimates.

Inflation Reduction Act Increases Budgetary Risk

• Attempt to rapidly onboard full-time employees and contractors, which included lowering quality standards for the sake of expediency.
• Adoption of new “Artificial Intelligence” and other technology systems over a compressed period, which created more short-term risks.

Data acquisitions from third parties, data linkages, and digitization, which exposes more data to the IRS’s information (in)security systems.

Possible outcomes in budget window	An act leading to unauthorized disclosure of a taxpayer’s data ($)	An act leading to unauthorized disclosure of all taxpayers’ data ($)	A malicious campaign of unauthorized disclosures of taxpayer data ($)
	$1K to millions or more	$10B to $300B or more	10s of billions to trillions

Summary

• The IRA increases the IRS’s exposure to Section 7431(c) liabilities arising from unauthorized taxpayer information disclosures. These effects could be large, up to trillions of dollars, could happen unexpectedly, and could be triggered by an accident or a malicious actor inside the IRS. The effects would amplify previous CBO underestimation of the costs of the IRA.

Introduction

The IRS spent $14.3 billion and had more than 79,000 full-time positions in 2022.^[1] Thanks to an anticipated $79.6 billion of mandatory funding provided by the IRA of 2022, the agency expected to see its outlays grow to $28.8 billion in 2031.^[2] Those expectations were moderated when a 2023 deal between Republicans and Democrats agreed to cut $20.2 billion of the funding.^[3] Most of the funding, however, will still be spent unless more cuts are made. Of the $79.6 billion of original funding, more than $55 billion is now slated to be spent before the IRS’ budget deflates to $15 billion when the IRA funding expires in 2032.

CBO has played a significant role throughout. It estimated that the IRA’s $79.6 billion funding for the IRS would increase federal revenues by $180.4 billion from 2022 to 2031.^[4] More recently, it estimated that rescinding $20 billion of the funding would add $24 billion to the deficit through 2034.^[5]

From the CBO’s estimates, the new funding might seem like a good “bargain” from the tax collectors’ perspective. However, the CBO has not considered in its estimates a critical area of risk for the IRS that was amplified by the IRA: the risk of agency liability for actions of IRS employees and officers that lead to unauthorized disclosures of taxpayer information. When disclosures happen, a taxpayer can sue for damages, including a statutory minimum of $1,000 per act that leads to an unauthorized disclosure.^[6]

This OFRA Fiscal Risk Analysis reviews the origin of the budget risks associated with unauthorized disclosures of taxpayer information, outlines the components of IRA funding for the IRS that could increase those risks, and provides a basis for estimating the general magnitudes of budgetary costs that would arise with specific risk events.

In addition to providing information to the public, this analysis could serve as a supplemental aid for the official estimators at the Joint Committee on Taxation and the CBO. Their privileged access to IRS records makes them, the House Committee on Ways and Means, and the Government Accountability Office uniquely capable of in-depth research on IRS’s information security liabilities.^[7]

Contextual Background on the IRS’s Data Liability Risk

The IRS is liable for unauthorized disclosures of taxpayer information by IRS employees and officers, and likely some contractors, under Section 7431(c) of the Internal Revenue Code.^[8] For each act of unauthorized disclosure, the taxpayer is due $1,000 as base statutory damages regardless of actual damages, ^[9] uncapped compensatory, punitive damages, and reasonable attorney fees.^[10]

The IRS has a history of major data losses as it struggles with the asymmetric advantages of dedicated attackers in the current information environment.^[11] Given its poor internal IT logging and security audit systems, which the IRS intends to improve with the IRA funding, the number of data losses at the IRS could be substantially underreported, and the count of past disclosures may increase significantly in coming years.

The budgetary risk of data loss is particularly acute for the IRS because it faces minimum statutory liabilities for unauthorized disclosures of taxpayer data under its protection, regardless of damages. Other agencies, though all are liable for unauthorized disclosures of private information under the Privacy Act of 1974,^[12] are only subject to statutory liabilities for those Privacy Act violations when actual damages are demonstrated by a plaintiff.^[13]

One of the IRS’s most recent and well-publicized leaks came from a contractor for the IRS, Charles Littlejohn. According to Department of Justice prosecutors, Littlejohn sought work with the IRS in 2017 for the purpose of leaking taxpayer data to the press. He succeeded in this, leaking the tax returns of a president and several thousand of America’s highest net-worth taxpayers. The IRS is currently being sued for his actions in what may be the highest profile Section 7431(c) suit in American history.^[14] Successful or not, the visibility of the suit increases the public and legal community’s knowledge of Section 7431(c) and should increase expectations that such lawsuits might increase in frequency.

There is some uncertainty regarding the coverage of Section 7431(c) protections for taxpayers. For example, there is not yet a case law that establishes which contractors are considered IRS employees and whose acts of unauthorized disclosures create liability for the IRS.^[15] There is also uncertainty over which safeguarding lapses by employees create liability, such as improperly securing IT systems, disclosing data to authorized counterparties with known security lapses, or disclosing data to improperly vetted contractors.^[16]

However, there is no uncertainty that any IRS employee could unilaterally create large liabilities for the IRS and the Treasury Department.

Information Risk Factors Associated with the IRA Funding

The IRA funding for the IRS will support several activities that markedly increase the risks of unauthorized disclosures, taxpayer lawsuits, and IRS liabilities. The IRS’s budget growth is pronounced in enforcement and business systems modernization, two areas that rely heavily on sensitive data.^[17] Activities that are likely to increase the risk of liability under Section 7431(c) include:

Rapid additions of IRS full-time employees and contractors in a tight labor market

The Treasury Department has laid out plans to hire nearly 90,000 new employees through 2031.^[18] In FY 2023, the IRS hired 16,405 new employees and moved another 15,475 to new positions within the agency,^[19] but did not reach its goals for enforcement personnel.^[20] In order to hire more rapidly, the IRS has called on its Direct Hire Authority, which expedites and streamlines the hiring process, explicitly removing quality standards for the sake of expediency.^[21] New hires are not necessarily more prone to leaking data, but lower hiring standards most likely are.

Adoption of new “Artificial Intelligence” and other technology systems

A core component of the IRS’s plan with the IRA funding is to adopt Artificial Intelligence systems^[22] and deploy other forms of technology modernization to enhance compliance and improve operations.^[23] Some of these investments may increase information security in the long run, but adopting new technologies over a compressed period via a rapid budget outlay significantly increases short-term information security risks. The risks are further amplified by the rushed hiring and onboarding of new employees and employee-like contractors, many of whom will receive high levels of data privileges and high capacity to make extensive and numerous data disclosures.

Data acquisitions from third parties and associated data linkages

The acquisition and deployment of data are key components of the IRS’s enforcement and operations strategy.^[24] The IRA increased the IRS’s budget to implement new third-party reporting programs, acquire data from private-sector data aggregators, and link the data with other IRS data, private-sector [MP3] [WZ4] data, and data within the government. With the IRA funding, the IRS also plans to process all forms digitally.^[25] The collection and linkage of data sources can increase the actual damages upon inappropriate data disclosure by increasing the severity of reputational or business-competitive harms. The programs also expose more data to the IRS’s information security systems and increase the risk of wider-spread disclosure.

These risk factors necessitate an examination of possible risk events and the magnitude of budgetary effects they can have.

Estimating Basis

This Fiscal Risk Analysis does not provide budget estimates. Rather, it seeks to outline the magnitude of budgetary outcomes that might accompany these risk events. A thorough, conventional budget estimate under the CBO’s existing one-sided bet framework would take into account probabilistically weighted expected outcomes of these risk events.^[26]

Scenario 1:
An act of an IRS employee or officer leads to the unauthorized disclosure of a single taxpayer’s data, and the taxpayer sues. One thousand to millions of dollars or more in fiscal risk.

The lower range of $1,000 is the statutory minimum damages. Actual damages, attorney fees, and punitive damages can reach millions of dollars.^[27]

Scenario 2:
An IRS employee act leads to the unauthorized disclosure of the population of taxpayer data, such as to a news source, on the internet, or to a foreign adversary — and the disclosure becomes public. (Note that disclosure to multiple parties would be considered multiple acts and would require consideration under Scenario 3 below). Ten to 250 billion dollars or more in fiscal risk.

The lower range of $10 billion assumes 10 million taxpayers (less than 10% of the U.S. taxpayer population) file suit, and each wins the statutory minimum damage but claims no other damages. Class action would likely be available in these circumstances.^[28] The (conservative) upper range of $300 billion assumes 75 million taxpayers (less than 50% of all taxpayers) file suit, and each wins the statutory damage and other damages of $3,000 on average. In a significant data leak of business returns, the average damages could be much higher. Any population leak would be a significant news event, and more than half of taxpayers may sue.

Scenario 3:
A campaign of malicious acts or a spate of accidents leads to numerous incidents of population-wide disclosure. Tens of billions to trillions of dollars in fiscal risk.

This scenario presents, in its essence, a multiple of Scenario 2. A reasonable range might be from tens of billions to an upper range of trillions of dollars, where 10 or more population-wide acts of disclosure create significant statutory, actual, and other damages.

Conclusion

Malicious or careless actors at the IRS could expose the federal government to substantial budgetary risks.

The possibility of the risk events considered in this analysis should have concrete implications for the CBO’s conventional estimates of funding for the IRS and the rescissions of such funding. Under its prevailing one-sided bet conventional estimating framework,^[29] the CBO should probabilistically consider data liability risks in cost estimates for which the CBO’s central of those risks is not zero. 

[1] Internal Revenue Service, IRS Budget & Workforce: Table 32: Costs Incurred by Budget Activity, Fiscal Years 2022 and 2023, Table 34: Personnel Summary, by Employment Status, Budget Activity, and Selected Personnel Type, https://www.irs.gov/statistics....

[2]<Congressional Budget Office, How Changes in Funding for the IRS Affect Revenues, February 2024, https://www.cbo.gov/publication/60037.

[3] $1.4 billion rescission in June 2023 was followed by an agreement to rescind $10 billion in each of FY 2024 and FY 2025, which is now fulfilled by the $20.2 billion rescission by the March 2024 Consolidated Appropriations Act.

[4] Phillip L. Swagel, Re: Additional Information About Increased Enforcement by the Internal Revenue Service, https://www.cbo.gov/system/files/2022-08/58390-IRS.pdf.

[5] Supra note 2.

[6] 6 U.S.C. Section 7431(c).

[7] 6 U.S.C. Section 6103.

[8] Supra note 8. See also Michael Hatfield, “Privacy in Taxation,” 42(2) Fla. St. U. L. Rev. 579 (2018) and Hatfield, “Cybersecurity and Tax Reform,” 93(4) Ind. L.J. 1161 (2018).

[9] Minda v. Comm’r of Internal Revenue, (U.S.T.C. Feb. 7, 2022)

[10] Supra note 8.

[11] Matthew Jensen, Keeping Federal Data Secure, National Affairs, (April 4, 2024) https://www.nationalaffairs.co....

[12] 5 U.S.C. Section 552(g)(4)(A).

[13] Doe v. Chao, 540 U.S. 614 (2004).

[14] See, e.g., Editorial Board, Ken Griffin vs. the IRS, The Wall Street Journal, (April 4, 2024), https://www.wsj.com/articles/ken-griffin-irs-lawsuit-security-charles-littlejohn-leak-823a53d4.

[15] The IRS Internal Revenue Manuals section on unauthorized disclosures groups as its audience, “All IRS employees and IRS contractors who have staff-like access (including subcontractors, non-IRS-procured contractors, vendors, and outsourcing providers who have staff-like access.” IRS, Internal Revenue Manual, pt. 10, ch. 5, sec. 5, IRS Unauthorized Access, Attempted Access or Inspection of Taxpayer Records (UNAX) Program Policy, Guidance, and Requirements, 10.5.5 (latest available year).

[16] The government recently settled a Privacy Act case where safeguarding lapses at the OPM led to a massive breach. In re U.S. Office of Personnel Management Data Security Breach Litigation, 928 F.3d 42 (D.C. Cir. 2019).

[17] Supra note 2.

[18] Treasury Department, The American Families Plan Tax Compliance Agenda, 1, 17 (May 2021).

[19] Internal Revenue Service, Annual Report to Congress, i, i-iv, viii (2023).

[20] Congressional Budget Office, How Changes in Funding for the IRS Affect Revenues, 1, 2-4 (February 2024). see also The IRS Needs to Leverage the Most Effective Training for Revenue Agents Examining High-Income Taxpayers, Treasury Inspector General for Tax Administration, 1, 10, (August 2023).

[21] Office of Personnel Management, Direct Hire Authority, https://www.opm.gov/policy-dat....

[22] Internal Revenue Service, IRS Announces Sweeping Effort to Restore Fairness to Tax System with Inflation Reduction Act Funding; New Compliance Efforts Focused on Increasing Scrutiny on High-Income, Partnerships, Corporations and Promoters Abusing Tax Rules on the Books, (April 4, 2024). https://www.irs.gov/newsroom/i....

[23] Internal Revenue Service, Inflation Reduction Act, Strategic Operating Plan FY 2023-2031, https://www.irs.gov/pub/irs-pd...

[24] Internal Revenue Service, Internal Revenue Service Inflation Reduction Act Strategic Operating Plan, 1, 2-3 (April 2023).

[25] Internal Revenue Service, IRS Launches Paperless Processing Initiative, (April 4, 2024). https://www.irs.gov/newsroom/i...

[26] Congressional Budget Office, Estimating the Cost of One-Sided Bets: How CBO Analyzes the Effects of Spending Triggers, 1, 2-4 (October 2020).

[27] See, e.g., Payne v. United States, 289 F.3d 377, 379 (5th Cir. 2022).

[28] Federal Rules of Civil Procedure, “Rule 23. Class Actions,” https://www.law.cornell.edu/ru...

[29] Supra note 27.