Tax Reform, the IRS, Cybersecurity, and Privacy

The current tax reform debate has focused on economic growth and the value of cuts to different groups of taxpayers. Tax simplification has received less attention, and Republican bills would only make modest gains in that regard.

Yet a major tax code simplification would not only save time on administration, it would increase financial privacy and deter cyberattacks on the Internal Revenue Service. A new study by Michael Hatfield of the University of Washington looks at the risks posed by the IRS’s vast data collection on 290 million Americans. The more micromanagement there is in the tax code, the more information the IRS collects on our finances, lifestyles, and activities.

Here are some of Hatfield’s points:

• Many federal agencies have been hit with damaging cyberattacks in recent years, including the Office of Personnel Management, the Justice Department, the Pentagon, and the White House.
• The IRS has also suffered attacks. In 2015, “the IRS launched the Get Transcript service, enabling taxpayers to view this information (known as a “transcript”) online. Unfortunately, the security of the service was so low that, within the first few months of the service, hackers stole personal information from about 724,000 taxpayer accounts.”
• Individual hackers, groups, and hostile governments regularly target U.S. companies and government agencies. The Chinese government may be building a database of personal information on all Americans. The IRS is an ideal target for hackers seeking to steal personal information and money, and for people simply wanting to wreak havoc by destroying data.
• The IRS has a history of expensive technology failures. The agency has struggled to update its systems with new technologies and security protections. The IRS has a hard time competing to attract top computer experts, and so it may fall further behind.
• The IRS collects information on our income sources, family structure, health information, housing data, small business details, educational situation, retirement finances, and many other things. During investigations and audits, the agency can demand and collect just about any information it wants to judge the accuracy of tax return data.
• Political pressures work against security and personal privacy. Politicians encourage the IRS to improve “customer service,” which encourages more online interaction. And politicians push to close the “tax gap” of taxes owed but not collected, which prompts the agency to demand ever more data from individuals and businesses.

Hatfield notes that ensuring good cybersecurity is a difficult task for any agency these days, so damaging attacks against the IRS seem likely. Ironically, massive IRS attacks may have been avoided thus far due to the antiquated nature of the IRS’s computer systems.

We need better IRS management, but Hatfield’s main point is that Congress should simplify the tax code to reduce the amount of information collected from Americans. Another problem he points to is the overwithholding of income taxes, which necessitates more than 110 million refunds each year. Hatfield says, “making the IRS less like an ATM would reduce its appeal to financial thieves.” One fix, in my view, would be to repeal the earned income tax credit, which pays $60 billion in subsidies to more than 25 million people a year. The huge EITC error rate illustrates the IRS’s inability to monitor its vast transactions.

Hatfield concludes:

Congress has designed a tax system that requires the IRS to collect information on hundreds of millions of individuals and to routinely issue hundreds of billions in refunds. If the tax law did not require so much information on so many, nor involve refunds to so many, the IRS would be a less appealing and more defensible cyberattack target. In short, if the tax law were simpler in specific ways, the information technology needs at the IRS would be simpler, and adequate cybersecurity for it would be easier.

The tax law need not demand so much information on so many individuals, nor must its administration turn on a system that generates refunds as a rule rather than an exception. Within the limits of the political and financial realities that determine legislation, there is ample flexibility for Congress to reform tax law so that it demands less of both taxpayers and tax administrators and, thereby, provides more information security.

A broader conclusion from Hatfield’s study is that policymakers should put much more emphasis on personal privacy when considering all federal programs. The government has a poor record of guarding its databases, so policymakers should be very skeptical of federal activities that require the gathering of personal data on Americans.