News

The Internal Revenue Service needs to increase employee training and cybersecurity protections, an official with a nationwide network of nonprofits said Tuesday, following the agency's recent announcement that some data from business income returns that nonprofits file was inadvertently disclosed.

The IRS' announcement Friday that it had discovered some machine-readable Form 990-T data was inadvertently made publicly accessible underscores the need for greater worker training, David L. Thompson, vice president of public policy with the National Council of Nonprofits, told Law360.

"We see the release of confidential information as unfortunate and a clear sign that greater cyber protections and training are urgently needed at the IRS," he said.

Nevertheless, the general regulatory practice of confidential information disclosures to the agency for law enforcement purposes remains vital, Thompson said.

The agency said in its announcement that it had discovered some machine-readable Form 990-T data was made available for bulk downloads on its tax-exempt organization search tool that shouldn't have been publicly accessible. The IRS said the files have been removed from its website and will be replaced with updated ones in the near future. The agency also said that in the coming weeks it will contact all tax filers that were affected.

Tax-exempt entities, including tax-exempt organizations, retirement accounts and government entities, use Form 990-T to report and pay income tax on income generated from certain investments or income unrelated to their tax-exempt purposes, the IRS said. The agency said it has to disclose this information for Section 501(c)(3) organizations, but that similar details for some non-501(c)(3) groups that aren't subject to public disclosure was made available. That data does not contain individual tax returns, Social Security numbers or account holder details, the agency said.

The IRS said in its statement Friday that it is continuing to review the matter. The agency told Law360 on Tuesday it had no further comment. 

The IRS' review showed the inadvertent disclosure included information for about 120,000 people, according to letters sent to lawmakers by Anna Canfield Roth, acting assistant secretary for management with the U.S. Department of the Treasury.

In the letters to Rep. Bennie Thompson, D-Miss., chairman of the House Homeland Security Committee, and to Rep. John Katko, R-N.Y., the committee's ranking Republican, Roth said that in accordance with guidance under the Federal Information Security Modernization Act, further details will be provided within 30 days. That will include summaries of Treasury's response to and remediation of the issue.

Treasury provided Law360 the letters Tuesday but declined to comment further. Sen. Ron Wyden, D-Ore., chairman of the Senate Finance Committee, said in a statement that "the committee is looking into the matter and has requested additional information from the IRS."

The data disclosure isn't the only recent instance of confidential tax data being inadvertently exposed. ProPublica, a nonprofit news organization, started publishing articles in 2021 based on a trove of confidential tax data it obtained.

"Coming on top of the still unaddressed ProPublica breach this is terrible news for the IRS," said Mark Everson, vice chairman of Alliantgroup and a former IRS commissioner.

Jorge Leon of Michael Best & Friedrich LLP called the Form 990-T data disclosure shocking but said, "it's not surprising."

"This incident highlights the importance of cybersecurity in the retirement context and it shows that every player in the space can be affected," he said. "Hopefully, no one experiences fraud, theft or other adverse effects as a result of this incident and we are able to learn of any mitigation steps if and when a forensic investigation is completed."