Security system design concept.
gettyThe IRS is now notifying more taxpayers who were impacted by the Littlejohn data breach. Former IRS contractor Charles Littlejohn illegally accessed and distributed to certain news organizations the private tax information of corporate and wealthy individual taxpayers, including former President Donald Trump and fellow billionaires Elon Musk, Jeff Bezos, Warren Buffett and Michael Bloomberg. But he also disclosed tax return information of thousands of others. The IRS is required, by law, to give notice to any other victims of the breach it can identify, even if their names were never published. It is doing so now.
Background
According to court documents, from about 2017 to 2021, Littlejohn was employed as a government contractor for an unnamed consulting firm that serviced public and private clients. As part of his job, he worked on contracts that the firm had obtained through the IRS. The returns and return information were disclosed to Littlejohn for "purposes of tax administration."
Court documents also reveal that Littlejohn turned over returns and return information dating back more than 15 years covering thousands of the nation's wealthiest people to "News Organization 2" (News Organization 2, which was not explicitly named in the charges, published over 50 articles using the stolen data. That appeared to match reporting by Pro Publica in 2021, a fact later confirmed in the sentencing memorandum.). He provided the data by mailing it to a password-protected personal data storage device. The data contained not only tax returns but also investments, stock trades, gambling winnings, audit determinations, and many other types of financial material.
Littlejohn accessed the returns on an IRS database after using broad search parameters designed to conceal the true purpose of his queries. He then evaded IRS protocols established to detect and prevent large downloads or uploads from IRS devices or systems before saving the tax returns to multiple personal storage devices, including an iPod.
Littlejohn was initially charged on information on September 29, 2023, with one count of disclosing tax return information without authorization. Generally, being charged on information means that a defendant has agreed to plead guilty and waived the right to an indictment—that's what appears to have happened here.
The following month, Littlejohn pleaded guilty to unauthorized disclosure of tax return and return information—a violation of section 7213(a)(1) of the tax code, the most serious offense for leaking tax information. In January of 2024, Littlejohn was sentenced to five years in prison for disclosing thousands of tax returns—including Donald Trump's tax returns—without authorization.
Impact
The IRS has not publicly indicated how many letters it will be sending out related to the breach, though it’s been suggested that it could be in the thousands.
Here’s what we do know. On May 1, 2023, the government filed an unopposed Motion to Provide Alternative Victim Notification Pursuant to 18 USC § 3771(d)(2) in the case. The government noted in the motion that it has identified "at least 152 victims whose tax information was published by the media as a result of the charged unauthorized disclosure." According to the Motion, the government had provided individual notifications of this investigation and the rights crime victims have under the Crime Victims' Rights Act (CVRA) to those 152 identified victims via mail and telephone calls. The government said it would continue to provide individual notifications of court hearings to those identified victims.
The government also indicated that it had information that Littlejohn disclosed the tax return information of thousands more individuals, but the media did not publish those individuals' information. The government posited that individual notification to all of the thousands of additional potential victims, many of whom the investigative agency was still trying to identify at the time, would be impractical.
The government proposed providing public notice on the Department of Justice (DOJ) website. The website, the government proposed, would give a summary of the case, information regarding the case's status, including the dates and times of hearings, and other significant case-related documents, such as the charging documents and plea agreement. The website, it said, would also contain an email address through which individual potential crime victims could contact the DOJ with questions regarding the case.
The government noted that the courts have allowed this kind of notice in several cases, including United States v. Madoff.
Alternative Notice
The Motion for alternative notice was granted on October 10, 2023, with the court finding that (1) the number of potential victims in this case makes it impracticable to provide all of the victims the rights provided under 18 USC § 3771(a); (2) the "[m]ultiple crime victims" provision of the Crime Victims' Rights Act applies to this case, id. § 3771(d)(2); and (3) the means of notifying potential victims set forth in the motion constitute a "reasonable procedure" to give effect to and ensure compliance with the notice provisions of the Act.
(You can find the website, updated in February 2024, here.)
Statutory Obligation
Under section 7431(e) of the tax code, if a person is criminally charged with unauthorized inspection or disclosure of a taxpayer's return or return information, the Secretary of the Treasury must notify the taxpayer as soon as possible. The notice must include the date of the unauthorized inspection or disclosure and the rights of the taxpayer.
The notice is not required to provide information about what specific was disclosed.
Civil Damages
Under section 7431(a), victims may be able to sue for damages for the unauthorized inspection or disclosure of their tax information. If the accused person is an officer or employee of the United States, the taxpayer may sue the United States in district court. If the accused person is not an officer or employee of the United States, the taxpayer may sue the individual.
Littlejohn was an independent contractor, and the government has argued that means that he was not an employee of the United States. That argument has yet to be fully tested in court—but it likely will be. There is a case, Kenneth Griffin v. Internal Revenue Service, currently being heard in the U.S. District Court, Southern District of Florida (Miami), where the issue is already being raised.
Griffin, the founder and Chief Executive Officer of Citadel, a global alternative investment firm, and a founder and the non-Executive Chairman of Citadel Securities, a leading global market maker, has filed suit against the IRS for “their willful and intentional failure to establish appropriate administrative, technical, and/or physical safeguards over its records system to insure the security and confidentiality of Mr. Griffin’s confidential tax return information.”
Griffin’s information was included in the data leaked to Pro Publica and he filed suit months before Littlejohn was revealed to be the leaker. After that discovery, Griffin amended his complaint, but the IRS continues to argue for dismissal, noting, “Since Littlejohn was not an officer or employee of the IRS, Mr. Griffin’s claim for damages in Count I lies not against the United States (as pleaded) under § 7431(a)(1), but rather against Littlejohn under § 7431(a)(2).” Last month, the court admitted that there were questions as to whether the claim could properly be brought, but continued to allow it, writing, “Whether the evidence ultimately supports the complaint’s allegations that Littlejohn was an IRS employee remains to be seen. But, at least for now, the Court finds the Government’s challenge to subject-matter jurisdiction falls short.”
That could open doors for future challenges. Clearly, taxpayers would prefer to file suit against the United States as opposed to Littlejohn, who is currently spending time in jail—there’s no indication that he would have assets sufficient to pay damages.
Written Notice
It's unclear why the IRS is now sending out notices, but taxpayers are reporting that they have received Letter 6613-A, IRC 7431(e) Notification Letter. As noted earlier, the IRS is required to notify taxpayers when any person has been criminally charged with the unauthorized disclosure or inspection of taxpayer returns or return information in violation of section 6103. The most common result is a form letter, Letter 6613.
In this case, Letter 6613-A indicates that an IRS contractor has been charged with the unauthorized disclosure or inspection of the taxpayer’s tax return or return information. The letter indicates that an IRS independent contractor—not named in the letter, but clearly referencing Littlejohn—was charged with the unauthorized disclosure of the taxpayer's information between 2018 and 2020.
The letter then directs taxpayers to the statute, a copy of which is enclosed with the letter, and advises taxpayers about the Crime Victims' Rights Act (CVRA). You can find out more about the CVRA here.
The letter includes a link to the website related to the Littlejohn case and, as noted in the government's Motion, provides an email address for the DOJ if taxpayers need more information.
Finally, the letter recommends consulting with an attorney if taxpayers have questions. As noted on the website, "Although the statute specifically sets forth your right to seek advice of an attorney with regard to your rights under the statute, there is no requirement that you retain counsel. The Government may not recommend any specific counsel, nor can the Government (or the Court) pay for counsel to represent you. Government attorneys represent the United States."
Damages
One of the primary issues in a civil suit will be whether—and how much—damages might have been suffered. That's difficult for some taxpayers since the extent of the disclosures may not be initially known. And, importantly, the taxpayers would have to prove that Littlejohn was responsible for the damages.
By statute, under section 7431(c), damages are limited to the greater of $1,000 for each act of unauthorized inspection or disclosure or the actual damages. If the disclosure was willful—as here—the taxpayer may also be entitled to punitive damages. Taxpayers may also be entitled to costs and reasonable attorney fees (with the caveat that if the suit is filed against the United States, reasonable attorney fees may be awarded only if the taxpayer wins).
Taxpayer Protection
A data breach like this one—where accessing taxpayers' accounts for financial gain wasn't the primary goal—doesn't necessarily mean your personal information is at risk. As the IRS notes, "Not every data breach will result in identity theft, and not every identity theft is tax-related identity theft."
Taxpayers who have concerns about what data might have been compromised and whether there is a risk moving forward should consult with a tax professional.
The IRS encourages those taxpayers—and, in fact, "everyone"—to opt-in to the Identity Protection Personal Identification Number (IP PIN) program. If you don't have an IP PIN, you can get one by going to irs.gov/ippin. If you can’t get one online, you can schedule an appointment at your closest Taxpayer Assistance Center by calling 1-844-545-5640. You can also file Form 15227 to apply for an IP PIN by mail or fax—however, to qualify to file a paper form by mail or fax, your adjusted gross income on your last filed return must be below $79,000 for individuals or $158,000 for married taxpayers filing jointly. For more, check out irs.gov/ippin.
Tax Breaks: Timely tax tips and the latest news delivered to your inbox weekly
