(Maybe. Such a lawyerly answer!)
By now, you have probably heard that possible Russian hackers stole sensitive personal information from the IRS website in at least 104,000 successful attempts over a period of three months or more. It has been reported that the stolen information may have led to at least $50 million in fraudulent tax refunds. Further, the stolen information exposes the affected taxpayers to the real danger of identity theft. The true loss to affected taxpayers may be much higher.
Some of you may ask: can I sue the IRS if I was affected? That’s a fair question. We tremble at the idea that the IRS will come after our wallets with penalties and interest when we make an honest mistake; wouldn’t it be nice to go after the IRS for its blunder? As is intuitive to most of you, if a private company suffered such a breach, there surely would be lawsuits and settlements ahead. But is the IRS, as a part of the federal government, vulnerable to civil legal actions? The question is a complicated one, and I will attempt to provide some color below.
Liability
Historically, the United States has enjoyed “sovereign immunity,” which means that the federal government is immune to liability that may otherwise be applied to private parties. You can’t sue the king who can do no wrong, so to speak.
Sensing that this principle does not exactly agree with the idea of democracy, Congress in 1946 enacted the Federal Tort Claims Act (the “FTCA”) to allow citizens to sue the federal government under a limited set of circumstances. In other words, when the government screws up, it should be held responsible.
The FTCA allows federal district courts to hear certain tort claims against the federal government. Very often, the claims involve simple negligence. There are several basic requirements, most importantly:
- The federal government cannot be sued unless you can sue a private individual under state law in similar situations.
- The federal government cannot be sued for a “discretionary function.” What is a “discretionary function” is a hotly contested topic. But generally and simply, a “discretionary function” is a value judgment that a government official is authorized to make one way or another, such as whether to buy optional software upgrades.
- The federal government cannot be sued for the intentional wrongdoing of its employees or agents.
Yes, those are some pretty hard hurdles to get over, but it can happen. Past successful cases under the FTCA have mostly involved negligence claims where the federal government failed to carry out, or negligently carried out, some required duty and caused damages to citizens. The cases involve a diverse set of circumstances, as you can imagine.
Applicable Claims
Now that we have a general understanding of what the federal government’s tort liability looks like, you must want to know: how does that apply to the situation at hand?
First, there may be a claim for privacy violations. Although federal agency practices are covered under the Privacy Act 1972, federal courts have held that the Privacy Act is not meant to be the exclusive remedy for certain privacy violations. Therefore, cases claiming invasion of privacy have gone forward under the FTCA based on state privacy law grounds.
Second, many states have enacted laws protecting citizens against data breaches at private companies. Others have relied on common law principles to hold private companies accountable for data breaches. Examples of lawsuits and settlements are many.
Elements of a Tort Claim
So exactly how does a tort case work? In order to succeed at a tort claim, a plaintiff must prove (1) there is a duty, (2) the defendant breached the duty, (3) the defendant’s negligence caused the damage, and (4) there is recoverable damage.
In this case, the IRS certainly had a duty to keep taxpayers’ information safe. Many states have enacted privacy laws requiring private companies and individuals to safeguard sensitive personal and financial information. The common law invasion of privacy tort likely also covers the release of sensitive personal information in most jurisdictions. Lawsuits and settlements arising out of data breaches at private companies are numerous and will only increase as more and more of our daily lives move online.
Second, depending on the circumstances, the IRS may have breached its duty to safeguard taxpayers’ information by failing to detect, prevent, or remedy both the taking of personal information from its website and the filing of fraudulent tax returns. Of course, there are a lot of facts we are not privy to, and any possible case must necessarily involve intensive investigations. However, it is possible that the number of taxpayers affected, the length of time the hackers were able to exploit the system, and the delay the IRS experienced before detecting and remedying the breach can support a claim that the IRS breached its duty.
Third, there must be evidence that the IRS’s actions or omissions caused taxpayers’ damages. The evidence can only be discovered through an extensive discovery process.
Fourth, there must be recoverable damages. Since the IRS has reported that at least $50 million has been lost, damages exist. Further, there are financial damages that taxpayers may experience as a result of the data breach when their identities are used to open fraudulent accounts.
Closing Thoughts
Because the breach involves the Internet, sophisticated technologies, and possible foreign hackers, many complicated legal issues are involved. It would not be easy for any claim against the IRS to succeed, if it is possible at all. However, there seems to be a way to file a legal claim in court against the IRS under the FTCA. Even if ultimate victory proves to be elusive, it would at least serve to discover what really transpired behind the scenes at the IRS and serve as a notice that it must do a better job at protecting our sensitive data going forward.
Doing nothing would be like giving the IRS a free pass. And I know how much you all love giving the IRS freebies.