[Senate Hearing 114-322]
[From the U.S. Government Publishing Office]








                                                        S. Hrg. 114-322

   INTERNAL REVENUE SERVICE DATA THEFT AFFECTING TAXPAYER INFORMATION

=======================================================================

                                HEARING

                               before the

                          COMMITTEE ON FINANCE
                          UNITED STATES SENATE

                    ONE HUNDRED FOURTEENTH CONGRESS

                             FIRST SESSION

                               __________

                              JUNE 2, 2015

                               __________





[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]






                                     
                                     

            Printed for the use of the Committee on Finance
                                   ______

                         U.S. GOVERNMENT PUBLISHING OFFICE 

20-598-PDF                     WASHINGTON : 2016 
-----------------------------------------------------------------------
  For sale by the Superintendent of Documents, U.S. Government Publishing 
  Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; 
         DC area (202) 512-1800 Fax: (202) 512-2104 Mail: Stop IDCC, 
                          Washington, DC 20402-0001

















                          COMMITTEE ON FINANCE

                     ORRIN G. HATCH, Utah, Chairman

CHUCK GRASSLEY, Iowa                 RON WYDEN, Oregon
MIKE CRAPO, Idaho                    CHARLES E. SCHUMER, New York
PAT ROBERTS, Kansas                  DEBBIE STABENOW, Michigan
MICHAEL B. ENZI, Wyoming             MARIA CANTWELL, Washington
JOHN CORNYN, Texas                   BILL NELSON, Florida
JOHN THUNE, South Dakota             ROBERT MENENDEZ, New Jersey
RICHARD BURR, North Carolina         THOMAS R. CARPER, Delaware
JOHNNY ISAKSON, Georgia              BENJAMIN L. CARDIN, Maryland
ROB PORTMAN, Ohio                    SHERROD BROWN, Ohio
PATRICK J. TOOMEY, Pennsylvania      MICHAEL F. BENNET, Colorado
DANIEL COATS, Indiana                ROBERT P. CASEY, Jr., Pennsylvania
DEAN HELLER, Nevada                  MARK R. WARNER, Virginia
TIM SCOTT, South Carolina

                     Chris Campbell, Staff Director

              Joshua Sheinkman, Democratic Staff Director

                                  (ii)
























                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page
Hatch, Hon. Orrin G., a U.S. Senator from Utah, chairman, 
  Committee on Finance...........................................     1
Wyden, Hon. Ron, a U.S. Senator from Oregon......................     3

                               WITNESSES

Koskinen, Hon. John A., Commissioner, Internal Revenue Service, 
  Washington, DC.................................................     5
George, Hon. J. Russell, Treasury Inspector General for Tax 
  Administration, Department of the Treasury, Washington, DC.....     7

               ALPHABETICAL LISTING AND APPENDIX MATERIAL

George, Hon. J. Russell:
    Testimony....................................................     7
    Prepared statement...........................................    37
    Responses to questions from committee members................    42
Hatch, Hon. Orrin G.:
    Opening statement............................................     1
    Prepared statement...........................................    44
Koskinen, Hon. John A.:
    Testimony....................................................     5
    Prepared statement...........................................    46
    Responses to questions from committee members................    49
Roberts, Hon. Pat:
    ``I.R.S. Data Breach May Be Sign of More Personalized 
      Schemes,'' by Patricia Cohen, New York Times, May 28, 2015.    63
Wyden, Hon. Ron:
    Opening statement............................................     3
    Prepared statement...........................................    65

                                 (iii)
 
   INTERNAL REVENUE SERVICE DATA THEFT AFFECTING TAXPAYER INFORMATION

                              ----------                              


                         TUESDAY, JUNE 2, 2015

                                       U.S. Senate,
                                      Committee on Finance,
                                                    Washington, DC.
    The hearing was convened, pursuant to notice, at 10 a.m., 
in room SD-215, Dirksen Senate Office Building, Hon. Orrin G. 
Hatch (chairman of the committee) presiding.
    Present: Senators Grassley, Crapo, Roberts, Enzi, Cornyn, 
Thune, Isakson, Heller, Scott, Wyden, Stabenow, Nelson, Carper, 
Cardin, Bennet, and Casey.
    Also present: Republican Staff: Chris Campbell, Staff 
Director; Kimberly Brandt, Chief Healthcare Investigative 
Counsel; Chris Armstrong, Deputy Chief Oversight Counsel; and 
Justin Coon; Detailee. Democratic Staff: Adam Carasso, Senior 
Tax and Economic Advisor; Dave Berick, Chief Investigator; 
Michael Evans, General Counsel; Daniel Goshorn, Investigative 
Counsel; and 
Joshua Sheinkman, Staff Director.

 OPENING STATEMENT OF HON. ORRIN G. HATCH, A U.S. SENATOR FROM 
              UTAH, CHAIRMAN, COMMITTEE ON FINANCE

    The Chairman. The committee will come to order.
    Our hearing today concerns recent revelations that the 
Internal Revenue Service was the target of an organized service 
breach aimed at roughly 200,000 taxpayer accounts. We 
understand that over 100,000 of these breaches were successful, 
with cyber-criminals obtaining confidential taxpayer 
information from the agency's Get Transcript application.
    In dealing with this breach here in the Senate, this 
committee stands alone, having legislative jurisdiction over 
the Internal Revenue Code, oversight jurisdiction over the IRS, 
and wide-ranging abilities to conduct investigations dealing 
with individual taxpayer information.
    While I have raised questions in the past about the way the 
IRS prioritizes its spending, today's hearing is about finding 
out how criminals stole vast amounts of taxpayer information. 
Any questions regarding funding levels for the agency should 
wait until we have a complete understanding about what 
occurred.
    Before we turn to the technological issues, let us focus 
for a moment on the victims. Because of this breach, criminals 
were able to get personal information about roughly 104,000 
taxpayers, potentially including Social Security Numbers, bank 
account numbers, and other sensitive information. These 
taxpayers, and their families, must now begin the long and 
difficult process of repairing their reputations. And they must 
do so with the knowledge that the thieves who stole their data 
will likely try to use it to perpetrate further fraud against 
them.
    Commissioner Koskinen, put simply, your agency has failed 
these taxpayers.
    This hearing is of utmost importance as we work to find out 
what individuals and organizations were behind this breach; 
discover how this breach occurred and what steps the IRS might 
have taken to prevent it; find out what taxpayer information 
was compromised and how this may affect both taxpayers and tax 
administration going forward; and determine what tools and 
resources are necessary to better protect taxpayers, catch 
cyber-criminals, and prevent this type of breach from being 
successful in the future. Most of all, we must pledge to work 
together to make sure that this type of breach does not happen 
again.
    The secure movement of information is the lifeblood of 
international commerce and a necessary predicate for efficient 
government administration. Unfortunately, this information is 
also highly valuable to criminals.
    We see it in the headlines nearly every week: a major 
insurance company, bank, or retailer has its information 
security compromised, and personal information or corporate 
data is stolen. Federal departments, especially defense-related 
agencies, come under attack each and every day.
    The IRS is not, and will never be, exempted from this 
constant threat. In fact, there is reason to believe the IRS 
will be more frequently targeted in the future. After all, the 
IRS stores highly sensitive information on each and every 
American taxpayer, from individual taxpayers to large 
organizations, and from mom-and-pop businesses to multinational 
corporations. The challenge of data security matters a great 
deal to every single taxpayer and will continue to be a central 
challenge to tax administration in the coming years.
    Of course, data security and the protection of taxpayer 
information are of the highest importance in the prevention of 
stolen identity refund fraud. Identity theft, and the resulting 
tax fraud, costs taxpayers billions of dollars every year, and, 
once it occurs, it can take months or years for a taxpayer to 
mitigate the damage.
    It was out of concern over stolen identity refund fraud 
that Ranking Member Wyden and I quietly launched an 
investigation earlier this year, requesting information and 
documents from the country's largest tax return preparers and 
debit card companies.
    We look forward to working with the IRS as we move forward 
with this investigation and consider policy changes. We also 
look forward to hearing the report from your preparer working 
groups, and the committee looks forward to weighing in on those 
matters in the near future.
    So I welcome our witnesses today, IRS Commissioner Koskinen 
and Inspector General George. Commissioner Koskinen, earlier 
this year, when I first welcomed you before the committee as 
chairman, I noted that I hoped it would be the beginning of a 
new chapter in the long, historic relationship between the 
Internal Revenue Service and the Senate Finance Committee. I 
said that because the issues before us are too great for that 
relationship to be anything but open, honest, and productive.
    Today's topic is a great example of why that relationship 
is so important. Cyber-threats will only continue to grow, and 
those types of threats go to the core of our voluntary tax 
system. We must work together to figure out what really has 
happened, what went wrong in allowing the breach to occur, and 
how we can prevent another successful attack from taking place 
in the future.
    Finally, I would like to acknowledge that today's hearing 
occurs during somewhat unusual circumstances. The issue before 
us is the subject of several recently opened investigations, 
including a criminal investigation conducted by TIGTA. I 
caution members of the committee to be sensitive to these 
investigations when asking questions of the witnesses and be 
aware that they may not be able to provide full answers to 
every question in this public forum. In spite of these 
limitations, it is important to discuss this matter today as 
fully and candidly as possible.
    [The prepared statement of Chairman Hatch appears in the 
appendix.]
    The Chairman. With that, I would like to turn to Senator 
Wyden for his opening remarks.

             OPENING STATEMENT OF HON. RON WYDEN, 
                   A U.S. SENATOR FROM OREGON

    Senator Wyden. Thank you very much, Mr. Chairman. Mr. 
Chairman, I look forward to working with you and all our 
colleagues on what is another important and bipartisan concern 
for this committee.
    Three months ago, the Finance Committee met in a hearing on 
the latest ID thefts and other scams plaguing taxpayers, and I 
said then that that wave of attacks sure looks to me like 
organized crime. Today, we meet after 104,000 tax returns have 
been hoovered up by what appears to be a sophisticated 
organized crime syndicate.
    The problem continues to spiral, with hackers targeting 
Federal agencies, State governments including my own, and 
private companies alike, to steal money and data. One report 
from the Department of Homeland Security said Federal agencies' 
computer systems come under attack hundreds of times a day, 
tens of thousands of times a year.
    The investigation of the stolen tax returns is ongoing as 
of this morning. But once again, it seems that the thieves are 
a step ahead of the authorities. They gained access to enormous 
amounts of personal data, which is up for purchase at 
extraordinary cost in the Internet's shadowy corners. These 
rip-off artists used that data to slip past the security 
filters at the IRS and steal taxpayers' most sensitive 
financial information. So it is my view that it is fair to say 
once again that this conduct fits the definition of ``organized 
crime.''
    The thieves who steal taxpayer information could wipe out 
people's life savings and leave them in financial ruin. They 
could falsify tax returns next year or further down the road. 
They could take out huge, fraudulent home or student loans. And 
on a bigger scale, the money stolen in this cyber-crime wave 
could be funneled into yet more criminal activity. It could 
wind up in war zones. There is a possibility it could be used 
to fund acts of terror without being traced.
    Just like when the White House and the Department of 
Defense were targeted in the past, this was an attack on the 
security of Americans. I will be very direct about what is 
needed here. To protect taxpayers from this onslaught of cyber-
crime, the IRS needs a 21st-century IT system.
    Now, this is not just a question of resources, and it is 
certainly not a lack of commitment from the IRS staff. It is 
also a question of expertise. The era of punch cards and paper 
forms ended long ago. Federal agencies like the IRS need to tap 
into the expertise of our leading technology firms, our leading 
web firms--the pros who serve not millions or tens of millions 
but hundreds of millions of users.
    This expertise will allow the IRS to avoid the pitfalls of 
the past and to implement a 21st-century IT system that 
protects taxpayers' privacy, catches the hackers and the 
cheats, and funds our government as efficiently as possible. 
When that system is in place, the Congress has to step up and 
provide the funds necessary to manage those functions 
effectively.
    Legislators would not call for the Department of Defense or 
White House security budgets to be slashed after cyber-attacks, 
but the IRS's security funding has been shrinking for years. No 
company would try to defend against modern cyber-criminals with 
technology that is 20 or 30 years old, but that is what the IRS 
is stuck using in the absence of the expertise and resources to 
serve the American taxpayer.
    The Congress must also make sure that the IRS has the 
information it needs to mount the strongest possible fight 
against the fraudsters. If the IRS had access to the data on W-
2 and 1099 forms from the beginning of tax season, it would be 
much easier to catch fraudulent returns early and save 
taxpayers the nightmare of a stolen refund. Chairman Hatch and 
I have developed a bipartisan proposal to add an extra level of 
security by expanding the program that distributes unique 
passwords for individual taxpayers to use when they file. And 
when the taxpayer does become a victim of fraud, they ought to 
get more help undoing the damage more quickly and restoring 
their credit.
    It ought to be clear to all that beefing up cyber-security 
at the IRS ought to be a top priority and draw on the 
technology expertise that exists in my home State and in States 
across the land. It is my hope that our hearing today will set 
aside once again the politics of these issues and focus on 
bipartisan, fresh ideas of how to best protect our taxpayers.
    Thank you, Mr. Chairman, and I look forward to working with 
you.
    The Chairman. Thank you, Senator.
    [The prepared statement of Senator Wyden appears in the 
appendix.]
    The Chairman. Our first witness today is IRS Commissioner 
John Koskinen. Commissioner Koskinen has been serving as the 
head of the Internal Revenue Service since December 2013. Mr. 
Koskinen's extensive public- and private-sector experience has 
prepared him to confront the many challenges facing the IRS. I 
have a great deal of confidence in Commissioner Koskinen.
    I want to thank you, Commissioner, for being here with us 
today.
    Let me introduce our second witness as well, and then we 
will have you give your statements.
    Our second witness today is Inspector General Russell 
George, the Treasury Inspector General for Tax Administration, 
or TIGTA. Inspector General George has been serving as the head 
of TIGTA since 2004. Mr. George has extensive public-sector 
experience, including working for the House of Representatives' 
Committee on Government Reform and Oversight.
    I have a great deal of respect for you also, Mr. George, 
and I want to thank you, Mr. Inspector General, for being here 
today.
    So if you will, Commissioner Koskinen, we will start with 
you. We hope you can keep your remarks within 5 minutes, 
because I am sure we are going to have a lot of questions.

  STATEMENT OF HON. JOHN A. KOSKINEN, COMMISSIONER, INTERNAL 
                REVENUE SERVICE, WASHINGTON, DC

    Commissioner Koskinen. Chairman Hatch, Ranking Member 
Wyden, and members of the committee, thank you for the 
opportunity to appear before you today to provide information 
on the recent unauthorized attempts to obtain taxpayer data 
through the IRS's Get Transcript online application.
    Securing our systems and protecting taxpayer information 
are top priorities for the IRS. Even with our constrained 
resources as a result of repeated decreased funding over the 
past few years, we continue to devote significant time and 
attention to this challenge. At the same time, it is clear that 
criminals have been able to gather increasing amounts of 
personal data as the result of data breaches at sources outside 
the IRS, which makes protecting taxpayers increasingly 
challenging and difficult.
    The unauthorized attempts to access information using the 
Get Transcript application were made on approximately 200,000 
taxpayer accounts from questionable e-mail domains, and the 
attempts were complex and sophisticated in nature. The attempts 
were made using taxpayers' personal information already 
obtained from sources outside the IRS.
    It should be noted that the third parties who made these 
unauthorized attempts to obtain tax account information did not 
attempt to gain access to the main IRS computer system that 
handles tax filing submissions. The main IRS computer system 
remains secure, as do other online IRS applications such as 
``Where's My Refund?''
    To access Get Transcript, taxpayers must go through a 
multistep authentication process to prove their identity. They 
must first submit personal information, such as their Social 
Security Number, date of birth, tax filing status, and home 
address. The taxpayer then receives an e-mail from the Get 
Transcript system containing a confirmation code that they 
enter to access the application and request a transcript.
    Before the request is processed, the taxpayer must respond 
to several so-called out-of-wallet questions designed to elicit 
information that only the taxpayer would normally know, such as 
the amount of their monthly mortgage or car payment.
    During the middle of May, our cyber-security team noticed 
unusual activity on the Get Transcript application. At the 
time, our team thought this might be a ``denial of service'' 
attack, where hackers try to disrupt a website's normal 
functioning. They ultimately uncovered questionable attempts to 
access the Get Transcript application.
    Of the approximately 100,000 successful attempts to access 
the Get Transcript application, only 13,000 possibly fraudulent 
returns were filed for tax year 2014, for which the IRS issued 
refunds totaling $39 million. We are still determining how many 
of these returns were filed by actual taxpayers and which were 
filed using stolen identities.
    For now, our biggest concern is for the affected taxpayers 
to make sure they are protected against fraud in the future. We 
have marked the accounts of the 200,000 taxpayers whose 
accounts were attacked by outsiders to prevent someone else 
from filing a tax return in their name, both now and in 2016. 
Letters have already gone out to the approximately 100,000 
taxpayers whose tax information was successfully obtained by 
unauthorized third parties. We are offering credit monitoring 
at our expense to this group of taxpayers. We are also giving 
them the opportunity to obtain an Identity Protection Personal 
Identification Number, or IP PIN as it is known. This will 
further safeguard their IRS accounts.
    We are also in the process of writing to the 100,000 
taxpayers whose accounts were not accessed to let them know 
that third parties appear to have gained access from outside 
the IRS to personal information such as their Social Security 
Numbers and other information. We want them to be able to take 
steps to safeguard that data. The Get Transcript application 
has also been taken down while we review options to make it 
more secure without rendering it inaccessible to legitimate 
taxpayers.
    The problem of criminals using stolen personal information 
to impersonate taxpayers is not a new one. The problem of tax 
refund fraud exploded from 2010 to 2012. Since then, we have 
been making steady progress both in terms of protecting against 
fraudulent refund claims and prosecuting those who engage in 
this crime. Over the past few years, almost 2,000 individuals 
were convicted in connection with refund fraud related to 
identity theft.
    Additionally, as our processing filters have improved, we 
have also been able to stop more suspicious returns at the 
door. This past filing season, our fraud filters stopped almost 
3 million suspicious returns before processing, an increase of 
over 700,000 from the year before. But the criminals continue 
to become more sophisticated and creative. For that reason, as 
the chairman noted, we recently held a sit-down meeting with 
the leaders of the tax software and payroll industries and 
State tax administrators. We all agreed to build on our 
cooperative efforts of the past and find new ways to leverage 
this public-private partnership to help battle identity theft. 
We expect to announce more details shortly.
    Congress plays an important role too, and can help by 
approving the President's 2016 budget request, which provides 
for $101 million specifically devoted to identity theft and 
refund fraud. And as Senator Wyden noted, a key legislative 
request, among others in the budget, is a proposal to 
accelerate information return filing dates generally to January 
31st of the year following the year for which the information 
is being reported. That would assist the IRS in identifying 
fraudulent returns and reduce refund fraud related to identity 
theft.
    Chairman Hatch, Ranking Member Wyden, and members of the 
committee, this concludes my statement, and I would be happy to 
answer your questions.
    [The prepared statement of Commissioner Koskinen appears in 
the appendix.]
    The Chairman. Well, thank you, Mr. Koskinen.
    I will turn to Mr. George.

STATEMENT OF HON. J. RUSSELL GEORGE, TREASURY INSPECTOR GENERAL 
FOR TAX ADMINISTRATION, DEPARTMENT OF THE TREASURY, WASHINGTON, 
                               DC

    Mr. George. Thank you, Chairman Hatch, Ranking Member 
Wyden, members of the committee. Thank you for the opportunity 
to discuss the data breach that occurred at the Internal 
Revenue Service.
    On May 26, 2015, the IRS announced that criminals had used 
taxpayer-specific data acquired from non-IRS sources to gain 
unauthorized access to information on approximately 100,000 tax 
accounts through the IRS's Get Transcript application. Our 
Office of Investigations continues to investigate this 
incident, coordinating with other Federal enforcement agencies.
    According to reports we received from the IRS, which we 
have not yet validated, an individual or individuals succeeded 
in clearing an authentication process that required knowledge 
of prior information about the taxpayer, including Social 
Security Number, dates of birth, tax filing status, street 
addresses, as well as answers to personal identity verification 
questions that typically only the taxpayer would know.
    Security of taxpayer data has been designated by TIGTA as 
the top concern facing the IRS since fiscal year 2011. Due to 
the significant risks in this area, we currently have an audit 
underway to assess the IRS's processes for authenticating 
taxpayers at the time the tax returns are processed and when 
accessing IRS services.
    Information obtained from data breaches in recent years and 
increased availability of personal information on the Internet 
have resulted in a weakening of controls used to authenticate 
individuals accessing personal data. The risk for this type of 
unauthorized access to tax accounts will continue to grow as 
the IRS focuses its efforts on delivering taxpayers' self-
assisted, interactive online tools. More avenues for online 
assistance also mean more opportunities for exploitation by 
hackers and greater risk to the IRS and taxpayers.
    In prior audits, we have identified a number of areas in 
which the IRS could better protect taxpayer data and improve 
its overall security posture. For example, we found that the 
IRS had not always applied high-risk computer security 
upgrades, known as ``patches,'' to help ensure IRS systems were 
protected and operated securely.
    In another audit, we found that the IRS office responsible 
for addressing cyber-attacks was not monitoring a significant 
percentage of IRS servers, which puts the IRS's networks, data, 
and applications at risk.
    The IRS is continuously under attack by those using the tax 
administration system for personal gain in various ways. These 
attacks and the methods used to perpetrate them are constantly 
changing and require constant monitoring by the IRS. Two of the 
most pervasive frauds currently being perpetrated that impact 
tax administration are the phone impersonation scheme and 
identity theft.
    In summary, the IRS faces the daunting task of protecting 
its data and IT environment from the ever-changing and rapidly 
evolving hacker world. This incident that is the subject of the 
hearing provides a stark reminder that even security controls 
that may have been adequate in the past can be overcome by 
hackers, who are anonymous, persistent, and have access to vast 
amounts of personal data and knowledge. The IRS needs to be 
even more vigilant in protecting the confidentiality of 
sensitive taxpayer data. Otherwise, as shown by this incident, 
taxpayers can be exposed to the loss of privacy and to 
financial damages resulting from identity theft or other 
financial crimes.
    We at TIGTA are committed to our mission of ensuring an 
effective and efficient tax administration system and 
preventing, detecting, and deterring waste, fraud, and abuse. 
As such, we plan to provide continuing audit and investigative 
coverage of the IRS's efforts to effectively protect sensitive 
taxpayer data and investigate any instances of attempts to 
corrupt or otherwise interfere with tax administration.
    Chairman Hatch, Ranking Member Wyden, and members of the 
committee, thank you for the opportunity to share my views.
    [The prepared statement of Mr. George appears in the 
appendix.]
    The Chairman. Well, thank you, Mr. George.
    Let me start with you, Inspector General George. In your 
written testimony, you said that TIGTA has designated the 
security of taxpayer data as the top concern facing the IRS in 
every year since 2011, as you stated here today. But in spite 
of your concerns, the IRS has not implemented many of TIGTA's 
audit recommendations about how the IRS can strengthen its IT 
security.
    You noted that as of March 2015, the IRS had not 
implemented 44 of TIGTA's audit recommendations about 
information technology security, 10 of which were more than 3 
years old. Beyond that, the IRS had disagreed with another 10 
recommendations about IT security.
    Mr. Inspector, if the IRS had fully implemented TIGTA's 
past recommendations about IT security, do you believe that the 
recent attacks on the Get Transcript application would have 
been successful?
    Mr. George. I cannot at this stage, Mr. Chairman, give you 
a definitive answer as to whether or not it would have been 
possible. But I can say it would have been much more difficult 
had they implemented all of the recommendations that we made.
    The Chairman. Thank you.
    Mr. Commissioner, in your testimony, you acknowledge that 
the use of stolen identities to perpetrate tax fraud has really 
exploded in recent years. Now, due to the theft of personal 
information from your agency, there are more than 100,000 new 
identities on the international black market, and as many as 
13,000 new fraudulent returns have been filed, at a cost to 
taxpayers of up to $39 million.
    When it comes to identity theft and tax fraud, I do not 
think we can adopt a ``pay and chase'' mentality, or we will 
lose every single time. Stolen identities are a significant 
problem, but also not a problem that your agency can solve on 
its own. What your agency can solve is the ease with which 
criminals then use this stolen information to obtain fraudulent 
tax refunds.
    News reports indicate that the recent IRS identity thieves 
may have been in Russia. Two years ago, TIGTA found large 
numbers of fraudulent refunds issued to Bulgaria, Lithuania, 
and China.
    Now, I am not asking you to speak about the new 
investigation, but can either of you tell the committee about 
what more can be done to stop these thieves from robbing the 
Treasury both at home and abroad? And do you feel like you have 
received the adequate cooperation of the Justice Department and 
others in finding and stopping these perpetrators?
    Commissioner Koskinen. Well, it is, as noted, an 
increasingly complicated challenge everyone faces in the 
financial world. I would just note, as a correction, there are 
not 104,000 new stolen identities. Those identities were stolen 
before the transcripts were accessed. What is available now is, 
for those transcripts out there, more details to go along with 
those stolen identities, and that is part of the problem. As 
there are breaches across the private sector or across the 
economy, all of that data is being collected by organized 
criminals who have a database in what is the so-called dark net 
that exceeds the amount of data that is in the regular web that 
we all use. So it is, as the Inspector General says, an 
increasingly complicated challenge. What worked yesterday, what 
worked a year ago, may not be working anymore today. So you 
continually have to attack that problem.
    We work very closely with the Inspector General and value 
their input, and, in fact, in many cases we ask them to do 
tests, to do reviews and audits of the security and the IT 
systems as we go forward.
    In response to your question, we have looked at that in 
terms of the suggestions made about improvements we could make. 
Virtually all of the reports we have had recently have 
appropriately looked at our security with regard to our basic 
database. Those reports and those recommendations did not deal 
with the e-authentication process for this website. The problem 
with the e-authentication process for the website is, what was 
a perfectly good security mechanism that was used by private-
sector financial institutions and others, as the Inspector 
General says, is being overtaken by events.
    The Chairman. In too many cases, foreign criminals are 
reaching into the Federal Treasury from abroad. Now, do you get 
adequate cooperation from foreign governments?
    Commissioner Koskinen. Well, we get very good cooperation 
from the Justice Department. As I noted, with our Criminal 
Investigation Division, and working with TIGTA, we have thrown 
almost 2,000 people in jail. Our resources there--we have 300 
fewer criminal investigators than we had 4 or 5 years ago.
    It is a problem when you find, as we do, that an increasing 
number of the attacks are coming from criminal syndicates in 
Eastern Europe and Asia. Extradition, finding, tracking those 
people down, is much more difficult, and, as a general matter, 
we do not get a lot of cooperation.
    The Chairman. Okay. Senator Wyden?
    Senator Wyden. Thank you very much.
    Commissioner, at a hearing in March, I pointed out that 
with the increased sophistication of those involved in taxpayer 
ID theft, it looked to me like the work of organized crime. I 
understand that you have since stated that most of taxpayer ID 
theft involves organized crime. You also said that the recent 
taxpayer ID theft involved bulk attempts to access taxpayer 
records.
    Now, I know the investigation of this latest ID theft is 
ongoing, but from what I have seen thus far, it sure looks to 
me like this attack was undertaken by an organized crime 
syndicate that already had access to enormous amounts of data 
on U.S. taxpayers. Would you agree?
    Commissioner Koskinen. I would. As I said, there is an 
unimaginable amount of personal data in the hands of criminals 
as a result of data breaches across the economy, not only here 
but criminal syndicates around the world, in Eastern Europe and 
in Asia. And the battle is becoming increasingly more 
difficult, not just for us but for everyone in the private 
sector. In many ways, this event is a shot across the bow to 
remind people of the nature of the battle we are fighting and 
the sophistication of the enemy.
    Senator Wyden. And would you then say, given that you said 
you agreed with my description of the threat, that your 
challenge is making sure you are in a position to have a game 
plan so you can stay ahead of these increasingly sophisticated 
threats to our taxpayers?
    Commissioner Koskinen. Right. Whether we are ever going to 
be able to stay ahead or not is the challenge. Our goal right 
now is to try to make sure that we are at least even with them 
in understanding what is going on and being able to protect 
taxpayer data and taxpayers from these ongoing attacks.
    Senator Wyden. Let us talk for a few minutes then about the 
game plan that you would have to have. As I say, I think the 
sophistication of these organized crime syndicates is such 
that, whenever you close this door, they look for the next one, 
and that is why I talked about how we are going to try to take 
them on.
    It seems to me it comes down to having the people who have 
the skills and experience to combat the threats, the critical 
pay authority to be able to hire them, and sufficient funding 
to upgrade the IRS computer security systems.
    Are those generally the elements of the kind of strategy 
that you want to have?
    Commissioner Koskinen. Those cover most of the significant 
points, particularly what we call the streamlined critical pay. 
It is a small number of people whom we are authorized to hire, 
but it allows--our present head of Information Technology is on 
streamlined critical pay. That program worked for about 14 
years, but it was not extended 2 years ago. I was just talking 
to our IT head. We had two very senior, sophisticated IT people 
we could not hire because they did not want to go through the 
normal government process.
    So it is critical to us. It is a total authorization of 40. 
We had 29 when I started; we are down to 16 as that program 
runs off. A key member of our cyber-security unit is on 
critical pay. Our Online Services Program Director was hired 
through streamlined critical pay authority. So that authority 
is critical for the small number of people we need who are 
going to be world-class experts at dealing, not only with 
technology, but with security.
    Senator Wyden. What does this committee need to do--because 
you have heard Chairman Hatch and I indicate we want to work 
with you on a bipartisan basis to address this. What does this 
committee need to do to assist you in executing this game plan 
to make sure, for example, you have an adequate number of 
people in cyber and these kinds of issues?
    Commissioner Koskinen. Well, I appreciate the chairman's 
note that we need to work on this together. This is not an 
issue that has a political overtone to it. This is a challenge 
that faces every American, faces every company in this country.
    As I noted, if we could get W-2s and information returns 
earlier, it would allow us to be more effective in protecting 
against identity theft. To the extent that we could get 
authority to, in fact, adjust the way Social Security Numbers 
are produced on W-2s, it would help us ensure that those W-2s 
are not fraudulent.
    There are other legislative supporting issues, including 
streamlined critical pay, that would be very helpful. And, 
obviously, I think the chairman is right. We have not made a 
point in this presentation that budget is an issue, but we are 
running an antiquated system with some applications that are 50 
years old. In some cases, as the IG noted, we have not even 
been able to provide patches for all of the upgrades. Some of 
our systems do not have patches because they are no longer 
supported by the providers.
    So we obviously do need jointly to figure out what it takes 
to make sure that this system is able to protect people.
    Senator Wyden. Commissioner, thank you. It just is clear to 
me that if you have IT from the Dark Ages, you are not going to 
be able to stay on top of these kinds of problems. So I am 
committed to working with you, and I also mentioned in my 
opening statement there are some very good people in the 
technology sector, people who run major tech firms, whom I 
think would also be available to work with you all. So we are 
committed to making sure that you understand there is a 
bipartisan effort to help you put that game plan in place.
    Thank you, Mr. Chairman.
    The Chairman. Thank you.
    Senator Grassley?
    Senator Grassley. First of all, Mr. Koskinen, I thank you 
for coming for this conversation, and the reason for that is 
that the theft of personal private tax information of over 
100,000 taxpayers is deeply concerning, because our whole tax 
system is based on the proposition of voluntary compliance and 
privacy and all that.
    So I am asking about a letter I sent to you asking a number 
of questions related to the data breach, and I do not expect 
those answers now, but I want to find out when I am going to 
get answers to my letters. This would include requests for 
documents that should shed light on whether the IRS carefully 
considered security risks prior to instituting the Get 
Transcript online service. My letter asks that you provide a 
response by June 4th, and it was sent last week.
    Some examples of what we are concerned about are whether or 
not you had a risk assessment plan, an implementation plan, and 
mitigation plans. Those are some of the documents I am asking 
for.
    Do you have any idea where my request stands in the 
process? And do you expect to be able to fully respond to my 
letter by June 4th? And if not, when do you expect that I would 
be able to get a response?
    Commissioner Koskinen. That is a good question. As you 
know, and as I committed to the chairman at my confirmation 
hearing, we treat letters from the Hill very seriously. They 
are a high priority. Sometimes we get a request to give a 
response within a week to a lot of data that is difficult for 
us, but our goal is to, in fact, not delay this any longer than 
necessary.
    The amount of information you want probably makes it 
unlikely we will get it by the end of this week, but certainly 
by next week we expect to be able to provide you that data. The 
chairman has a pending request to us, a very thoughtful 
request, about our entire IT program, which is in the process 
of coming back to him. It has taken longer than we would like, 
but it is going to be 40 or 50 pages long, with very, I think, 
instructive detail--I found it interesting to read--about the 
priorities we have, the challenges that we have faced over 
time, and how we have responded to those.
    But we will point out to you that we take risk seriously. 
When this Get Transcript was put up, when any new application 
is put up, we look at the security risks. Whenever we have a 
new program, we work with the Inspector General to see that it 
is being set up appropriately, that there are appropriate 
protections.
    And so, it is an important question, one that, as we move 
along--not only do we have risk mitigation plans when we start, 
we monitor as we go forward each year what are the schemes, 
what is going on with identity theft, where are the attacks 
coming from. We are pinged, as it were--not necessarily 
attacked but just people checking to see where we are and what 
they might be able to find--over a billion times a year. So we 
have security going on every day.
    The Chairman. If I can interrupt, we have a vote on. 
Senator Grassley will finish his questions, and then next is 
Senator Carper. And I will try to get back by then. If not, 
after Senator Carper is Senator Enzi.
    Senator Grassley. Okay.
    The Chairman. So, in that order.
    Senator Grassley. Yes. Well, I think I heard you say that 
you will fully respond. It may not be by June 4th but next 
week. Thank you.
    Mr. George, IGs are very important offices as far as I am 
concerned. Did your office evaluate the security measures put 
in place by the Get Transcript service either before or after 
it went online? And if so, what were your office's findings? 
Did the IRS fully comply with any recommendations you may have 
made?
    Mr. George. Mr. Grassley, we did take a look at an earlier 
iteration of the Get Transcript program and at that time made 
some recommendations that we believe were implemented. We have 
not taken a look at a subsequent version of it until now. But 
obviously we will be looking at that.
    Senator Grassley. Okay. Mr. Koskinen, reportedly the 
attacks began in mid-February, but the IRS failed to notice 
suspicious activity until mid-May. Why was the IRS not able to 
detect the malicious activity when it initially began?
    Commissioner Koskinen. Last filing season, there were 23 
million successful downloads on the Get Transcript application, 
so it is a huge volume. We now know when it started by going 
back through our logs. We log every transaction. They were 
shrouded under the huge volume of requests going out 
legitimately.
    When the filing season ended, I think what happened was 
that the volume dropped--not ``I think.'' I know it dropped, 
and then it suddenly started up again. But, by that time, the 
volume of legitimate requests had dropped, and the activity 
became visible to us. I am not sure that people expected it to 
be visible, but anyway, that was when we found it. It was in 
mid-May when we noticed it. As I say, first we thought it was a 
denial of service attack, because things were backing up in a 
way that was unexpected. Within a couple days, our security 
people went through and figured out it was not that; it was, in 
fact, unauthorized attempts to access the data. And as soon as 
they found that out, within a day or two they sat down with us. 
We advised the Hill, and as I say, I am delighted that we have 
been able to notify the 104,000 taxpayers already.
    Senator Grassley. My time is up. Thank you.
    Senator Carper. Thanks, Mr. Chairman. Gentlemen, welcome. 
It is great to see you both. We appreciate your presence today. 
We appreciate very much your service to our country.
    I want to start off by going back to Commissioner Koskinen 
talking about what the IRS is doing in reaching out to those 
citizens, those taxpayers whose information has been or may 
have been compromised to try to help them in a time of 
uncertainty and probably a time of considerable concern and 
worry.
    A lot of us use the Golden Rule to kind of guide us in our 
lives: treat other people the way we would want to be treated. 
Tell me how the IRS is, if you will, using the Golden Rule to 
reach out to the people whose information may have been put at 
risk, or has been put at risk.
    Commissioner Koskinen. The investigation is still going on 
by ourselves, by the Inspector General, but one of our concerns 
was, as soon as we knew that there had been inappropriate 
access and data had been released, our first concern was 
taxpayers. We regret that this attack took place. We understand 
that it is a traumatic event for taxpayers. We work with 
taxpayers as victims of identity fraud every filing season, 
virtually every day.
    So our goal was, even while we were trying to get to the 
bottom of it, once we were able to identify the taxpayers whose 
information had gone out, our goal was to get that notice to 
them as quickly as we could. We secured their accounts--we 
secured the accounts of the other 100,000 even though no data 
went out--so that there would not be false refunds available to 
be filed against their Social Security Numbers.
    As I say, we have completed the mailings to the 104,000. We 
are offering them, at our expense, credit protection. We are 
also offering them the option to authenticate themselves and 
get an Identity Protection PIN, or an IP PIN, to give them even 
further security as they go forward.
    So we have done everything we think we can do, and most 
importantly, we have done it as quickly as we could, because we 
think it is important for them to have that information.
    Senator Carper. Thank you. Just very briefly, did you say 
the letters have been sent or are being sent?
    Commissioner Koskinen. The letters are all in the mail.
    Senator Carper. And when would you expect----
    Commissioner Koskinen. The letters for the 104,000. We are 
now processing the letters to the 100,000 where no data 
escaped, but we think they need to be notified that we have 
evidence that criminals have access to their personal 
information.
    Senator Carper. Do those letters include phone numbers that 
people can call to have further conversation and gain some 
further assurances?
    Commissioner Koskinen. There are numbers to call, although, 
as you know, the ability to get us on the phone is not as good 
as we would like it to be, so we have posted information on our 
website. We are suggesting they go to the website first if they 
have questions. And we have already had some people showing up 
at our Taxpayer Assistance Centers, and we are providing them 
assistance as well.
    Senator Carper. All right. Sometimes people ask me why I 
have had some success in my life. I always say, ``I have always 
surrounded myself with people smarter than me.'' My wife has 
often said, ``It is not hard to find them.'' But I want to talk 
about--I want to go back to the issue of streamlined critical 
pay.
    I would like for us to think--and I will ask you to answer 
for the record. If we were to restore this program, which I 
think ended in 2013----
    Commissioner Koskinen. Yes.
    Senator Carper. If we were to fully restore and fund this 
program, what would be the cost of that on an annual basis? 
Compare that for us with the cost of this breach. What is this 
costing the Treasury as we attempt to respond to it, at least 
to date? You do not have to do that right now, but if you have 
it off the top of your head, that would be fine. I would love 
to know what kind of return we would get on the investment if 
we were to restore this program.
    Commissioner Koskinen. The Inspector General did a review 
of the program that he published last December, and, as a 
general matter, it appeared that the cost to the Government was 
$400,000 or $500,000 a year, because, you know, the pay 
increase differential is relatively modest. We only had about 
30 people who had taken advantage of it. And some of them get 
paid less than senior SESers. So for the $400,000 or $500,000, 
we think you get a great return. As I say, the 13 million 
returns that went through with refunds out of the 104,000 have 
refunds totaling $39 million. Now, some of those will turn out 
to be real taxpayers, but obviously the return on the 
investment is significant.
    As I said, the head of our IT program, who is wonderful, is 
a streamlined critical pay guy. We lost the three people who 
were great data analytics people, including an expert on 
authentication.
    Senator Carper. Thank you. Inspector General, can you give 
me a number, 10 to 1, 50 to 1?
    Mr. George. I do not know that we have a number.
    Senator Carper. I am going to ask you to just respond to 
that for the record, if you would.
    Mr. George. We will, to the extent that we can, but I would 
say that we did find that the program was operated 
successfully, and it was justified.
    [The information appears in the appendix on p. 44.]
    Senator Carper. Okay. Thank you.
    Outside help--you are not in this by yourself. You have 
other Federal agencies that have responsibilities to be of 
assistance to you at the IRS, and one of those is the 
Department of Homeland Security. I would just ask you for the 
record what help have they provided, and is there more that 
they and other agencies should be doing?
    Commissioner Koskinen. We have regular communications with 
Homeland Security. I have met with the Secretary of Homeland 
Security, actually at your suggestion. They provide us 
technical expertise. We alerted them immediately, even when we 
thought it was just a denial of service attack, that this was 
an issue they needed to know about. We alerted the Inspector 
General.
    Homeland Security has been very supportive, and what they 
provide is updated information about what they are seeing 
across the spectrum. So there is a good working relationship 
across the Government of agencies under attack trying to see 
what are the patterns, what is going on, and what can we learn 
from each other.
    Senator Carper. All right. Thank you both very much.
    Senator Enzi?
    Senator Enzi. Thank you, and thank you, Mr. Commissioner 
and Mr. Inspector General, for being here. I read your 
testimony. I thought of some other possibilities for the data 
breach, and I was reminded of them when I filed my taxes. I had 
overpaid, and I do not have electronic transfer to the bank, 
because I am not going to share that information with the IRS 
or anybody else. So I received my tax refund in an envelope, of 
course, a paper check, and what surprised me was, in the 
envelope there was also a flier from the Consumer Financial 
Protection Bureau.
    Now, the Consumer Financial Protection Bureau has the power 
to examine and impose reporting requirements and all kinds of 
regulations on financial institutions and on personal 
information. They are collecting everything. People are worried 
about the National Security Administration. They ought to worry 
about the Consumer Financial Protection Bureau. They are 
getting all of our data all of the time, and that is one of the 
possibilities for a security breach.
    I do not believe the authority extends to the IRS to 
solicit Americans' stories about their money through the 
Consumer Financial Protection Bureau. Additionally, since the 
Consumer Financial Protection Bureau is funded by a transfer of 
non-appropriated funds from the Federal Reserve System's 
combined earnings before it ever gets to the general fund, I 
question whether it is appropriate to use taxpayer dollars to 
advertise the Consumer Financial Protection Bureau as the IRS 
did by including this mailing with the tax refunds.
    And, lastly, because the CFPB is supposed to be an 
independent organization, I do not believe the Treasury 
Department should be soliciting information on behalf of the 
entity. So I would appreciate answers to the following 
questions. Some of these will be more detailed than the time 
that we have for them, but I would like to know what authority 
the Treasury Department relied on to include that information 
in the IRS tax refunds. What agency paid to print and mail 
those fliers? Have you respected all the boundaries concerning 
confidential taxpayer information? Could hackers be getting 
data from the Consumer Financial Protection Bureau that is used 
with the IRS from data that maybe the IRS is sharing with that 
department?
    Mr. Commissioner, could you--some of those I will put in 
more detail for written answers, but my best chance of getting 
an answer is right now. So how did that happen to wind up in my 
statement?
    Commissioner Koskinen. I am delighted to respond. First, I 
should make a correction to the record. I just talked about 13 
million returns. It is 13,000 returns had a false refund, 
potentially false refund. There may have been real taxpayers in 
my previous question.
    With regard to this, we often provide taxpayers with 
information that may be of interest or support to them, 
particularly in financial matters. We do not share--under our 
protection of taxpayer data--information with other Federal 
agencies unless there is a specific statutory authorization for 
that, and to my knowledge, there is not one with the Consumer 
Financial Protection Bureau.
    I will be happy to get you further details as to who paid 
for the flier, why it was put in there. Generally, if we 
provide information to taxpayers, it is for their assistance, 
for their information, in ways that may be helpful to them. We 
are not asking for them to provide us additional information in 
those filings, but we will get you more detailed information, 
and I will get you that answer, again, if you will provide the 
detail of that question. Do not wait for the record. If you 
will just send me a note, I will get you the answer back 
quickly.
    Senator Enzi. Okay. I will be asking you some questions 
about that, because I know there is even a cost to putting 
something in an envelope.
    A different question. Some unlicensed tax return preparers 
maybe are preying on uninformed taxpayers, and I did not 
exactly see that in the testimony, but I know that is one of 
the possibilities for places where people may be getting the 
information. To what degree is the IRS working to eliminate 
these fraudulent taxpayer return people?
    Commissioner Koskinen. We monitor tax preparers. We have 
actually had criminal prosecutions against a number that have 
taken advantage of their clients. We are concerned about, not 
only criminal tax preparers, but uninformed tax preparers, and, 
as you know, we requested legislation that would allow us to 
require minimum qualifications for a tax preparer. If you go 
into particularly low-income or immigrant communities, you will 
see people advertising, ``Come with us. We will get you a big 
refund.'' They do not say, ``Whether you are entitled to it or 
not,'' but that is basically what they are up to.
    And so, to the extent we can, we have a voluntary program 
that provides continuing education for tax preparers who want 
to sign up, but we do monitor fraudulent returns, and, if there 
is a pattern that they come from an individual preparer or 
group of preparers, we refer those cases for prosecution.
    Senator Enzi. Thank you. I appreciate you being here.
    The Chairman. Well, I think I might as well ask a couple 
questions. But first we will go to the senior Senator from 
Kansas.
    Senator Roberts. Well, thank you, Mr. Chairman.
    Gentlemen, thank you for coming. Thank you for endeavoring 
to get to the bottom of this and come up with some answers.
    I must tell you, just the other day, when coming back to 
Washington on an airplane from Kansas, somebody leaned over and 
said, ``What is this business with the IRS?'' And I responded 
with regards to what I thought was his concern with regards to 
the ongoing targeting of conservative groups applying for 
exempt status. He says, ``No, no, no, no, no. There has been an 
attack.'' I said, ``Oh, well, we have a breach. We have a 
cyber-attack.'' He said, ``Well, what was that all about?'' And 
I said, ``Well, we do not know yet, but we are going to have a 
hearing, and I know we can try to get to the bottom of it. But 
what we do know is that this is a foreign hacker, probably from 
Russia, probably Russian mafia.'' There was a long pause, and 
he looked at me, and he said, ``I do not really have anything 
more to say.'' So this whole thing just rendered him 
speechless, and I think a lot of people are in the same boat. 
And it is a paradox of enormous irony.
    My staff tells me that just prior to this breach, privacy 
experts went in to brief them weeks ago, just weeks ago, on how 
safe data was contained in the Get Transcript system and how it 
was safe, and that is a ``was'' now, not an ``is.''
    I do not think this is a new threat. I know it is not to 
both of you. The agency, the Inspector General, the GAO, and 
the committees with oversight have been concerned about these 
threats for years. GAO reported this March that the data under 
the control of the IRS is ``unnecessarily vulnerable to 
inappropriate and undetected use.''
    I agree with Senator Wyden. There is a war going on. On one 
side we have the government, taxpayers, and business, and on 
the other, hackers and criminals, organized syndicates, some 
lone wolves, perhaps even national governments. Right now, it 
looks like we are losing this war, so we certainly need to use 
this latest breach to consider how we can regroup and win the 
fight.
    My concern is whether the IRS has the tools and mind-set to 
achieve better security and whether it is even capable of 
safeguarding this core function. I am very concerned that, in a 
rush to push out programs like Get Transcript--albeit this was 
pushed out some time ago--we have let access and purported cost 
savings overtake the absolute need to safeguard taxpayer 
information.
    So to the Honorable John Koskinen, thank you for coming, 
sir. To what extent do you partner with the private sector on 
data security? Do you need any additional flexibility or 
authority to work with outside experts to make sure you have 
access to the tools and the technology to address the privacy 
and also the data security issues?
    Commissioner Koskinen. We have an ongoing partnership with 
various elements of the private sector. We have a great working 
relationship with financial institutions that work with us on 
stopping improper refund payments. As I noted, we pulled 
together 3 months ago what we call a ``Security Summit,'' where 
I asked the CEOs of the major tax preparers, tax software 
providers, and State tax administrators to sit down with us, 
and I told them when we started: ``The purpose of this meeting 
is not for me to tell you what we are going to do or what you 
ought to do. The purpose of this meeting is to start a 
partnership where we work together to figure out how the three 
of us--the private sector, States, and the Internal Revenue 
Service--can work together in the battle.
    Senator Roberts. Is that ongoing?
    Commissioner Koskinen. And that is ongoing. We expect 
probably next week to give a public discussion of what we are 
going to do for the next filing season. But I told them it is 
not just for the next filing season. We need to begin to take a 
look at, on a longer-term basis, what are the things we need to 
do.
    One of the issues we may need to discuss, although we think 
we have the authority, is the private sector noted that they 
need a level playing field, so if we come up jointly with 
requirements as to sharing of data or the implementation or 
what we are going to require from taxpayers, we are the only 
ones who can require that across the board so that one person 
is not getting an advantage. And we will do that if necessary, 
and, if we need legislation, we will be back. But thus far, it 
has been a wonderful working relationship.
    Senator Roberts. I appreciate that. My time is running out. 
I just have one more question for Mr. George. I understand the 
IRS has shut down the Get Transcript program for the time 
being, and this hack has been stopped. But in looking at this 
program moving forward, how should we close the door to future 
attacks? How will you know that we have even succeeded in 
shutting the door?
    Mr. George. Great question, Senator. I do not have a 
definitive answer at this time. As the IRS is attempting to 
make the experience between the taxpayer and the IRS more user-
friendly, they are giving people opportunities to access 
information in ways that heretofore did not exist. It is a true 
challenge for the IRS to strike a balance between ease of 
access and security.
    Now, the private sector, as has been pointed out, has 
experienced these types of problems. They have adapted, 
acquired different systems that would allow people to further 
authenticate who they are. There is a cost associated with 
doing that, and whether or not the IRS is in a position right 
now, resource-wise, to do that, I would defer to the 
Commissioner.
    But, sir, if I may, Mr. Chairman, one thing I do want to 
clarify is, we are still again at the outset of this 
investigation, but there have been reports that this data 
breach originated solely from Russia, and I want to make it 
clear that is not the case. It is beyond Russia. So I just 
wanted to get that on the record.
    The Chairman. When you say ``beyond Russia,'' what do you 
mean?
    Mr. George. That there are other domains--the domains are 
located in nations other than Russia, in addition to Russia.
    Commissioner Koskinen. I would just note that our 
experience with the criminal syndicates we are dealing with is 
that they are not limited by national boundaries. They are, in 
fact, operating globally. They are located and headquartered 
oftentimes in one country or another, but they are not 
constrained by geographic locations. And so our experience is, 
analyzing the data of the Inspector General, this is coming 
from several different, perhaps organized--clearly, it was an 
organized attack--but our experience in looking at syndicates 
around the world is that they cooperate when it is in their 
interests, and they cross national boundaries very easily.
    Senator Roberts. Mr. Chairman, it occurs to me that perhaps 
we could have something called a ``National Security Agency'' 
or something that could monitor this kind of data and then see 
how the phone calls come in. Something like that might----
    The Chairman. Sounds like a good idea.
    Senator Roberts. Yeah, it sounds like a good idea to me.
    Could I simply ask that a New York Times article which 
contains a statement by Nina Olson, who leads the Taxpayer 
Advocate Service, an independent office at the IRS, be inserted 
in the record at this point? I apologize to my colleagues for 
going over time.
    The Chairman. Without objection.
    [The article appears in the appendix on p. 63.]
    The Chairman. Now, before I go to Senator Isakson, have you 
pinpointed any country or countries from which this came?
    Mr. George. Yes, but, again, we have to be careful because 
of the active investigation, Mr. Chairman. But as the 
Commissioner pointed out, you could be in Florida and you can 
use, you know, a router or a server in a different country on 
the other side of the world. I mean, eventually we are able to 
track them down, but at this stage, with the report that it was 
solely Russia, that is not accurate.
    The Chairman. That was just a speculation, as far as I was 
concerned. But you are not in a position to name any country or 
countries?
    Mr. George. At this stage, I would prefer not to publicly, 
but privately we would certainly share that information with 
you, Mr. Chairman.
    The Chairman. Fine. Senator Isakson?
    Senator Isakson. Thank you, Mr. Chairman. I would be happy 
to defer if you are in a hurry.
    You know, I think it is ironic. Senator Roberts made an 
interesting observation, but for the last 6 days, the United 
States Senate has been debating the merit of whether or not 41 
members of the NSA should have access to two phone numbers, the 
date of a call, and the duration of the call, without any 
personally identifying information whatsoever. We are getting 
ready to take that authority away from them, yet we have the 
Commissioner of IRS talking about 104,000 Americans who had 
their identities stolen. And when I file my tax return on April 
15th, they know how much money I make, how much my wife makes, 
what church I go to, whom I give the money to, whether or not I 
had a casualty loss, where I buy stocks, where I buy bonds, 
where my money is deposited, and how much I owe on my house.
    So I just want to put things in perspective, that this is 
an important hearing, but that information is a lot more 
private, a lot more personally identifying, and a lot more 
dangerous for the average American citizen than whatever the 
NSA ever does, and they are looking out for our physical 
safety. I just had to make that statement.
    Secondly, it is ironic----
    The Chairman. You summed that up very well.
    Senator Isakson. Thank you. Experian just e-mailed me to 
tell me my credit card has just changed and I need to check 
with them on the potential of identity theft having taken 
place, and that just came in at 10:24 on my BlackBerry. I had 
mine stolen about 3 years ago, and I want to commend the 
Department, the Internal Revenue Service, for providing 
taxpayers whose identities have been breached with the right 
type of Experian or Equifax protection to see to it their 
identity is protected, just like mine is being protected 
because of the loss that I had.
    I guess my question is on the IP numbers. Georgia is one of 
the States--there are three: the District of Columbia, Georgia, 
and I have forgotten the name of the other State where----
    Commissioner Koskinen. Florida.
    Senator Isakson [continuing]. Florida, where the IRS gave 
taxpayers the option to apply for an IP number, which is a 
self-identifying number for a tax return. Is that correct?
    Commissioner Koskinen. That is correct.
    Senator Isakson. And there are a million and a half of 
those IP numbers now issued. Is that right?
    Commissioner Koskinen. A million and a half are issued to 
those who have been victims of identity theft. We have had the 
pilot program where we had a few thousand. We are trying to get 
more people--we are running it as a pilot to see what the costs 
would be and the burden would be. We have had a relatively 
modest take-up on that, but we are encouraging taxpayers to 
take advantage of it.
    Senator Isakson. Have you found it to be a foolproof system 
yet, or is that why you are doing a test?
    Commissioner Koskinen. We are doing the test primarily to 
see what the burden on taxpayers is and what the cost to the 
IRS is. It is foolproof to the extent that you do not lose it. 
What happens with Social Security Numbers is they are, you 
know, out in the world. They are used for children's 
identification in school. On everybody's Medicare card is a 
Social Security Number. The IP PIN has no other use, so our 
experience thus far is we can authenticate to make sure that 
the taxpayer who gets the IP PIN is the legitimate taxpayer. If 
they keep it secure, there is no way anybody gets access to 
that number, and their returns, therefore, are safe.
    Senator Isakson. It would seem to me that if the trial that 
you are doing in Georgia and Florida and the District works and 
does seem to be foolproof, you would give every American 
taxpayer the ability to apply for one of those. I mean, you 
would not want to make them take one for fear of some sinister 
government plot somewhere, but you would certainly give them 
all the opportunity to get one.
    Commissioner Koskinen. Right. Our challenge, what we are 
looking at with the PIN is, if people lose it, we have a lot of 
people then--if we get, for instance, 50 million people with IP 
PINs and half of them lose them, we are going to end up with a 
tremendous amount of background noise just trying to make sure 
we get them the right PINs and replacement PINs. So that is one 
of the things we are looking at: how does it work when you have 
people who otherwise have not been victims sign up? But it is 
ultimately a way to go.
    When we get down to the bottom of it, our analysis over 4 
or 5 years is, authentication is going to turn out to be the 
key, whether it is authenticating you to get an IP PIN which 
allows you to get in--and that is what we are working on with 
the private sector and the States. We need to, together among 
all of us, have a way of sharing information about who is 
actually the customer. Are you who you say you are? When you 
call us, you know you are you, but then you wonder why we have 
to authenticate you to make sure you are not somebody 
impersonating you.
    So it is a multifaceted approach we are taking, trying a 
lot of different things to figure out, again, as the chairman 
said, how we get even or get ahead of the game. Ultimately, we 
will never put them out of business. The goal is to make it so 
difficult and expensive that it is not worth their while.
    Senator Isakson. Mr. George, I want to ask you a question. 
It would probably be unfair of me to ask Mr. Koskinen this 
question, although he is welcome to comment if he likes. But I 
have been thinking, as I listened to both of your testimonies, 
that the best way to protect taxpayer identity and limit fraud 
is to change the way in which we do our taxation.
    There is a Georgian by the name of Neal Boortz who wrote a 
book called ``The Fair Tax,'' which advocates going to a retail 
sales tax and eliminating the inheritance tax, the payroll tax, 
and the income tax. If you paid at the retail purchase a tax to 
the Federal Government to supplant those three taxes, would it 
not be a seamless protection against identity theft?
    Mr. George. I cannot give you a definitive answer on that 
one, Senator. Suffice it to say the more information, the 
earlier the IRS gets it, and an easier way of doing taxes would 
assist the system overall, the taxpayers and what have you. But 
the various proposals, such as the ones that you mentioned, I 
am not certain whether they would have a direct impact on 
identity theft.
    Senator Isakson. I am not necessarily selling the proposal, 
but what I am saying is, if I paid my tax to the Federal 
Government on a retail purchase and it was collected by the 
retailer, who does that for the States anyway, it would 
eliminate any of this self-identifying information, and the tax 
would end up being collected, which would be a protection 
against some of the identity theft.
    Mr. Koskinen?
    Commissioner Koskinen. I think that is right. If we did not 
deal with taxpayers individually, we would not have individual 
information.
    The issue globally would still exist, as with your credit 
card, and that is: are criminals accessing enough personal 
information to access your bank accounts, your credit cards, 
your mortgage accounts? But from the standpoint of the IRS, if 
we were dealing with a system where we collected funds, the 
government collected funds, with a value-added tax or a fair 
tax or something that did not require individuals to register 
with us, almost by definition we would not have the risk of 
individual identity theft, because we would not have 
individuals identified.
    Senator Isakson. Mr. Chairman, my time is up, but I want to 
thank Mr. Koskinen for taking the time to invite me to the 
Chamblee headquarters of IRS in Georgia and giving me a tour. I 
appreciate the connectivity that you have there. I appreciate 
what you are trying to do.
    The Chairman. Thank you, Senator.
    Senator Scott, we will call on you.
    Commissioner Koskinen. I might just note that the irony of 
that visit, which our employees genuinely appreciated, was the 
Senator and I spent an hour on a briefing on identity theft.
    The Chairman. Good. Senator Scott?
    Senator Scott. Thank you, Mr. Chairman. Commissioner, Mr. 
George, thank you for being here this morning.
    Commissioner, can you tell me how many South Carolinians 
have been affected or had information stolen by the breach?
    Commissioner Koskinen. I cannot tell you that. As I said 
earlier, we have sent letters to the 104,000 whose data was 
accessed, so anybody in South Carolina should be getting a 
letter in the next few days. We can go back through and get you 
that information.
    Senator Scott. That would be great.
    Commissioner Koskinen. We have not segregated it by State 
at this point.
    Senator Scott. Thank you very much.
    Whenever I go throughout South Carolina, my constituents 
are incredibly concerned about the IRS. They really feel like 
your agency is the agency that truly has the power of 
intimidation. So when we hear about breaches, 104,000 folks 
violated by this breach, my citizens are incredibly excited and 
passionate and concerned about the activities at the IRS, and 
it did not simply start with the breach. It started when we had 
the conversation last time about groups being targeted because 
of their religious beliefs or their political doctrine. It 
flows into the Lois Lerner e-mails and the inability to figure 
out if you have or if you do not have the e-mails. It continues 
on down the road as they call during tax season and they are 
unable to get someone to answer the phone, so they have these 
courtesy hang-ups.
    It is consistent, as I talk to my constituents, that their 
concerns continue to grow, and this breach will only add more 
fuel to the fire for people who are absolutely petrified by the 
IRS. And now having their information exposed to criminal 
elements, criminal cartels, is even more disconcerting.
    I would love to hear what it is exactly that you are doing 
in order to secure the IT at the IRS. And then, Mr. George, I 
have a question for you about the 19 recommendations that were 
made and only 8 were implemented.
    Commissioner Koskinen. What we are doing is, for years now, 
security has been a high priority for us. We understand, 
particularly with identity theft, which is based on information 
stolen elsewhere and then used to file a false return, that 
that is a difficult and traumatic situation for taxpayers. So 
one of our highest priorities is making sure that, if that 
happens to a taxpayer, they get a prompt response from us.
    As I have noted, we work closely with the Inspector General 
and GAO. We value their recommendations. In some cases, we have 
actually asked them to take a look at our systems and to make 
sure they are not breached. As I said, we get pinged, not 
necessarily attacked, over a billion times a year. So we are 
aware--no one at the IRS is under any illusions that we are not 
at risk--and so we spend as much time and effort and resources 
as we can focused on that. Anytime we make a change in a 
system, anytime we make a change in a new application, we look 
at the security aspects of it.
    As the Inspector General said, we are balancing off trying 
to provide better taxpayer service. As you noted, with the 
resource constraints, we did not answer the phones at anything 
like the rate we would like to have. We had 23 million 
transcripts successfully downloaded last year. Those were 
requests, otherwise, taxpayers would have had to make either on 
the phone or in person.
    So to the extent that we can provide better service to 
taxpayers, that is a high priority for us. But ultimately I 
take your point--we take it very seriously--that taxpayers have 
to feel they are going to get treated fairly, no matter who 
they are, no matter what organization they belong to, no matter 
who they voted for. And we have done everything we can. We have 
implemented all the Inspector General's recommendations in 
those regards, and I think it is important for taxpayers to 
know that we take their concerns seriously. They are ultimately 
our customers. We work for taxpayers. We do not work for 
anybody else.
    Senator Scott. Thank you, sir. I will say that, from a 
resourcing standpoint, it appears that during the Obama 
administration about $5 billion has been dedicated to the IRS 
for IT. Under the Bush administration, the number was somewhere 
around $5.3 billion. So in the last decade or so, over $10 
billion for IT, and it just does not seem like the type of 
security that we would anticipate and expect is there.
    And I am running out of time, Mr. George, so, of the 19 
recommendations that were made previously for corrective 
action, it appears that only 8 of those 19 were implemented, 
and perhaps some were closed before they were fully 
implemented. Can you shed a little light on that for me?
    Mr. George. I will in the amount of time that we have left, 
and I would ask for permission to supplement my response in 
writing.
    Senator Scott. Thank you very much.
    Mr. George. We have made a number of recommendations, 
actually a total of 44 recommendations, as of March of this 
year. Eighteen of those have been recommendations from security 
audits that have yet to be implemented.
    Ten of those recommendations come from five security audits 
that were completed during fiscal year 2008 to 2012, so they 
are very dated. And there are a couple of examples of some of 
the oldest recommendations that we made that we think might 
have had some bearing on the IRS's ability, if not to stop, 
again----
    Senator Scott. Can you name just one?
    Mr. George. Certainly. The IRS should require system 
administrators and their managers to correct user account 
deficiencies identified during the audit. Managers need to 
periodically review and validate access to systems, limiting it 
to people who only have a need for that information.
    Senator Scott. Mr. George, that does not sound like a 
resource issue. That sounds like a management issue.
    Mr. George. I agree, sir. I agree there.
    Senator Scott. Okay.
    Mr. George. I agree. And if I may add just one factoid, 
sir, that I just think is important to point out. The 104,000 
figure is used a lot. We have to keep in mind those are the 
records, the transcripts that were accessed. A lot more people 
could be affected by that, because spouses and dependents of 
the taxpayer, their information is contained within those 
reports. So at this stage, again, I cannot give you a 
definitive number, and I do not believe the Commissioner is in 
a position to do so either. But it is more than 104,000 people 
certainly.
    Senator Scott. Thank you, sir.
    Mr. Chairman, thank you for the time.
    The Chairman. Senator Casey, we will turn to you.
    Senator Casey. Mr. Chairman, thank you very much, and 
thanks for this hearing. Commissioner and Mr. Inspector 
General, thank you for your appearance here and your service. 
We appreciate it.
    I want to start with the issue through the lens of 
Pennsylvania. We have had a number of reports--and I have heard 
directly from law enforcement in Pennsylvania--about identity 
theft, and not just the broad-based or the significant 
challenge it presents generally, but specifically because the 
response to it often involves many different agencies, for 
example, in addition to the IRS, the Department of Justice, the 
Social Security Administration, and State and local law 
enforcement.
    So I would ask you first, Commissioner, about what we refer 
to as interagency and interstate coordination. Tell me about 
that in terms of what you have been able to do since you have 
been Commissioner.
    Commissioner Koskinen. When all of this, as I said, 
exploded in 2010 to 2012, it overwhelmed law enforcement, 
overwhelmed everybody. Since then, we have established very 
successful partnerships actually with State and local law 
enforcement across the country, particularly in States like 
Georgia and Florida where all of this seems to have started.
    So they, together with our working relationship with the 
Department of Justice and U.S. Attorneys--we have a very active 
Criminal Investigation Division, but we do not prosecute 
people, we do not bring charges. So we have to work, again, in 
partnership with U.S. Attorneys across the country, and that 
has been a very successful and effective partnership. As I 
said, we have thrown almost 2,000 people in jail over the last 
few years who have been convicted and sentenced to long 
sentences as a result of those partnerships.
    Senator Casey. One of the realities of this for a State 
like ours--and I am sure this is true in other States as well--
is local prosecutors, meaning District Attorneys, for example, 
at the county level, are among the law enforcement officials 
who have to confront the problem. So, Commissioner, I would ask 
for your commitment to work with our folks, both local 
officials and State officials, as well as taxpayers, on a 
coordinated approach to solve the problem.
    Commissioner Koskinen. We are delighted to do that. We have 
no illusion we can do this by ourselves. We need as much help 
as we can get, and we have a great working partnership with the 
investigative arm of the Inspector General as well.
    Senator Casey. I appreciate that. Thank you for that 
commitment.
    I want to turn to the question of resources. I know that 
often we in the Congress will point to a problem, and that is 
part of our job in terms of oversight and in terms of making 
sure taxpayers have their concerns responded to. But as we 
point fingers, we also ought to be constructive in terms of 
providing support. And sometimes that happens, and sometimes it 
does not.
    But I noted in your testimony, Commissioner, on page 5--and 
I guess I am asking a question and answering it by reading 
this, but on the question of resources, you say, and I quote, 
``Congress can help by approving the President's fiscal year 
2016 budget request, which includes $101 million specifically 
devoted to identity theft and refund fraud, plus $188 million 
for critical information technology infrastructure.'' So $101 
million plus $188 million.
    Can you tell us what those dollars would be used for?
    Commissioner Koskinen. Yes. What they would do is, on the 
one hand, in terms of identity theft, they would improve our 
ability to more quickly upgrade our filter process. We have 
been building that for some time. We would go faster with that. 
It would allow us to, in fact, respond more specifically to 
individual taxpayers and their concerns. Most importantly, it 
would allow us to upgrade our basic IT infrastructure. As I 
noted earlier, we are running antiquated systems, some of which 
are no longer supported by the software companies.
    And I would stress this particular problem was not a 
question of resources. My concern about it is, it is really a 
shot across the bow. The overall, ongoing challenge of dealing 
with sophisticated criminals around the world is the security 
of the entire system, and that is where the weaknesses in our 
antiquated system come to bear. So whatever resources we can 
have to continue to improve the overall system will be helpful.
    Senator Casey. And I hope if there is anything additional, 
either by way of authority or resources you need when it comes 
to dealing with the international dimensions to this, which I 
am sure are challenging, I hope you indicate that to us.
    Thanks very much, Mr. Chairman.
    The Chairman. Thank you, Senator.
    Senator Heller, you are next.
    Senator Heller. Mr. Chairman, thank you. Thanks for holding 
this hearing. I also want to thank our witnesses for being here 
also.
    Commissioner, I want to thank you for the call we had 
yesterday. It was very, very helpful, and hopefully we can move 
forward on some ideas. In fact, I will even bring them up, for 
that matter, as you probably anticipated. They will not be part 
of my questioning, but I think they are issues that are 
important to my home State.
    I have heard from many of my constituents their strong 
concerns over the proposed IRS changes to the filing of 
information returns for reported winnings from bingo, keno, and 
slot machines. Due to the administrative burden proposed, 
13,000 customers have signed a petition so that the reporting 
threshold for bingo, keno, and slot machines would not be 
reduced, and I too share their concerns about these proposed 
rules.
    Across the U.S., the gaming industry supports 1.7 million 
jobs and about $240 billion in activity--no small sum. My staff 
has had multiple conversations with your office in regards to 
these proposed rules, and I am pleased that we had that 
opportunity to have the same discussion between you and me 
yesterday.
    That said, I, like many other taxpayers, was frankly kept 
in the dark with regards to receiving responses from the IRS to 
better address these proposed rules. My questions were answered 
yesterday, some of them. I am grateful for that. Your comment 
period is extended, and I appreciate that, since it did take a 
couple months in order to get a response from your office. So, 
as I mentioned yesterday, my comments will be coming in the 
next week or so. Anyway, thank you for your help and support in 
extending the deadline in order to get those questions in.
    The chairman talked a little bit about public trust for the 
IRS's success, and you are familiar with that. The number of 
weaknesses--the ability to effectively protect taxpayers' 
confidentiality, integrity, and availability of certain 
taxpayer data unfortunately was not implemented. The Inspector 
General is here. He spoke on it a little bit, and you alluded 
to it during your testimony.
    It is my opinion, though, that a properly done tax reform 
would not only provide a simpler code, but would also provide 
the IRS with tools to combat tax-related identity theft and 
assist the victims of this crime.
    I told you yesterday on the phone that I am here to help. 
How can I help you?
    Commissioner Koskinen. Well, I appreciate that, and I 
appreciate, again, the chairman's clarity about how we need to 
work together on this. It is not a political issue. As we have 
said for some time, we need to get information returns earlier. 
It would be a great help to us. We need to have the authority 
to do what is called ``mark'' W-2s so that we can assure that 
they are produced by legitimate companies, not by fraudulent 
companies, as we go forward.
    We may need authority, to work with the partnership we have 
with the tax preparers and tax software companies as well as 
the States, to provide minimum requirements for data that 
authenticates taxpayers when they file their tax returns as we 
go forward.
    And then, ultimately, as I have noted, our discussion today 
is not about something that was a result of a funding shortage, 
but the challenge we face more broadly dealing with the 
criminal enterprises around the world does depend upon making 
sure we have adequate funding to continue to rebuild our 
systems to get them into what I call ``the early 21st century'' 
rather than the late 19th century.
    Senator Heller. Yes. Commissioner, a previous Finance 
Committee Chairman, Max Baucus, had discussed a draft that 
would disallow taxpayer Social Security Numbers on W-2 forms. 
What is your view of this proposal? I would ask the same thing 
of the Inspector General.
    Commissioner Koskinen. We have suggested that actually we 
just ought to get the last four digits on a W-2 form. What is 
more important to us is, if we can put so-called hashtags on 
those--and then we may need legislative authority--much like 
the number of companies that can provide paper that produces 
the money is allowed to be constrained by statute, we may need 
to be able to have those who produce W-2s through a competitive 
process be limited in number so that we can make sure that W-2s 
and the hashtags are appropriate as a way of, again, trying to 
make sure that the identifier is legitimate.
    Senator Heller. Okay. Mr. George, do you think that would 
be helpful?
    Mr. George. I do, actually, Senator. I agree with the 
Commissioner there.
    Senator Heller. Okay. Mr. Chairman, my time has run out. 
Thank you.
    The Chairman. Well, thank you, Senator.
    Mr. George, let me just ask you an unrelated question while 
you are here. It is an important subject. For almost a year, at 
our request, TIGTA has been investigating Lois Lerner's hard 
drive crash. Last month, TIGTA gave the committee the last of 
the e-mails pulled from IRS backup tapes. As I understand it, 
the next and final step is for you to provide us with a report 
on your investigation, and now that all of the recovery work is 
done, can we get a commitment from you today to submit your 
report to us on the hard drive crash by mid-June?
    Mr. George. I can commit, Mr. Chairman, to having it to you 
by the end of the month. I spoke with my chief investigator 
prior to this hearing in anticipation of the subject coming up. 
As of now, we have conducted over 100, almost 150 interviews of 
people related to the lost e-mails, and, as you can imagine, 
each interview leads to more information that needs to be 
tracked down.
    Given the nature of this matter, we need to be as thorough 
as possible, and we are endeavoring to do just that. And I can 
say there are still very important interviews to come. So we 
will do our level best to try to accommodate that request, sir, 
but I can assure you, you will have it before the end of the 
month, the Congress will.
    The Chairman. Okay. Well, we will live with that. We would 
like to get our final report done, if we can.
    Commissioner Koskinen. I would just like to go on the 
record saying I would be delighted to get everybody's final 
reports.
    The Chairman. I am not sure that was helpful. [Laughter.] 
But we are glad you are glad, is all I can say.
    Senator Roberts has a question or two. Then I would like to 
start the second round.
    Senator Roberts. I would like to go back to that statement 
I inserted for the record. Nina Olson leads the Taxpayer 
Advocate Service, an independent office at the IRS. And in her 
annual report, she noted that victims must often navigate a 
labyrinth of IRS operations and recount their experience time 
and time again to different employees. Even when cases remain 
in one IRS function, they may be transferred from one assister 
to another with significant periods of non-activity. On 
average, the agency took nearly 6 months to resolve cases. She 
added that cases were also frequently closed prematurely before 
all related issues had been fully addressed. She recommended 
that a single officer be assigned to handle each case, and then 
she spoke to a broader issue, which I think really sums up what 
we are after here. While granting taxpayers enhanced access to 
their tax information, which was the laudable goal that even 
Congress agreed to when we passed this bill, the overriding 
priority now must be to protect taxpayers' confidential tax 
information from exposure. Is that a fair statement?
    Commissioner Koskinen. I think, you know, as the Inspector 
General said and most people have said, it is a balancing act. 
As I say, we had 23 million successful downloads of the 
transcript. If those people had to call us or show up in person 
to get their transcript, it would have been a problem.
    But, on the other hand, we need to make sure that we are as 
secure as possible. I think what is happening across the 
economy is that customers and taxpayers now understand that it 
may be harder to get access to their accounts, whether it is a 
bank account or--not harder in the sense it takes you 2 weeks, 
but there may be more hurdles you have to go through. You may 
have to have more information available to be able to get 
access. And I think taxpayers and customers are willing now and 
understand the need to accept the higher level of burden. And 
so we are reconsidering all of our work in that context in 
terms of where we go.
    It should be noted that over 20 percent of the people who 
try to get their transcript downloaded cannot answer the 
questions, their own personal questions. But on the other hand, 
I think what this does remind us all is that, no matter how 
important it is to be providing excellent taxpayer service, we 
have to focus as much as we can on the security of the data, 
and that is a critical issue for us.
    Senator Roberts. Mr. George, do you agree with that?
    Mr. George. I do, Senator.
    Senator Roberts. The IRS urged taxpayers not to contact the 
agency, the 104,000, saying it would only delay the already 
overburdened staff. Anyone whose information was stolen will be 
contacted. Sort of like ``hurry up and wait.''
    Commissioner Koskinen. Well, they will not have to wait 
long. The letters are already----
    Senator Roberts. Have letters been sent to all the 104,000?
    Commissioner Koskinen. Yes--104,000 letters.
    Senator Roberts. And what do the letters say that the 
person should do?
    Commissioner Koskinen. They basically give instructions 
about how to get credit protection at our expense. They give 
them information about how to obtain an IP PIN if they would 
like one, the documentation they will have to provide. It gives 
them a number to call, but suggests that if they have question, 
they go to our website where we have provided a set of 
frequently asked questions about the situation and what can be 
done.
    Senator Roberts. And you are confident you have the ability 
to protect this information with the suggestions you have in 
that letter?
    Commissioner Koskinen. Yes. In fact, we advise them in that 
letter that we have marked their account so that no one else 
can file a return with their own information, and we----
    Senator Roberts. I appreciate that. Thank you, Mr. 
Chairman.
    The Chairman. Thank you.
    Let me just ask--I apologize to you, Senator Carper. I 
should have called on you first.
    Senator Carper. Mr. Chairman, I have already had one bite 
out of the apple while you were out of the room, and I will 
wait my turn.
    The Chairman. Okay. Well, let me just--Mr. George, in 2012 
TIGTA did an audit of the IRS Computer Security Incident 
Response Center, or CSIRC, which is responsible for preventing 
and detecting computer security threats to IRS systems. In that 
2012 audit, TIGTA found that the IRS was not monitoring 34 
percent of its servers, and you noted that, ``Without adequate 
monitoring of IRS servers, the CSIRC may not timely detect 
malicious activity or cyber-security incidents.''
    Could the IRS's failure to monitor its servers lead to the 
type of breach that occurred in May? That is question number 
one. And does TIGTA plan to reassess whether the CSIRC is now 
actively monitoring all IRS servers?
    Mr. George. ``Yes'' is the answer to your first question, 
Mr. Chairman, and, yes, we will also be monitoring that.
    The Chairman. Okay. Mr. George, the IRS is planning to 
expand the additional online services that it offers in the 
coming years. One notable example is the secure messaging pilot 
program that is scheduled to launch in 2016 that will allow the 
IRS to e-mail taxpayers and practitioners about sensitive tax 
information, something which the IRS has not done in the past, 
as I understand it.
    In light of the recent data breach, do you have concerns 
about the security of online services that the IRS plans to 
introduce? And beyond current measures, what must the IRS do to 
ensure that these services are secure?
    Mr. George. The IRS has sent the message in the wake of a 
lot of these attempts to gain access to taxpayers' identity or 
other information, and the message was, you know, ``We never 
reach out to you by e-mail,'' and the like. And so they will 
have to engage in a public service information effort, I think, 
to inform taxpayers about these new ways of approaching the 
system of tax administration.
    Ultimately, it is a worthwhile goal to be able to contact 
people by way of e-mails and alternate ways of contacting them 
versus paper contact, which is much more expensive--and 
obviously so when you have individuals attempting to help 
taxpayers at Taxpayer Assistance Centers and the like. So it is 
a way for the IRS to more efficiently and effectively assist 
taxpayers to comply with their tax obligation. It is a good 
thing. There is no question that TIGTA will be looking at the 
overall proposal, how it is implemented, and the impact that it 
has on taxpayers.
    The Chairman. Well, thank you. We appreciate the service 
that you render. It is a tough job, both of you.
    Senator Heller, do you have any questions?
    Senator Heller. Mr. Chairman, thank you. I just have a 
couple of quick questions. I probably will not take all my 5 
minutes, but these are issues that I think are important.
    The last question I asked, Commissioner, was: How can we 
help? And I want you to explain to me why critical pay 
authority should be renewed.
    Commissioner Koskinen. The streamlined critical pay 
authority has two aspects. The most important in many ways is 
the streamlined part, and primarily we use it for advanced-
technology people. We can find somebody like the head of our 
Information Technology system, who worked at Boeing, and we can 
recruit them, and, much as in the private sector, if we find 
the right person, we can make them an offer, and they can 
accept it and start immediately.
    The government process requires us to go through a 
complicated process that takes sometimes 3 to 4 months, and for 
the kind of people, the handful you are talking about 
recruiting, they often cannot wait 3 to 4 months or will not 
wait 3 to 4 months. Our IT head told me we have two people we 
have tried to hire in the IT department who, if we had 
streamlined critical pay, would have come. They did not want to 
participate in a 3- to 5-month process and, therefore, turned 
us down.
    Senator Heller. The authority expired in 2013.
    Commissioner Koskinen. Correct.
    Senator Heller. What has been the impact between then and 
today, outside the story you just told me?
    Commissioner Koskinen. Well, we have had 29 people on 
streamlined critical pay authority. We were authorized no more 
than 40, and we never used more than 34 of them, so we did not 
just put people in. We are down now to 15 or 16. We have lost 
our Senior International Expert in Tax Enforcement. We have 
lost the Deputy CIO. We have lost the three people who are best 
at big data analysis, including our expert on authentication. 
Their term ran out, and we have not been able to replace them.
    Senator Heller. One follow-up. I do not have to tell you 
about your budget. You know your budget a lot better than I do. 
But in 2014, it is my understanding you spent in the area of 
$2.4 billion or 21 percent of your budget in information 
technology. With that budget being that substantial, do you 
have the experts that you need in cyber-security?
    Commissioner Koskinen. We at this point have the experts. 
In fact, a key executive in cyber-security is on streamlined 
critical pay. He will rotate off.
    Senator Heller. Okay. That was my next question.
    Commissioner Koskinen. If we do not have the possibility, 
we will not be able to get them in. Of the budget in 2014, 
about 80 percent of it goes to simply operating and maintaining 
our system, so that our challenge in 2014 was, for instance, we 
asked for $300 million in IT to implement the Affordable Care 
Act. We got zero. So we had to take $300 million out of other 
IT programs, and the same thing happened in 2015.
    Senator Heller. Do you feel you have well-qualified hires?
    Commissioner Koskinen. We have a spectacular workforce. It 
is the best workforce I have ever dealt with, and I have dealt 
with a lot of different enterprises in the private sector for 
20 years and in the government. It is a dedicated workforce. 
Even with all the pressure and sometimes the abuse they take, 
they are dedicated to the mission, and the mission is based on 
helping taxpayers.
    Senator Heller. Okay. Commissioner, thank you.
    Mr. Chairman, thank you.
    The Chairman. My understanding is that Senator Carper would 
like to ask a couple of questions, but first I would like to 
thank both of you for being here, and I appreciate the 
testimony you have given here today.
    Mr. Koskinen, you have a tough job. There is no question 
about it. I do not know anybody who approaches it with a smile 
like you do, and I would be upset every day. And I think there 
is something wrong with you that you are not upset every day. 
[Laughter.]
    On the other hand, I know you are.
    And, Mr. George, we are very pleased with the hard work 
that you do--and your group down there. It is important that we 
have both of you working in the best interests of our country 
and of our taxpayers, and I really have appreciated you over 
the time that I have known you and the time you have been 
advising the committee.
    Mr. George. Thank you, Senator.
    The Chairman. With that, we will turn to Senator Carper, 
and hopefully finish up with Senator Carper.
    Senator Carper. Thanks, Mr. Chairman.
    I am an old State treasurer and an old Governor, and I have 
been thinking about these attacks on the IRS. And, as you know, 
there are 50 States. They all have their own divisions of 
revenue. Has anyone given any thought to how to better help 
them prepare to defend information and defend their treasuries 
from attacks like this? Is there any discussion of that?
    Commissioner Koskinen. As I say, we have had and now have a 
much more formal partnership and working relationship with 
States, with tax administrators. We are sharing information. We 
are trying to provide them as much assistance as we can about 
what we know. As I say, this is no longer the problem of any 
individual organization. This is a systemic challenge across 
the entire economy. There is a website somebody sent me that 
had the indications that of the 25 cyber-attacks and data 
breaches in May alone, 25 around the world, we are just one of 
those 25.
    So we take it seriously. We need to deal with it 
aggressively. But we need to understand, it is in the context 
of a significant systemic set of attacks.
    Senator Carper. I think I heard you say, Commissioner 
Koskinen, describing the information that was included in the 
letters going out, I thought I heard you say the term ``IP 
PIN'' in one of your answers. Would you just elaborate on that, 
please?
    Commissioner Koskinen. Yes. An Identity Protection PIN is a 
separate 6-digit number that is given to taxpayers if they are 
the victims of identity theft which they use to file in 
addition to their Social Security Numbers. They will have their 
Social Security Number, because we can check that against W-2s. 
But on the 1040 there is a point where they will include their 
IP PIN. If the IP PIN does not appear, the return is not 
accepted. So it protects them against anyone filing a 
fraudulent return with their Social Security Number alone.
    Senator Carper. All right. Thank you. I know it is still 
early in the review process, but do you intend to reinstate the 
Get Transcript online application? And if so, how do you 
balance the need for additional security against the need for 
taxpayers to have a convenient means of gathering access to old 
returns?
    Commissioner Koskinen. Well, it is the conundrum we face in 
any of these applications. As I say, we had 23 million 
successful downloads. That is a lot of taxpayer service. We 
will not put it back up unless we are satisfied that the 
security is, in fact, appropriate. It does mean that it is 
going to be more difficult for taxpayers, and more of them will 
not be able to get through. Already some of them cannot get 
through the existing security measures. But again, I think 
taxpayers are in a position to understand that.
    We are looking at the lessons learned from this event. We 
are delving into at great length exactly how it happened, what 
could be done in the security issues to make it more difficult 
for it to happen, if not impossible. But as you know, it is a 
continual trade-off of trying to provide as much information as 
readily to taxpayers as we can, but at the same time protecting 
that data.
    Senator Carper. We have heard a fair amount today about 
upgrading the IRS's IT systems. Will the President's fiscal 
year budget request be sufficient, if it is met, to meet those 
needs? Or is that request from the President, from the 
administration, for 2016 just the beginning of a multiyear 
effort to upgrade your computer systems?
    Commissioner Koskinen. The President's budget would allow 
us to, in fact, make significant progress in 2016, but your 
point is well taken. We have been working on upgrading the 
system for some time. We are not going to be able to do it in 1 
year. One of the things we are working on with the 
appropriators is to give them a longer-term view of what it 
actually takes both to upgrade the systems and also to provide 
secure, increased availability of information to taxpayers.
    Senator Carper. All right. We talked a moment ago about 
partnership and reaching out to the States and making sure that 
they learn from us at the Federal level, and maybe we can learn 
a few things from them to provide better protection against 
these attacks. Are there any other countries that we are 
communicating with that have thought through these problems and 
responded to these same kinds of challenges that we may be able 
to glean some helpful ideas from?
    Commissioner Koskinen. We are in contact--I belong to a 
group of the 43, in effect, largest tax administrators around 
the world. We seem, primarily because, I think, of the size of 
the economy and the attractiveness of it, to have more of these 
challenges than others. But security is on all of their minds. 
Those with a value-added tax have less concern about individual 
taxpayers, as noted in the earlier discussion. But we are 
sharing information particularly with the OECD countries. But 
as I say, thus far in the meetings I have had with them, we 
seem to be having more challenges as an economy as well as a 
tax administration system.
    Senator Carper. And a last question, if I could, Mr. 
Chairman, maybe of Inspector General George. A year or so ago a 
firm, I want to say it might have been--I am not sure of the 
name of the firm--but a U.S. firm that specializes in 
protection against cyber-attacks, a private firm--Mandiant. I 
think it was Mandiant. Someone did a fair amount of work on 
attacks emanating from China, and they actually drilled down 
and said, ``These are the folks, this is where they are 
located, these are the people who are actually launching these 
attacks against our country.'' The Chinese did not accept it 
very well, but I have not seen anything to refute the veracity 
of the assertions.
    I always like to focus on root causes. I like to focus on 
root causes, and I keep trying to figure out how do we go on a 
root-cause approach to deal with this issue, but it is just 
spreading. In our own family, we have been involved in a hack 
against the university that we are associated with, with our 
health care provider, now in this case with the issue at hand. 
So I like to say, the third time is the charm, I hope. I hope 
it is over. But my guess is it is not for us. But how do we go 
about the root cause of getting to this? Again, is there some 
way--everybody keeps saying it is coming from Russia, Russian 
criminal organizations. Is there not anything we can do about 
that?
    Mr. George. Well, if it is addressed to me, sir, I mean, 
Willie Sutton said, ``That is where the money is.'' And of 
course, having the world's largest economy, as the Commissioner 
suggested, you know, it attracts the bad guys.
    While I am not familiar with the study you just cited 
citing China as the source of a lot of these problems, on a 
number of the criminal investigations that have been completed 
by us, a lot of them did emanate from former Soviet republics--
Belarus and places like that. It is again, sir, just too many 
people who have too much time on their hands, and with their 
sophistication that relates to computers and networks and 
servers and the like, it is truly a challenge, and not just for 
the Internal Revenue Service. As has been stated before, both 
by the Commissioner and members of this panel, this is a 
Federal, State, local, global problem. And I do not see it 
ending any time soon, sir, because, just as soon as the IRS 
increases its security posture, the bad guys will increase 
their efforts to overcome those, and they have a lot of time on 
their hands.
    Senator Carper. Mr. Chairman, I would just say in closing, 
we spend a lot of time trying to focus on the symptoms of 
problems in all kinds of ways. We do not always focus on the 
root causes. And one of the things that it is important that we 
focus on is the symptoms and defending against these attacks in 
ways that have been discussed here today. But at the same time, 
we need to be thinking about root causes as well. And I am not 
sure how to do that, but we need to think about that.
    Thank you so much, and thanks to our witnesses.
    The Chairman. Thank you, Senator Carper.
    Senator Nelson?
    Senator Nelson. Mr. Chairman, these are numbers of 
confirmed tax-related identity theft victims: Florida, 334,962; 
Utah, 10,654; Delaware, 4,703. Senator Carper, you had 4,703 of 
your constituency who were victims of identity theft. Total 
U.S., D.C.: 1,889,736. If you include the U.S. territories and 
unconfirmed residents, we are talking about 2.75 million.
    Now, Mr. Chairman, we have had six hearings on identity 
theft, and yet we continue to bring in the IRS. We ought to 
take care of this by passing legislation. I filed legislation, 
you filed legislation. Your legislation has a lot of 
similarities with our legislation. We ought to get something 
moving.
    The Chairman. Let us get together and get it done. I agree 
with you.
    Senator Nelson. Excellent.
    The Chairman. All right.
    Senator Nelson. So put on the record, Mr. Commissioner, 
what tool would help you on this, which I think is in the 
legislation, but I suspect you want to get that out there on 
the record.
    Commissioner Koskinen. Yes. As we said earlier in the 
hearing, the legislation we have increasing support on the Hill 
for--we need to get information returns, particularly W-2s, 
earlier. We need to get them in January when employees get them 
so that we can, in fact, before we send out refunds, have a 
better chance of checking the return data.
    We also need to have authority to, in effect, use what are 
called hashtags with industry on those W-2s to make sure that 
the W-2s themselves are accurate. Criminals are now forming 
false corporations and generating false W-2s to go along with 
their fraudulent returns.
    We need to provide minimum standards for qualifications for 
education for tax preparers, which you have talked about in 
your bill. We need to increase the penalties for engaging in 
identity theft and refund fraud. Those are requests in our 
budget proposal. They are in your legislation. We are delighted 
to work with you and with the chairman to put together a final 
package that would give us additional tools.
    I would stress they will be important and very helpful, but 
as the Inspector General and I have both been saying, there is 
no magic silver bullet that tomorrow morning is going to put 
this all to an end. We need to continue to be vigilant. We will 
need to continue to do everything we can with our systems, with 
our security, with our monitoring of it. But clearly, the items 
that are contained in the legislative discussions you and the 
chairman have been having are going to be important.
    Senator Nelson. Okay. That is my point, Mr. Chairman, and--
--
    The Chairman. Still, let us get together.
    Senator Nelson. Let us do it. And, Mr. Chairman, I became 
alerted to this--this is what is shocking. This was about 4 
years ago. Street crime in Tampa, FL dropped--burglaries, auto 
thefts, muggings dropped--because the criminals suddenly 
realized: get a laptop, go in and create a false return, and 
get a refund. And it was all of a sudden too easy to get money.
    Now, it is a good thing that people's homes were not being 
burglarized, but nevertheless, people were being robbed. In 
this case, it is not only individuals who had a nightmare, by 
the way--and thanks to the IRS; you have helped us 
administratively once a taxpayer has a false return in their 
name--but then all of the other ID trauma that they go through 
getting back their ID. But it suddenly had a whole shift, and 
the taxpayers are paying because of this theft.
    So thank you, Mr. Chairman.
    The Chairman. Thank you, Senator.
    I want to thank Commissioner Koskinen and Inspector General 
George for appearing before the committee today, as well as all 
of the Senators who have participated. This has been a very 
interesting hearing for me.
    Commissioner Koskinen, three unrelated but important points 
before we wrap up.
    First, in recent months I have written to you regarding the 
reissuance of the proposed rule on political activity by tax-
exempt organizations. You know how interested this committee is 
in this matter. Can you tell me when the IRS and Treasury 
Department will reissue the proposal?
    Commissioner Koskinen. If I had a crystal ball, I would be 
better at giving you that information. We have spent a lot of 
time, we had 160,000 responses we took very seriously. I 
personally have read over 1,200 pages of thoughtful responses. 
We are moving forward. My commitment has been that----
    The Chairman. Keep me informed.
    Commissioner Koskinen. Yes. My commitment has been that we 
will keep you informed. You will not be surprised. We will keep 
you updated before we actually issue a proposal, and it will 
provide for 90 days of comment and a subsequent public hearing. 
So we do not want anybody to think we are rushing this. We are 
only going to do this once. We are not going to do it every 2 
or 3 years.
    The Chairman. Well, I want to end that chapter of 
mistreatment of conservative groups--liberal groups. I do not 
care. It just should not happen, and I am counting on you to 
straighten it out.
    Commissioner Koskinen. Yes. As I have said, we want to have 
a rule that is clear, fair to everybody, easy to administer, 
and easy to operate a (c)(4) organization under so you do not 
have to worry about somebody second-guessing you in the future.
    The Chairman. That would be great.
    Second, in April, I wrote to Secretary Lew requesting 
documents relating to the 2013 political activity rule. He has 
declined that request, and I will be responding to him on the 
matter.
    Now, I wanted to give you notice that I will be sending a 
similar request to your agency, and I look forward to working 
with you on that in the near future.
    Finally, in April, I wrote to you regarding the IRS's 
spending on information technology, and I want to thank you for 
acknowledging my letter, and I look forward to receiving a 
thorough response as soon as possible, if you can.
    Commissioner Koskinen. It is a lot of data to pull 
together, but I think it will be very helpful because it does 
answer a range of very detailed questions about priorities, 
about our experience, how we monitor it all, and, with a little 
luck, we will get it to you very quickly.
    The Chairman. Well, thank you. I hope you are very lucky. I 
want to thank both of you very much. This has meant a lot that 
you would come up on such short notice.
    Any questions for the record should be submitted by no 
later than Tuesday, June 9th.
    With that, the hearing is adjourned.
    [Whereupon, at 11:56 a.m., the committee was adjourned.]

                            A P P E N D I X

              Additional Material Submitted for the Record

                              ----------                              


   Prepared Statement of Hon. J. Russell George, Treasury Inspector 
       General for Tax Administration, Department of the Treasury
    Chairman Hatch, Ranking Member Wyden, and Members of the Committee, 
thank you for the opportunity to testify on the data breach that 
occurred at the Internal Revenue Service (IRS).

    The Treasury Inspector General for Tax Administration, also known 
as ``TIGTA,'' is statutorily mandated to provide independent audit and 
investigative services necessary to improve the economy, efficiency, 
and effectiveness of the IRS. TIGTA's oversight activities are designed 
to identify high-risk systemic inefficiencies in IRS operations and to 
investigate exploited weaknesses in tax administration. TIGTA's role is 
critical in that we provide the American taxpayer with assurance that 
the approximately 91,000 \1\ IRS employees, who collected over $3.1 
trillion in tax revenue, processed over 242 million tax returns and 
other forms, and issued $374 billion in tax refunds \2\ during Fiscal 
Year 2014, perform their duties in an effective and efficient manner 
while minimizing the risks of waste, fraud, or abuse. This includes 
investigating individuals who use the IRS as a means of furthering 
fraudulent, criminal activity that negatively impacts the operations of 
the IRS, as well as investigating allegations of serious misconduct by 
IRS employees and threats of violence against the IRS, its employees, 
and facilities. Over the past year, a significant part of our workload 
has been devoted to investigating scams that can negatively impact the 
integrity of tax administration.
---------------------------------------------------------------------------
    \1\ Total IRS staffing as of January 24, 2015. Included in the 
total are approximately 19,000 seasonal and part-time employees.
    \2\ IRS, Management's Discussion and Analysis, Fiscal Year 2014, 
page 2.
---------------------------------------------------------------------------
                 overview of the recent irs data breach
    On May 26, 2015, the IRS announced that criminals had used 
taxpayer-specific data acquired from non-IRS sources to gain 
unauthorized access to information onapproximately 100,000 tax accounts 
through the IRS's Get Transcript application.\3\ TIGTA's Office of 
Investigations continues to investigate this incident, coordinating 
with other Federal law enforcement agencies. We ask for patience while 
we gather the evidence we need to determine who is responsible for this 
intrusion so they can be brought to justice. In addition, the evidence 
we are gathering is also critically important for us to understand the 
impact on the victims as well as to document exactly how this happened 
so it can be prevented in the future.
---------------------------------------------------------------------------
    \3\ Information available on the Get Transcript application can 
include account transactions, line-by-line tax return information, and 
income reported to the IRS.

    According to reports we received from the IRS, which we have not 
yet validated, an individual or individuals succeeded in clearing an 
authentication process that required knowledge of information about the 
taxpayer, including Social Security information, date of birth, tax 
filing status, and street address. In addition, it appears that these 
third-parties had access to private personal information that allowed 
them to correctly answer questions which typically only the taxpayer 
would know. This type of information can be purchased from illicit 
---------------------------------------------------------------------------
sources or fee-based databases, or obtained from social media sites.

    The proliferation of data breaches reported in recent years and the 
types of information available on the Internet has resulted in a 
degradation of controls used to authenticate individuals accessing 
personal data in some systems. The expansion of e-commerce services 
often conflicts with the tenets of strict security standards. Providing 
taxpayers more avenues to obtain answers to their tax questions or to 
access their own tax records online also creates greater risk to an 
organization and provides more opportunities for exploitation by 
hackers and other fraudsters.

    In its most recent Strategic Plan,\4\ the IRS acknowledged that the 
current technology environment has raised taxpayers' expectations for 
online customer service interactions and it needs to meet these 
expectations. However, the risk for this type of unauthorized access to 
tax accounts will continue to grow as the IRS focuses its efforts on 
delivering taxpayers self-assisted interactive online tools. The 
Commissioner of Internal Revenue's vision is to provide taxpayers and 
tax professionals with electronic products and services that they 
desire to enable them to interact and communicate with the IRS. This 
includes more robust online services, based on the idea of accessing 
Government services anywhere, any time, on any device, in three to 5 
years. For example, the IRS is acquiring software and contractor 
services for a Secure Messaging Pilot Program to be launched in Fiscal 
Year 2016 that will lay the foundation for a broader taxpayer digital 
communication rollout in the future.
---------------------------------------------------------------------------
    \4\ Internal Revenue Service Strategic Plan--FY 2014-2017 (IRS 
Publication 3744), pgs. 6-7 (June 2014).

    In addition to the IRS's Get Transcript application, the IRS also 
requires taxpayers to authenticate their identities for certain other 
services on its public Internet site or its toll-free customer service 
lines, which could also pose a risk for unauthorized access. In June 
2014, the IRS established its Authentication Group to provide oversight 
and facilitate the development and implementation of authentication 
policies and processes across the IRS's business functions. Due to the 
significant risks in this area, we currently have an audit underway to 
assess the IRS's processes for authenticating taxpayers at the time tax 
returns are processed and when accessing IRS services.\5\
---------------------------------------------------------------------------
    \5\ TIGTA, Audit No. 201440016, Efforts to Authenticate Individual 
Income Tax Return Filers Before Tax Returns Are Processed, report 
planned for August 2015.
---------------------------------------------------------------------------
              data security remains a top concern of tigta
    Since Fiscal Year 2011, TIGTA has designated the security of 
taxpayer data as the top concern facing the IRS based on the increased 
number and sophistication of threats to taxpayer information and the 
need for the IRS to better protect taxpayer data and improve its 
enterprise security program. In addition, the IRS has declared its 
Information Security program as a ``significant deficiency'' from a 
financial reporting standpoint, which means weaknesses in its internal 
control environment are important enough to merit the attention of 
those charged with IRS governance.

    To provide oversight of the IRS's Information Security program, 
TIGTA completes approximately seven audits each year on various 
security programs, systems, and solutions. As of March 2015, these 
audits have resulted in 44 recommendations that have yet to be 
implemented. While most of these recommendations are based on recent 
audits, there are 10 recommendations from five audits that are over 
three years old. In addition, the IRS has disagreed with 10 of 109 
recommendations from 19 audits relating to security that we performed 
during the period of Fiscal Year 2012 through Fiscal Year 2014.

    We have identified a number of areas in which the IRS could better 
protect taxpayer data and improve its overall security posture. Most 
recently, we found two areas that did not meet the level of performance 
specified by the Office of Management and Budget and the Department of 
Homeland Security: (1) Identity and Access Management, and (2) 
Configuration Management.\6\
---------------------------------------------------------------------------
    \6\ TIGTA, Ref. No. 2014-20-090, Treasury Inspector General for Tax 
Administration--Federal Information Security Management Act Report for 
Fiscal Year 2014 (Sept. 2014).

    Identity and Access Management ensures that only those with a 
business need are able to obtain access to IRS systems and data. 
However, we found that the IRS needs to fully implement unique user 
identification and authentication that complies with Department of 
Homeland Security directives, ensure that users are only granted access 
based on needs, ensure that user accounts are terminated when no longer 
---------------------------------------------------------------------------
required, and control the improper use of shared accounts.

    Configuration Management ensures that settings on IRS systems are 
maintained in an organized, secure, and approved manner, including 
timely updating patches to known security vulnerabilities. We found 
that the IRS needs to improve enterprise-wide processes for assessing 
configuration settings and vulnerabilities by means of automated 
scanning, timely remediating scan result deviations, timely installing 
software patches, and controlling changes to hardware and software 
configurations.

    Patch \7\ management is an important element in mitigating the 
security risks associated with known vulnerabilities to computer 
systems. This is critical to prevent intrusions by unauthorized 
individuals or entities. Due to its importance, TIGTA evaluated the 
effectiveness of the IRS security patch management process, which has 
been an ongoing challenge for the IRS.\8\ We found that the IRS has 
made progress in automating installation and monitoring in a large 
segment of its computers, but it has not yet implemented key patch 
management policies and procedures needed to ensure that all IRS 
systems are patched timely and operating securely. Any significant 
delays in patching software with critical vulnerabilities provides 
ample opportunity for persistent attackers to gain control over 
vulnerable computers and get access to the sensitive data the computer 
systems may contain, including taxpayer data.
---------------------------------------------------------------------------
    \7\ A patch is a fix of a design flaw in a computer program. 
Patches must be installed or applied to the appropriate computer for 
the flaw to be corrected.
    \8\ TIGTA, Ref. No. 2012-20-112, An Enterprise Approach Is Needed 
to Address the Security Risk of Unpatched Computers (Sept. 2012).

    We have also identified other areas that would improve the IRS's 
ability to defend its systems against cyber-attacks. Monitoring IRS 
networks 24 hours a day year-round for cyber-attacks and responding to 
various computer security incidents is the responsibility of the IRS's 
Computer Security Incident Response Center (CSIRC). TIGTA evaluated the 
effectiveness of the CSIRC at preventing, detecting, reporting, and 
responding to computer security incidents targeting IRS computers and 
data.\9\ We found that the CSIRC is effectively performing most of its 
responsibilities for preventing, detecting, and responding to computer 
security incidents. However, further improvements could be made. At the 
time of our review, the CSIRC's host-based intrusion detection system 
was not monitoring a significant percentage of IRS servers, which 
leaves that portion of the IRS network and data at risk. In addition, 
the CSIRC was not reporting all computer security incidents to the 
Department of the Treasury, as required. Finally, incident response 
policies, plans, and procedures were either nonexistent, inaccurate, or 
incomplete.
---------------------------------------------------------------------------
    \9\ TIGTA, Ref. No. 2012-20-019, The Computer Security Incident 
Response Center Is Effectively Performing Most of Its Responsibilities, 
but Further Improvements Are Needed (Mar. 2012).

    One of the Federal Government's latest security initiatives is the 
implementation of information security continuous monitoring, which is 
defined as maintaining ongoing, real-time awareness of information 
security, vulnerabilities, and threats to support organizational risk 
decisions. While the IRS has made progress and is in compliance with 
Department of Homeland Security and Department of the Treasury 
guidelines, we have found that, based on the large scale of the IRS's 
computer environment, a one-size-fits-all approach does not provide the 
best security for the IRS.\10\
---------------------------------------------------------------------------
    \10\ TIGTA, Ref. No. 2014-20-083, The Internal Revenue Service 
Should Implement an Efficient Internal Information Security Continuous 
Monitoring Program That Meets Its Security Needs (Sept. 2014).

    We have also previously raised concerns over the remediation of 
security weaknesses identified in our audits. Management controls are a 
major part of managing an organization and provide reasonable assurance 
that organizational objectives are achieved. We have reviewed closed 
corrective actions to security weaknesses and findings reported by 
TIGTA and identified weak management controls in the IRS over its 
closed planned corrective actions for the security of systems involving 
taxpayer data.\11\ During our audit, TIGTA determined that eight (42 
percent) of 19 planned corrective actions that were approved and closed 
by the IRS as fully implemented in response to reported security 
weaknesses from prior TIGTA audits were only partially implemented.
---------------------------------------------------------------------------
    \11\ TIGTA, Ref. No. 2013-20-117, Improved Controls Are Needed to 
Ensure That All Planned Corrective Actions for Security Weaknesses Are 
Fully Implemented to Protect Taxpayer Data (Sept. 2013).

    Management control also involves the use of risk-based decisions by 
IRS management to make an exception to its own policies and 
requirements based on suitable justification and a thorough assessment 
of evident and potential risks. For decisions related to the security 
of information systems, exceptions are allowed if meeting the 
requirement is: (1) not technically or operationally possible, or (2) 
not cost effective. We found that these risk-based decisions were not 
adequately tracked and documented. Without required supporting 
documentation, we could not determine why decisions were made and 
whether the information technology risks were appropriately accepted 
and approved.\12\
---------------------------------------------------------------------------
    \12\ TIGTA, Ref. No. 2014-20-092, The Internal Revenue Service Does 
Not Adequately Manage Information Technology Security Risk-Based 
Decisions (Sept. 2014).
---------------------------------------------------------------------------
         attempts to defraud tax administration are increasing
    Due to its mission, the trillions of dollars that flow through the 
IRS each year, and the hundreds of millions of taxpayer data sets used 
and maintained by the IRS, the IRS is continuously under attack by 
criminals using the tax administration system for personal gain in 
various ways. These scams, and the methods used to perpetrate them, are 
constantly changing and require constant monitoring by the IRS. For at 
least the last decade, the IRS has provided the public with information 
about what it sees as the ``Dirty Dozen'' tax scams on its website. 
These scams range from offshore tax avoidance to fake charities, and 
inflated refund claims. Compiled annually, the ``Dirty Dozen'' lists a 
variety of common scams that taxpayers may encounter.

    In addition to the data breach discussed previously, two of the 
most pervasive frauds currently being perpetrated that impact tax 
administration are the phone impersonation scheme and identity theft.
Phone Impersonation Scam
    The phone impersonation scam has proven to be so large that it is 
one of TIGTA's Office of Investigation's top priorities, and it has 
also landed at the top of the IRS's ``Dirty Dozen'' tax scams this 
year. It has proven to be a surprisingly effective and fast way to 
steal taxpayers' money, and in this fast-paced electronic environment, 
the money can be gone before the victims ever realize that they have 
been scammed. The number of complaints we have received about this scam 
makes it the largest, most pervasive impersonation scam in the history 
of our agency. It has claimed thousands of victims with reported losses 
totaling almost $19 million to date.

    We first started seeing concentrated reporting of these calls in 
August 2013. As the reporting continued through the fall, in October 
2013 we started to specifically track this crime. To date, we have 
received hundreds of thousands of complaints about these calls. 
According to the victims, the scam artists made threatening statements 
and then demanded that the victims immediately put money on prepaid 
debit cards in order to avoid being arrested. The callers often warned 
the victims that if they hung up, local police would come to their 
homes to arrest them. The scammers may also send bogus IRS e-mails to 
support their scam. Those who fell for the scam withdrew thousands of 
dollars from their bank accounts and then purchased the prepaid debit 
cards as instructed by the callers. Once the prepaid debit cards were 
purchased, the perpetrators instructed the victims to call them back 
and read them the numbers on the prepaid card. By the time the victims 
realized they had been scammed, the perpetrators had negotiated the 
prepaid cards and the money was gone.

    To date, TIGTA has received over 525,000 reports of these calls. We 
continue to receive between 9,000 and 12,000 reports of these calls 
each week. As of May 25, 2015, 3,700 individuals have been victimized 
by this scam and have paid a total of almost $19 million, an average of 
approximately $5,100 per victim. The highest reported loss by one 
individual was over $500,000. In addition, 296 of these victims also 
provided sensitive identity information to these scammers.

    The perpetrators do not discriminate; they are calling people 
everywhere, of all income levels and backgrounds. Based on a review of 
the complaints we have received, we believe the calls are now being 
placed from more than one source. This scam is the subject of an 
ongoing multi-agency investigation. There is much that we are doing to 
apprehend the perpetrators, but TIGTA is not at liberty to disclose 
specifically what is being done as it may impede our ability to 
successfully bring these criminals to justice. I can tell you that it 
is a matter of high priority for law enforcement.

    However, there is much more that needs to be done, as these 
examples are part of a broader ring of scam artists operating beyond 
our borders. This is unfortunately similar to most of the cyber-crime 
we are seeing today--it is international in nature and committed by 
means of technology (e.g., in the case of the phone fraud scam, the use 
of Voice over Internet Protocol technology), and much of it originates 
from computers outside the United States. To further deceive their 
intended victims, by using this technology, the criminals create false 
telephone numbers that show up on the victim's caller ID system. For 
example, the criminals make it appear as though the calls are 
originating from Washington, DC or elsewhere in the United States.
Identity Theft
    Another challenging area impacting tax administration is the growth 
in identity theft. At the same time the IRS is operating with a reduced 
budget, it continues to dedicate significant resources to detect and 
review potential identity theft tax returns as well as to assist 
victims. Resources have not been sufficient for the IRS to work 
identity theft cases dealing with refund fraud, which continues to be a 
concern. A critical component of preventing and combating identity 
theft refund fraud is the authentication of a taxpayer's identity at 
the time tax returns are processed.

    During the past several years, the IRS has continued to take steps 
to more effectively detect and prevent the issuance of fraudulent 
refunds resulting from identity theft tax return filings. The IRS 
reported that in Filing Season 2013, its efforts prevented between $22 
billion and $24 billion in identity theft tax refunds from being 
issued.\13\ This is a result of the IRS's continued enhancement of 
filters used to detect tax returns that have a high likelihood of 
involving identity theft at the time the returns are processed. For 
example, the IRS used 11 filters in Processing Year (PY) 2012 to 
identify tax returns with a high likelihood of involving identity 
theft, compared to the 114 filters it used in PY 2014. The use of these 
filters assists the IRS in more effectively allocating its resources to 
address identity theft tax refund fraud.
---------------------------------------------------------------------------
    \13\  IRS Identity Theft Taxonomy, dated September 15, 2014, page 
1.

    The IRS has also taken steps to more effectively prevent the filing 
of identity theft tax returns by locking the tax accounts of deceased 
individuals to prevent others from filing a tax return using their 
names and Social Security Numbers. The IRS has locked approximately 
26.3 million taxpayer accounts between January 2011 and December 31, 
2014. In addition, the IRS issues an Identity Protection Personal 
Identification Number (IP PIN) to any taxpayer who is a confirmed 
victim of identity theft or who has reported to the IRS that he or she 
could be at risk of identity theft. However, we reported that the IRS 
did not provide an IP PIN to 557,265 eligible taxpayers for Processing 
Year 2013.\14\ Once the IRS confirms the identity of a victim or ``at-
risk'' taxpayer, the IRS will issue the taxpayer an IP PIN for use by 
the taxpayer when filing his or her tax return. The presence of a valid 
IP PIN on the tax return tells the IRS that the rightful taxpayer filed 
the tax return, thus reducing the need for the IRS to screen the tax 
return for potential identity theft. The IRS has issued more than 1.5 
million IP PINs for PY 2015.
---------------------------------------------------------------------------
    \14\ TIGTA, Ref. No. 2014-40-086, Identity Protection Personal 
Identification Numbers Are Not Provided to All Eligible Taxpayers 
(Sept. 2014).

    Despite these improvements, the IRS recognizes that new identity 
theft patterns are constantly evolving and that consequently, it needs 
to adapt its detection and prevention processes. The IRS's own analysis 
estimates that identity thieves were successful in receiving over $5 
---------------------------------------------------------------------------
billion in fraudulent tax refunds in Filing Season 2013.

    In summary, the IRS faces the daunting task of protecting its data 
and IT environment from the ever-changing and rapidly-evolving hacker 
world. This incident provides a stark reminder that even security 
controls that may have been adequate in the past can be overcome by 
hackers, who are anonymous, persistent, and have access to vast amounts 
of personal data and knowledge. The IRS needs to be even more vigilant 
in protecting the confidentiality of sensitive taxpayer information. 
Otherwise, as shown by this incident, taxpayers can be exposed to the 
loss of privacy and to financial damages resulting from identity theft 
or other financial crimes.

    We at TIGTA are committed to our mission of ensuring an effective 
and efficient tax administration system and preventing, detecting, and 
deterring waste, fraud, and abuse. As such, we plan to provide 
continuing audit and investigative coverage of the IRS's efforts to 
effectively protect sensitive taxpayer data and investigate any 
instances of attempts to corrupt or otherwise interfere with tax 
administration.

    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
thank you for the opportunity to share my view.
                                 ______
                                 
      Questions Submitted for the Record to Hon. J. Russell George
               Question Submitted by Hon. Mark R. Warner
    Question. It is my understanding that third-party vendors have 
signed up with the IRS to access taxpayer transcripts via the Income 
Verification Express Service. What is the IRS doing to ensure that 
these third-party vendors that have signed up with the IRS to access 
taxpayer transcripts have appropriate safeguards in place and are not 
vulnerable to data breaches?

    Answer. In January 2011, we evaluated regulations and Income 
Verification Express Service (IVES) enrollment policies to ensure 
lenders, such as banks, and companies that specialize in making third-
party requests for lenders (Income Verification Specialists) properly 
protect taxpayers' tax return information.\1\ At that time, we 
determined that the IRS did not have a screening process and did not 
define minimum requirements in the form of a user agreement to help 
ensure IVES Program participants meet minimum standards and protect tax 
return information. In addition, we found the IRS did not require IVES 
Program participants to maintain electronic security and not disclose 
the information they receive from the IRS to nonaffiliated third 
parties.
---------------------------------------------------------------------------
    \1\ TIGTA, Ref. No. 2011-40-014, The Income Verification Express 
Services Program Needs Improvements to Better Protect Tax Return 
Information (Jan. 2011).

    We recently performed a review to determine if the IVES and Return 
and Income Verification Services programs had adequate processes and 
procedures in place designed to prevent inadvertent disclosures of 
taxpayer information.\2\ The scope of this review was limited to the 
environment and processes under the IRS's direct control. We found that 
generally the appropriate controls were in place and that for Fiscal 
Years 2009 through 2013 approximately 118 million requests were 
processed and fewer than 800 inadvertent disclosure incidents were 
recorded. Our report recommendations related to how quickly disclosures 
should be reported, determining the method to document and fully report 
disclosures, ensuring quality review teams conduct all established 
tests, and ensuring that internal policies are properly updated to 
document the correct process for reporting inadvertent disclosures.
---------------------------------------------------------------------------
    \2\ TIGTA, Ref. No. 2015-IE-R004, Requests for Taxpayer Information 
Were Generally Processed Properly in the Return and Income Verification 
Services and the Income Verification Express Service Programs (Mar. 
2015).

    On June 1, 2016, we became aware of a fraud scheme in which 
perpetrators obtained sensitive tax and other identifying information 
and are using that information to order tax transcripts using the 
Transcript Delivery System (TDS). We have initiated a review to 
evaluate this issue as well as the adequacy of TDS's processes and 
procedures to ensure only authorized users obtain access to taxpayer 
information.\3\
---------------------------------------------------------------------------
    \3\ TIGTA, Audit No. 201640032, Review of the Transcript Delivery 
System, report planned for June 2017.

                                 ______
                                 
                 Questions Submitted by Hon. John Thune
    Question. I understand that based on TIGTA's audit of tax year 
2012, you reported that there were 787,000 fraudulent tax returns that 
went undetected by the IRS. This is actually an improvement, down from 
1.1 million years for tax year 2011. How would you assess the progress 
being made by the IRS in preventing identity-theft related tax fraud? 
What overall grade would you give the IRS in this area?

    Answer. The IRS continues to make significant improvements in its 
identification of identity theft tax returns at the time the returns 
are processed and before fraudulent tax refunds are released. For 
example, the IRS reports that in the 2013 Filing Season,\4\ it detected 
approximately $24.3 billion in identity theft refund fraud. However, 
the IRS also recognizes that new identity theft patterns are constantly 
evolving and, as such, it needs to continue to adapt its detection and 
prevention processes. Consequently, the IRS continues to expand its 
filters used to detect identity theft refund fraud at the time tax 
returns are processed.
---------------------------------------------------------------------------
    \4\ The period from January through mid-April when most individual 
income tax returns are filed.

    For example, the IRS used 11 filters in Processing Year 2012 to 
detect approximately 325,000 tax returns that prevented the issuance of 
approximately $2.2 billion in fraudulent tax refunds. In Processing 
Year \5\ 2014 as of September 30, 2014, the IRS increased its filters 
to 114 and detected 832,412 tax returns, preventing the issuance of 
approximately $5.5 billion in fraudulent tax refunds. According to the 
IRS, for Processing Year 2015, it has increased the number of filters 
to 196 and detected 306,708 tax returns, preventing the issuance of 
about $2.2 billion in fraudulent tax refunds as of May 31st, 2015.
---------------------------------------------------------------------------
    \5\ The calendar year in which the tax return or document is 
processed by the IRS.

    In addition, the IRS continues to expand the locking of tax 
accounts, which results in the rejection of an electronically filed (e-
filed) tax return (i.e., the IRS will not accept the tax return for 
processing). A locked tax account also prevents paper-filed tax returns 
from posting to the Master File if the Social Security Number 
associated with the locked tax account is used to file a tax return. 
Between January 2011 and May 31, 2015, the IRS locked approximately 
28.6 million taxpayer accounts of deceased individuals. For Processing 
Year 2015 as of May 31, 2015, the IRS stopped 18,996 processed tax 
returns with refunds totaling approximately $31.4 million from posting 
to the Master File using the account locks. Additionally, the IRS has 
rejected (i.e., did not accept for processing) 85,811 e-filed tax 
---------------------------------------------------------------------------
returns through the use of these locks.

    For the 2013 Filing Season, the IRS also developed and implemented 
a clustering filter tool in response to TIGTA's continued 
identification of large volumes of undetected potentially fraudulent 
tax returns for which tax refunds had been issued to the same address 
or deposited into the same bank account. Tax returns identified are 
withheld from processing until the IRS can verify the taxpayer's 
identity. For Filing Season 2015 as of May 2, 2015, the IRS reports 
that, using this tool, it has identified 201,373 tax returns and 
prevented the issuance of approximately $496.5 million in fraudulent 
tax refunds.

    Despite the improvements in identification of identity theft tax 
returns at the time the returns are processed and before fraudulent tax 
refunds are released, the IRS still does not have timely access to 
third-party income and withholding information. Most third-party income 
and withholding information is not received by the IRS until well after 
tax return filing begins. For example, the deadline for filing most 
information returns with the IRS is March 31st, yet taxpayers can begin 
filing their tax returns as early as mid-January. In its Fiscal Year 
2015 Revenue Proposal, the IRS once again included a request for a 
legislative proposal to accelerate the deadline for filing third-party 
income and withholding information returns and eliminate the extended 
due date for electronically filed information returns.

    In continuing our assessment of the IRS's identification of 
fraudulent tax returns involving identity theft, we initiated a review 
in August 2015 to follow-up on the IRS's identity theft detection and 
prevention efforts, including assessing the IRS's efforts to quantify 
undetected identity theft through its Taxonomy project.\6\ The Taxonomy 
project aggregates the impact and loss of identity theft protection 
efforts across several IRS organizations and its goal is to achieve the 
level of precision and completeness required to provide critical 
strategic insights on identity theft affecting tax administration. We 
plan to issue our report by December 2016.
---------------------------------------------------------------------------
    \6\ TIGTA, Audit No. 201540001, Detection and Prevention of 
Identity Theft on Individual Tax Accounts--Follow-Up, report planned 
for Dec. 2016.

    Question. Mr. George, in your testimony you note that there are 44 
recommendations by TIGTA to the IRS in the area of information security 
that the IRS has yet to implement. Do you believe that these are 
recommendations the IRS can implement within its current budget? Has 
---------------------------------------------------------------------------
the IRS made a commitment to TIGTA to implement these recommendations?

    Answer. We cannot definitively answer whether the IRS can implement 
our recommendations as it is up to the IRS to prioritize its planned 
corrective actions.

    As of June 15, 2015, the IRS reported that it had recently closed 
eight of the 44 recommendations cited in our testimony. Of the 36 
remaining recommendations, the IRS indicated in its response to our 
report that the completion of corrective actions in response to two of 
these recommendations may be contingent on available funding: (1) 
identifying funding needed to support implementation of a Homeland 
Security Directive to require Personal Identity Verification card 
access to the IRS network and information systems;\7\ and (2) fully 
implementing software that will enable the IRS to identify where its 
most sensitive data are stored, who has access to the data, and where 
and by whom the data are sent to outside the IRS network.\8\
---------------------------------------------------------------------------
    \7\ TIGTA, Ref. No. 2014-20-069, Progress Has Been Made; However, 
Significant Work Remains to Achieve Full Implementation of Homeland 
Security Presidential Directive (Sept. 2014).
    \8\ TIGTA, Ref. No. 2014-20-087, While the Data Loss Prevention 
Solution Is Being Developed, Stronger Oversight and Process 
Enhancements Are Needed for Timely Implementation Within Budget (Sept. 
2014).

    As part of our audit process, the IRS can either agree or disagree 
with our audit recommendations. When it agrees, the IRS commits that 
they will correct the deficiency that we identified. In a prior audit, 
we assessed whether closed corrective actions to security weaknesses 
and findings reported by TIGTA had been fully implemented, validated, 
and documented as implemented.\9\ During our audit, we determined that 
eight (42 percent) of 19 corrective actions that were approved and 
closed as fully implemented to address reported security weaknesses 
from prior TIGTA audits were only partially implemented. These 
corrective actions involved systems with taxpayer data.
---------------------------------------------------------------------------
    \9\ TIGTA, Ref. No. 2013-20-117, Improved Controls Are Needed to 
Ensure That All Planned Corrective Actions for Security Weaknesses Are 
Fully Implemented to Protect Taxpayer Data (Sept. 2013).

    On occasion, the IRS will disagree with our audit recommendations. 
In fact, during the last three fiscal years (Fiscal Years 2012 to 
2014), the IRS disagreed with 10 of our 109 recommendations relating to 
---------------------------------------------------------------------------
information security in the following reports.

        Using SmartID Cards to Access Computer Systems Is Taking 
Longer Than Expected (Ref # 2012-20-115, dated September 28, 2012). The 
IRS disagreed with two of nine recommendations.
        Improvements Are Needed to Ensure the Effectiveness of the 
Privacy Impact Assessment Process (Ref # 2013-20-023, dated February 
27, 2013). The IRS disagreed with two of 11 recommendations.
        Better Cost-Benefit Analysis and Security Considerations Are 
Needed for the Bring Your Own Device Pilot Project (Ref # 2013-20-108, 
dated September 24, 2013). The IRS disagreed with one of five 
recommendations.
        While Efforts Are Ongoing to Deploy A Secure Mechanism to 
Verify Taxpayer Identifies, the Public Still Cannot Access Their Tax 
Account Information Via the Internet (Ref # 2013-20-127, dated 
September 25, 2013). The IRS disagreed with one of four 
recommendations.
        Improved Controls Are Needed to Ensure All Planned Corrective 
Actions for Security-Related Weaknesses Are Fully Implemented to 
Protect Taxpayer Data (Ref # 2013-20-117, dated September 27, 2013). 
The IRS disagreed with one of six recommendations.
        Planning is Underway for the Enterprise-Wide Transition to 
Internet Protocol Version 6 but Further Actions Are Needed (Ref # 2014-
20-016, dated February 27, 2014). The IRS disagreed with two of seven 
recommendations.
        While the Data Loss Prevention Solution Is Being Developed, 
Stronger Oversight and Process Enhancements Are Needed for Timely 
Implementation Within Budget (Ref # 2014-20-087, dated September 22, 
2014). The IRS disagreed with one of 12 recommendations.

                                 ______
                                 
              Question Submitted by Hon. Thomas R. Carper
    Question. Please provide additional information on the cost of 
critical pay at the Internal Revenue Service (IRS).

    Answer. TIGTA determined that the extra salary costs of the 
Streamlined Critical Pay program totaled approximately $1.7 million 
over the period reviewed (Calendar Years 2010 through 2013). The 
average pay of the highest graded Senior Executive Service Positions 
(ES-6) was approximately $179,000 a year while the average pay for the 
Streamlined Critical Pay positions was $ 198,000.
                                 ______
                                 
              Prepared Statement of Hon. Orrin G. Hatch, 
                        a U.S. Senator From Utah
WASHINGTON--Senate Finance Committee Chairman Orrin Hatch (R-Utah) 
today delivered the following opening statement at a committee hearing 
regarding the data theft at the Internal Revenue Service (IRS) which 
compromised the private information of over 100,000 taxpayers:

    Our hearing today concerns recent revelations that the Internal 
Revenue Service was the target of an organized service breach aimed at 
roughly 200,000 taxpayer accounts. We understand that over 100,000 of 
these breaches were successful, with cyber-criminals obtaining 
confidential taxpayer information from the agency's Get Transcript 
application.

    In dealing with this breach here in the Senate, this Committee 
stands alone, having legislative jurisdiction over the Internal Revenue 
Code, oversight jurisdiction over the IRS, and wide-ranging abilities 
to conduct investigations dealing with individual taxpayer information.

    While I have raised questions in the past about the way the IRS 
prioritizes its spending, today's hearing is about finding out how 
criminals stole vast amounts of taxpayer information. Any questions 
regarding funding levels for the agency should wait until we have a 
complete understanding about what occurred.

    Before we turn to the technological issues, let's focus for a 
moment on the victims. Because of this breach, criminals were able to 
get personal information about roughly 104,000 taxpayers, potentially 
including Social Security Numbers, bank account numbers, and other 
sensitive information. These taxpayers, and their families, must now 
begin the long and difficult process of repairing their reputations. 
And they must do so with the knowledge that the thieves who stole their 
data will likely try to use it to perpetrate further fraud against 
them.

    Commissioner Koskinen, put simply, your agency has failed these 
taxpayers.

    This hearing is of utmost importance as we work to find out what 
individuals and organizations were behind this breach; discover how 
this breach occurred, and what steps the IRS might have taken to 
prevent it; find out what taxpayer information was compromised, and how 
this may affect both taxpayers and tax administration going forward; 
and determine what tools and resources are necessary to better protect 
taxpayers, catch cyber-criminals, and prevent this type of breach from 
being successful in the future.

    Most of all, we must pledge to work together to make sure that this 
type of breach does not happen again.

    The secure movement of information is the lifeblood of 
international commerce and a necessary predicate for efficient 
government administration. Unfortunately, this information is also 
highly valuable to criminals.

    We see it in the headlines nearly every week--a major insurance 
company, bank, or retailer, has its information security compromised 
and personal information or corporate data is stolen. Federal 
departments--especially defense related agencies--come under attack 
each and every day.

    The IRS is not, and will never be, exempted from this constant 
threat.

    In fact, there is reason to believe the IRS will be more frequently 
targeted in the future. After all, the IRS stores highly sensitive 
information on each and every American taxpayer, from individual 
taxpayers to large organizations and from mom and pop businesses to 
multinational corporations. The challenge of data security matters a 
great deal to every single taxpayer and will continue to be a central 
challenge to tax administration in the coming years.

    Of course, data security and the protection of taxpayer information 
are of the highest importance in the prevention of stolen identity 
refund fraud. Identity theft, and the resulting tax fraud, costs 
taxpayers billions of dollars every year, and, once it occurs, it can 
take months or years for a taxpayer to mitigate the damage.

    It was out of concern over stolen identity refund fraud that 
Ranking Member Wyden and I quietly launched an investigation earlier 
this year, requesting information and documents from the country's 
largest tax return preparers and debit card companies.

    We look forward to working with the IRS as we move forward with 
this investigation and consider policy changes. We also look forward to 
hearing the report from your preparer working groups, and the committee 
looks forward to weighing in on those matters in the near future.

    So I welcome our witnesses today, IRS Commissioner Koskinen and 
Inspector General George. Commissioner Koskinen, earlier this year, 
when I first welcomed you before the Committee as Chairman, I noted 
that I hoped it would be the beginning of a new chapter in the long, 
historic relationship between the Internal Revenue Service and the 
Senate Finance Committee. I said that because the issues before us are 
too great for that relationship to be anything but open, honest, and 
productive.

    Today's topic is a great example of why that relationship is so 
important. Cyber-threats will only continue to grow, and those types of 
threats go to the core of our voluntary tax system. We must work 
together to figure out what happened, what went wrong in allowing the 
breach to occur, and how we can prevent another successful attack from 
taking place in the future.

    Finally, I would like to acknowledge that today's hearing occurs 
during somewhat unusual circumstances.

    The issue before us is the subject of several recently opened 
investigations, including a criminal investigation conducted by TIGTA. 
I caution members of the committee to be sensitive to these 
investigations when asking questions of the witnesses, and be aware 
that they may not be able to provide full answers to every question in 
this public forum. In spite of these limitations, it is important to 
discuss this matter today as fully and candidly as possible.

                                 ______
                                 
      Prepared Statement of Hon. John A. Koskinen, Commissioner, 
                        Internal Revenue Service
    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
thank you for the opportunity to appear before you today to provide 
information on the recent unauthorized attempts to obtain taxpayer data 
through the IRS's Get Transcript online application.

    While we are continuing our in-depth analysis of what happened, the 
analysis thus far has found that the unauthorized attempts to request 
information from the Get Transcript application were complex and 
sophisticated in nature. These attempts were made using taxpayers' 
personal information already obtained from sources outside the IRS--
meaning the parties making the attempts had enough information to clear 
the Get Transcript application's multi-step authentication process.

    For now, our biggest concern is for the affected taxpayers, to make 
sure they are protected against fraud in the future. We recognize the 
severity of the situation for these taxpayers, and we are doing 
everything we can to help them.

    Securing our systems and protecting taxpayers' information is a top 
priority for the IRS. Even with our constrained resources as a result 
of cuts to our budget totaling $1.2 billion since 2010, we continue to 
devote significant time and attention to this challenge. At the same 
time, it is clear that criminals have been able to gather increasing 
amounts of personal data as the result of data breaches at sources 
outside the IRS, which makes protecting taxpayers increasingly 
challenging and difficult.

    The problem of personal data being stolen from sources outside the 
IRS to perpetrate tax refund fraud exploded from 2010 to 2012, and for 
a time overwhelmed law enforcement and the IRS. Since then, we have 
been making steady progress, both in terms of protecting against 
fraudulent refund claims and prosecuting those who engage in this 
crime. Over the past few years, almost 2,000 individuals were convicted 
in connection with refund fraud related to identity theft. The average 
prison sentence for identity theft-related tax refund fraud grew to 43 
months in Fiscal Year (FY) 2014 from 38 months in FY 2013, with the 
longest sentence being 27 years.

    Additionally, as our processing filters have improved, we have also 
been able to stop more suspicious returns at the door, rather than 
accepting them for processing. This past filing season, our fraud 
filters stopped almost 3 million fraudulent returns before processing 
them, an increase of over 700,000 from the year before. But, even 
though we have been effective at stopping individuals perpetrating 
these crimes, we find that we are dealing more and more with organized 
crime syndicates here and around the world.

    At the same time, over the last several years, the IRS has been 
working to meet taxpayers' increasing demand for self-service and 
electronic service options by providing them with more web-based tools, 
to make their interactions with us simpler and easier. As part of that 
effort, we launched the Get Transcript online application in January 
2014. Get Transcript allows taxpayers to view and print a copy of their 
prior-year tax information, also known as a transcript, in a matter of 
minutes. Prior to the introduction of this online tool, taxpayers had 
to wait 5 to 7 days after placing an order by phone or by mail to 
receive a paper transcript by mail. Taxpayers use tax transcript 
information for a variety of financial activities, such as verifying 
income when applying for a mortgage or student loan.

    To access Get Transcript, taxpayers must go through a multi-step 
authentication process to prove their identity, consistent with many 
organizations in the financial services industry. They must first 
submit personal information such as their Social Security Number (SSN), 
date of birth, tax filing status, and home address, as well as an e-
mail address. The taxpayer then receives an e-mail from the Get 
Transcript system containing a confirmation code that they enter to 
access the application and request a transcript. Before the request is 
processed, the taxpayer must respond to several ``out-of-wallet'' 
questions--a customer authentication method that is standard within the 
financial services industry. The questions are designed to elicit 
information that only the taxpayer would normally know, such as the 
amount of their monthly mortgage or car payment.

    During the 2015 filing season, taxpayers used the Get Transcript 
application to successfully obtain approximately 23 million copies of 
their recently filed tax information. If this application had not 
existed and these taxpayers had to call or write us to order a 
transcript, it would have stretched our limited resources even further. 
That is important to note, given our limitations during the past filing 
season. We would have been much less efficient in providing taxpayer 
service, not to mention the additional burden placed on taxpayers.

    During the middle of May, our cyber-security team noticed unusual 
activity on the Get Transcript application. At the time, our team 
thought this might be a ``denial of service'' attack, where hackers try 
to disrupt a website's normal functioning. Our teams worked 
aggressively to look deeper into the situation during the following 
days, and ultimately uncovered questionable attempts to access the Get 
Transcript application.

    As a result, the IRS shut down the Get Transcript application on 
May 21st. The application will remain disabled until the IRS makes 
modifications and further strengthens security for the application. It 
should be noted that the third parties who made these unauthorized 
attempts to obtain tax account information did not attempt to gain 
access to the main IRS computer system that handles tax filing 
submissions. The main IRS computer system remains secure, as do other 
online IRS applications such as ``Where's My Refund?'' Unlike Get 
Transcript, the other online applications do not allow taxpayers to 
access their personal tax data.

    As they continued to investigate, our team determined that a total 
of approximately 200,000 suspicious attempts to gain access to taxpayer 
information on the Get Transcript application had been made between 
mid-February and mid-May. About 100,000 of the attempts were 
unsuccessful, with the parties making these attempts unable to work 
their way through the protections in place.

    But we know that the other 100,000 or so attempts to request 
information from the Get Transcript application between mid-February 
and mid-May were successful. We are analyzing what, if anything, was 
done with the personal information of these taxpayers obtained using 
the Get Transcript application, and have discovered the following:

    About 35,000 taxpayers had already filed their 2014 income tax 
        returns before the unauthorized attempts at access. This means 
        that these taxpayers' 2014 returns and refund claims were not 
        affected by this fraudulent activity, because any fraudulent 
        return subsequently filed in their names would be automatically 
        rejected by our systems;

    For another 33,000, there is no record of any return having been 
        filed in 2015. This could be the case for a number of reasons. 
        For example, the SSNs associated with these individuals may 
        belong to those who have no obligation to file, such as 
        children, or anyone below the tax filing threshold;

    Unsuccessful attempts were made to file approximately 23,500 
        returns. These 23,500 returns were flagged by our fraud filters 
        and stopped by our processing systems before refunds were 
        issued; and

    Since this activity occurred, about 13,000 suspect returns were 
        filed for tax year 2014 for which the IRS issued refunds. 
        Refunds issued for these 13,000 suspect returns totaled about 
        $39 million, and the average refund was approximately $3,000 
        per return. We are still determining how many of these returns 
        were filed by the actual taxpayers and which were filed using 
        stolen identities. We will work with any of these affected 
        taxpayers who had fraudulent returns filed in their name.

    As I mentioned at the outset, our analysis thus far has found that 
the unauthorized attempts to access information using the Get 
Transcript application were complex and sophisticated in nature. These 
attempts were made using personal information already obtained from 
sources outside the IRS--meaning the parties making the attempts had 
enough information to clear the Get Transcript application's multi-step 
authentication process, including answers to the out-of-wallet 
questions.

    We believe it is possible that some of the attempts to access tax 
transcripts were made with an eye toward using the information to file 
fraudulent tax returns next year. For example, any prior-year return 
information criminals obtain would help them more easily craft 
seemingly authentic returns, making it more difficult for our filters 
to detect the fraudulent nature of the returns.

    As noted above, since we have already disabled Get Transcript, our 
biggest concern right now is for the affected taxpayers, to make sure 
they are protected against fraud in the future. We recognize the 
severity of the situation for these taxpayers, and have taken a number 
of immediate steps to assist the affected taxpayers in protecting their 
data against fraud that might be perpetrated against them. First, we 
have placed an identifier on the accounts of the roughly 200,000 
affected taxpayers on our core tax account system to prevent someone 
else from filing a tax return in their name--both now and in future 
years.

    Second, we are in the process of writing to all 200,000 taxpayers 
to let them know that third parties appear to have gained access from 
outside the IRS to personal information such as their SSNs, in an 
attempt to obtain their tax information from the IRS. Although half of 
this group did not actually have their transcript accessed because 
those who were trying to gain this information failed the 
authentication tests, the IRS believes it is important to make these 
taxpayers aware that someone else has their personal data. We want them 
to be able to take steps to safeguard their data.

    Letters have already been sent to all of the approximately 100,000 
taxpayers whose tax information was successfully obtained by 
unauthorized third parties. We are offering credit monitoring, at our 
expense, to this group of taxpayers. We strongly encourage people who 
receive this letter to take advantage of this offer. We are also giving 
them the opportunity to provide us with the authentication 
documentation necessary to obtain an Identity Protection Personal 
Identification Number (IP PIN). This will further safeguard their IRS 
accounts and help them avoid any problems filing returns in future 
years.

    As further analysis is done, we may uncover evidence that personal 
information of others, such as spouses and dependents of the taxpayers 
already identified, was also compromised, and we will take similar 
steps to protect those individuals.

    More broadly, the IRS continues to work to help taxpayers who have 
been victims of identity theft. For example, for the 2015 filing 
season, the IRS has issued IP PINs to 1.5 million taxpayers previously 
identified by the IRS as victims of identity theft. Also during this 
period, the IRS notified another 1.7 million taxpayers that they were 
eligible to visit IRS.gov and opt in to the IP PIN program. Meanwhile, 
taxpayers living in Florida, Georgia, and Washington, DC--three areas 
where there have been particularly high concentrations of identity-
theft related refund fraud--are eligible to participate in a pilot 
where they can receive an IP PIN upon request, regardless of whether 
the IRS has identified them as a victim of identity theft.

    In terms of our investigative work on identity theft, it is 
important to note that our Criminal Investigation (CI) division has 
seen an increase in identity theft crime being perpetrated by organized 
crime syndicates. The IRS is working closely with law enforcement 
agencies in the U.S. and around the world to prosecute these criminals 
and protect taxpayers. But the fact remains that these cyber-criminals 
are increasingly sophisticated enemies, with access to substantial 
volumes of data on millions of people.

    For that reason, we recently held a sit-down meeting with the 
leaders of the tax software and payroll industries and state tax 
administrators, and agreed to build on our cooperative efforts of the 
past and find new ways to leverage this public-private partnership to 
help battle identity theft. The working groups that were formed out of 
this meeting have continued to meet, and later this month we expect to 
announce an agreement on short-term solutions to help better protect 
personal information in the upcoming tax filing season, and to continue 
to work on longer-term efforts to protect the integrity of the nation's 
tax system.

    One of the three working groups formed out of this meeting focuses 
on authentication. As criminals obtain more personal information, 
authentication protocols need to become more sophisticated, moving 
beyond information that used to be known only to individuals but now, 
in many cases, is readily available to criminal organizations from 
various sources. We must balance the strongest possible authentication 
processes with the ability of taxpayers to legitimately access their 
data and use IRS services online. The challenge will always be to keep 
up with, if not get ahead of, our enemies in this area.

    Congress has an important role to play here. Congress can help by 
approving the President's FY 2016 Budget request, which includes $101 
million specifically devoted to identity theft and refund fraud, plus 
$188 million for critical information technology infrastructure. Along 
with providing adequate funding, lawmakers can help the IRS in the 
fight against refund fraud and identity theft by passing several 
important legislative proposals in the President's FY 2016 Budget 
proposal. A key item on this list is a proposal to accelerate 
information return filing dates.

    Under current law, most information returns, including Forms 1099 
and 1098, must be filed with the IRS by February 28 of the year 
following the year for which the information is being reported, while 
Form W-2 must be filed with the Social Security Administration (SSA) by 
the last day of February. The due date for filing information returns 
with the IRS or SSA is generally extended until March 31st if the 
returns are filed electronically. The Budget proposal would require 
these information returns to be filed when copies of this information 
are provided to the taxpayers, generally by January 31st of the year 
following the year for which the information is being reported, which 
would assist the IRS in identifying fraudulent returns and reduce 
refund fraud related to identity theft.

    There are a number of other legislative proposals in the 
Administration's FY 2016 Budget that would also assist the IRS in its 
efforts to combat identity theft, including: giving Treasury and the 
IRS authority to require or permit employers to mask a portion of an 
employee's SSN on W-2s, which would make it more difficult for identity 
thieves to steal SSNs; adding tax-related offenses to the list of 
crimes in the Aggravated Identity Theft Statute, which would subject 
criminals convicted of tax-related identity theft crimes to longer 
sentences than those that apply under current law; and adding a $5,000 
civil penalty to the Internal Revenue Code for tax-related identity 
theft cases, to provide an additional enforcement tool that could be 
used in conjunction with criminal prosecutions.

    Chairman Hatch, Ranking Member Wyden, and members of the committee, 
thank you again for the opportunity to provide information on the 
recent unauthorized attempts to obtain taxpayer data through the IRS's 
Get Transcript online application. This concludes my statement, and I 
would be happy to take your questions.

                                 ______
                                 
      Questions Submitted for the Record to Hon. John A. Koskinen
                Questions Submitted by Hon. Dean Heller
    Question. The recent IRS data breach of 104,000 victims only 
emphasizes how tax schemes, such as identity theft and return preparer 
fraud, are on the rise. For the 2014 tax year, it is estimated there 
have been close to 2 million in confirmed tax related identity thefts. 
In my home state alone, there have been over 14,000 victims. These 
numbers are disturbing, but what is more upsetting is the complex and 
frustrating process that these innocent victims are put through. It is 
my understanding refunds can take almost a year to get back to the true 
taxpayer. For this recent data breach, how is the IRS addressing the 
affected taxpayers, especially the ones where a return had been 
illegally filed and a refund issued?

    Answer. We realize the importance of resolving cases involving 
identity theft quickly and efficiently, thus allowing taxpayers 
victimized by identity theft to receive their refunds as soon as 
possible and helping to reduce the risk that adverse enforcement 
actions will be taken against them. To that end, we continue to develop 
and implement new procedures to improve the service provided to 
identity theft victims.

    Due to the complexity of these situations, identity theft victim 
case resolution can be a time-consuming process. However, the IRS has 
successfully reduced the case-processing and resolution time for 
identity-theft cases to improve service to the taxpayer. During the 
past fiscal year, taxpayers who became identity theft victims had their 
situations resolved in roughly 120 days, far more quickly than in 
previous years, when cases could take over 300 days to resolve. The IRS 
continues to evaluate systems and processes to improve the taxpayer 
experience.

    The IRS continues to expand its outreach initiatives to provide 
taxpayers, return preparers, state tax agencies, and other stakeholders 
with the information they need to prevent tax-related identity theft 
and, when identity theft does occur, to resolve issues as quickly and 
efficiently as possible. We also partner with other federal agencies to 
further these outreach efforts.

    Ensuring the security of our systems and the protection of 
taxpayers and their information are top priorities. Even with our 
constrained resources over the past few years, we continue to devote 
significant time and attention to these challenges. Ongoing data 
breaches involving other companies and organizations, through which 
criminals have been able to gather increasing amounts of personal data, 
make it even more challenging and difficult to protect taxpayers.

    You asked how the IRS is addressing the taxpayers affected by the 
recent unauthorized-access incident involving the Get Transcript 
application. In May, the IRS determined unauthorized third parties 
already had sufficient information from a source outside the tax agency 
before accessing the Get Transcript application. This allowed them to 
clear a multi-step authentication process, including several personal 
verification questions that typically are only known by the taxpayer.

    When the IRS first identified the problem in May, we determined 
that these third parties with taxpayer-specific sensitive data from 
non-IRS sources had cleared the Get Transcript verification process on 
about 114,000 total attempts. In addition, it appeared at that time 
that third parties had made attempts that failed to pass the final 
verification step, meaning they were unable to access account 
information through the Get Transcript service.

    Since then, as part of the IRS's continued efforts to protect 
taxpayer data, the IRS conducted a deeper analysis over a wider time 
period covering the 2015 filing season, analyzing more than 23 million 
uses of the Get Transcript system. The new review identified an 
estimated additional 220,000 attempts where individuals with taxpayer-
specific sensitive data cleared the Get Transcript verification 
process. The review also identified an additional 170,000 suspected 
attempts that failed to clear the authentication processes.

    The IRS mailed letters to all taxpayers identified in May and, 
later, we also mailed letters to the population identified in August as 
part of our continued analysis. To the taxpayers whose tax information 
was successfully obtained by unauthorized third parties, we are 
offering credit monitoring, at our expense. We strongly encourage the 
recipients of these letters to take advantage of the credit monitoring. 
We are also giving them the opportunity to provide us with the 
authentication documentation necessary to get an Identity Protection 
Personal Identification Number (IP PIN). This will further safeguard 
their IRS accounts and help them avoid any problems filing returns in 
future years. The IRS is marking all of the affected accounts with 
indicators that will help identify and prevent any fraudulent returns 
from being filed under those Social Security Numbers (SSN).

    The Get Transcript application was shut down in May, and the IRS 
continues to work on strengthening the system. In the meantime, 
taxpayers have several other options to obtain transcripts.

    The IRS takes the security of taxpayer data extremely seriously, 
and we are working aggressively to protect affected taxpayers and 
continue to strengthen our systems.

    The matter remains under review by the Treasury Inspector General 
for Tax Administration as well as IRS Criminal Investigation.

    Question. I understand that the IRS is considering allowing these 
individuals to receive a secure PIN, also known as the IP PIN, as part 
of an IRS pilot program. Could a secure PIN be provided to all 
taxpayers? If not, why not?

    Answer. The Identity Protection Personal Identification Number (IP 
PIN) is one component of the IRS arsenal to combat identity theft and 
fraud. We have many other tools and solutions in use and under 
development to increase security of taxpayer data.

    We are conducting research and analysis to determine the 
feasibility of expanding the IP PIN program. Although additional 
expansion of the IP PIN program may help safeguard more taxpayers from 
tax-related identity theft and refund fraud, it would require a 
substantial investment of financial resources which are not available 
at this time.

    Question. Public trust is crucial to the IRS's success. I was 
disturbed to understand that a recent GAO report found that a number of 
weaknesses, to effectively protect taxpayers' confidentiality, 
integrity and availability of sensitive taxpayer data, had not been 
implemented. My understanding is that less than a third of changes were 
implemented remain open between the last GAO audit and this year. How 
can the committee or taxpayers have faith in the IRS, if significant 
deficiencies in internal controls are not being addressed? Follow-up 
when do you expect to have these weaknesses addressed?

    Answer. The security and privacy of taxpayer information and the 
integrity of our computer systems continue to be sound. Our Cyber-
security program provides proactive defenses by implementing world-
class security practices in planning, implementation, management, and 
operations involving people, process, and technologies. We continually 
monitor the security controls in our information systems and the 
environments in which those systems operate. We also maintain awareness 
of information security, vulnerabilities, and threats to support 
organizational risk management decisions. We remain committed to our 
ongoing programs to manage the security risks in our IT infrastructure 
in accordance with industry standards and as required by the Federal 
Information Security Management Act (FISMA) and the National Institute 
of Standards and Technology guidance, and we continue to decrease the 
number of our unresolved weaknesses.

    We are working diligently to address all of the findings identified 
by GAO. The IRS has submitted 31 of the 79 open findings to GAO for 
closure during the FY 2015 audit. Currently, up to 30 of the remaining 
open items are in progress and scheduled to be submitted to GAO for 
closure in FY 2016. The balance of the open findings are scheduled for 
closure by FY 2019. It should be noted that GAO's recommendations do 
not concern fundamental weaknesses in taxpayer-facing systems. Rather, 
they concern weaknesses in our controls for internal systems--that is, 
systems and data that are behind our portal and firewalls. These 
systems have less risk of experiencing security issues because they are 
not connected directly to the external internet. In addition, factors 
such as budget uncertainties, hiring freezes, skillset deficits, and 
complexities associated with our antiquated legacy environment, as well 
as cutbacks affecting our ability to update our infrastructure, must 
also be considered. Nonetheless, we continue to review and evaluate all 
of GAO's recommendations along with other outstanding recommendations 
in light of risk and security controls and processes currently in 
place. We are building corrective action plans where appropriate to 
address the recommendations, and we are prioritizing and addressing 
them as resources permit. Significant progress has been made in 
addressing these recommendations in areas where we are most vulnerable.

    Our efforts to install software patches for security 
vulnerabilities continue to improve with the implementation of newer 
releases of more efficient and effective patching tools. We are 
developing our enterprise-wide processes to deliver software patches 
across all of our environments. This extensive effort continues to 
improve our vulnerable systems and the timeliness of patching provided 
by our patching teams. These improvements have been realized in spite 
of increasing challenges such as more sophisticated attackers, 
increased system complexity in our environments, and loss of some of 
our most experienced staff. While some patch management activities may 
take longer than we would like due to funding reductions, resource 
constraints, and the complexity of our environments, we expect to 
address the GAO findings related to patch management in FY 2016 as we 
continue to improve the program.

    We are making steady progress in closing vulnerabilities and 
addressing GAO findings associated with passwords. We have implemented 
standards that create systemic fixes for common issues in creating 
employee and administrator passwords. We also conduct monthly 
vulnerability scanning to ensure systems compliance with the password 
policy. Although we have not had sufficient funding and capacity to 
implement the Homeland Security Presidential Directive (HSPD)-12 
initiative as quickly as we would like, we are continuing to transition 
from using passwords to using the Personal Identity Verification (PIV) 
card for system sign-on for all users. This required substantial effort 
due to the number of systems that need updating, the advanced age of 
some of these systems, the complexity of system interactions, and the 
high cost to update them. We expect 100% of users with regular access 
privileges to be HSPD-12 ready by the end of FY 2016.

    We are enhancing our auditing and monitoring capabilities by 
dedicating our limited resources in this area to our highest risk 
systems. This will help us track security violations and confirm 
individual accountability. In FY 2014, we developed a risk-based 
prioritization strategy to align the schedules of systems needing audit 
trails. Since FY 2014, we have been dedicating significant financial 
resources to ensure all new systems are implemented with audit trails, 
and to expand the audit trails infrastructure capacity to support the 
new data collection. We have prioritized the audit trails findings in 
the GAO report and we expect that the systems documented in the report 
will be completed in FY 2016 and FY 2017.

    Question. The Committee held a hearing, earlier this year, on tax 
scams including identity theft, ``Protecting Taxpayers from Schemes and 
Scams during the 2015 Filing Season.'' Mr. Alley, the Commissioner of 
the Indiana Department of Revenue, stressed that the identity 
confirmation quiz was a significant and powerful tool to combat ID 
fraud. Has the IRS considered implementing a similar procedure such as 
this to reduce tax scams?

    Answer. The IRS currently uses an identity-confirmation quiz, 
called out-of-wallet questions, to authenticate taxpayers. The name 
refers to questions that would not be easily answerable with the 
information in a person's wallet if it were stolen.

    The IRS is reviewing multiple-authentication policy and 
capabilities in response to the unauthorized disclosures associated 
with the Get Transcript application. We are researching internal 
capabilities as well as those available from third parties through 
existing and planned contracts. These options include, but are not 
limited to:

        Third-party configuration changes to strengthen out-of-wallet 
questions;

        Internal IRS configuration updates to limit fraud and 
vulnerabilities to scripting attacks;

        Additional levels of assurance and authentication points; and

        Additional risk-based authentication capabilities.

    We must balance the strongest possible authentication processes 
with the ability of taxpayers to legitimately access their data and use 
IRS services online. The challenge will always be to keep up with, if 
not get ahead of, fraudsters in this area.

    Question. In Mr. Alley's testimony, he also focused on how the 
identity confirmation quiz is only part of a larger process to 
strategically focus on identity theft and refund fraud. This 
encompassed hiring additional talent, implementing new procedures and 
new IT systems and conducting a public relations campaign. What steps 
are the IRS taking to address identity theft?

    Answer. The IRS has a comprehensive and aggressive identity-theft 
strategy focused on preventing refund fraud, investigating these 
crimes, and assisting taxpayers victimized by identity thieves. We are 
also continuously conducting analysis and looking for ways to improve 
identity-theft detection. Because identity-theft criminals have 
significant resources to devote to these schemes, their methods are 
constantly evolving, forcing us to continually adjust our filters and 
processes accordingly.

    Realizing that we are only one stakeholder in the battle against 
identity theft, in March we organized a Security Summit that included 
representatives from the IRS, state tax agencies and private industry, 
such as software vendors, to work on collaborative solutions to combat 
fraud schemes. The Summit established a new public/private partnership 
effort to combat identify theft, refund fraud and protect the nation's 
taxpayers. In addition, participants reached agreement on several 
initiatives to address identity theft. These initiatives were announced 
on June 11, 2015. The agreement includes identifying new steps to 
validate taxpayer and tax return data at the time of filing. The effort 
will increase information sharing between industry and government. This 
public/private partnership is continuing to work on initiatives to be 
implemented in 2017 and beyond.

    In addition to victim assistance and outreach, the IRS's identity 
theft strategy also focuses on preventing refund fraud and 
investigating these crimes. Additional initiatives include these FY 
2015 items:

        We now limit the number of tax refund deposits to a single 
account to three (3). Additional refunds to the same account are 
converted to paper checks. We believe this initiative has had a 
positive impact on our efforts to deter fraud and identity theft.

        We began receiving device ID information to identify potential 
identity theft or fraud. The device ID is the serial number (or 
fingerprint) of the device (for example, computer, smart phone, or 
tablet). The unique ID is transmitted as part of the electronically 
filed return via our existing transmission process and enables the IRS 
to associate fraudulent returns that are filed from the same device.

        In addition to the nearly 1.5 million taxpayers that are given 
an Identity Protection Personal Identification Number (IP PIN), we 
expanded the population eligible for IP PINs to taxpayers previously 
identified by the IRS as victims of identity theft. This allowed 
approximately 1.7 million more taxpayers to opt in to the IP PIN 
program.

        We continue to accelerate the use of more types of information 
returns to identify mismatches earlier.

        We provide phone, online and in person channels to enable 
taxpayers inadvertently caught up in our protective filters to validate 
their identity and have their return processed. We continue to 
implement new identity theft screening filters to improve our ability 
to spot false returns before we process them and issue refunds.

    The IRS also continues to collaborate with software companies and 
financial institutions to identify patterns, trends and schemes that 
affect refund returns.

    The IRS also has initiated additional collaboration with the Bureau 
of Fiscal Service (BFS) on multiple direct deposits and payments shared 
between government agencies in the development of the new Payment 
Processing System. This collaboration provides an opportunity for IRS 
and other government agencies to work through BFS to identify 
fraudulent payments, increase recovery opportunities, improve data 
access, and reduce time in extracting or analyzing information from 
multiple data sources. This will also afford the opportunity for IRS 
and BFS to collaborate on refunds that have made it through IRS systems 
but appear suspicious based upon additional information and data 
external to IRS. The BFS system is expected to be online in September 
2016.

    In addition, Congress can help us in the fight against refund fraud 
and identity theft, by enacting several important legislative proposals 
in the President's FY 2016 Budget proposal, including the following:

        Acceleration of information return filing due dates. Under 
current law, most information returns, including Forms 1099 and 1098, 
must be filed with the IRS by February 28th of the year following the 
year for which the information is being reported, while Form W-2 must 
be filed with the Social Security Administration (SSA) by the last day 
of February. The due date for filing information returns with the IRS 
or SSA is generally extended until March 31st if the returns are filed 
electronically. The Budget proposal would require these information 
returns to be filed earlier, which would assist the IRS in identifying 
fraudulent returns and reduce refund fraud, including refund fraud 
related to identity theft.

        Correctible error authority. The IRS has authority in limited 
circumstances to identify certain computation or other irregularities 
on returns and automatically adjust the return for a taxpayer, 
colloquially known as ``math error authority.'' At various times, 
Congress has expanded this limited authority on a case-by-case basis to 
cover specific, newly enacted tax code amendments. The IRS would be 
able to significantly improve tax administration--including reducing 
improper payments and refund fraud as well as cutting down on the need 
for costly audits--if Congress were to enact the Budget proposal to 
replace the existing specific grants of this authority with more 
general authority covering computation errors and incorrect use of IRS 
tables. Congress could also help in this regard by creating a new 
category of ``correctable errors,'' allowing the IRS to fix errors in 
several specific situations, such as when a taxpayer's information does 
not match the data in certain government databases. To correct these 
errors today, IRS must open an audit, and we are limited in the number 
of audits we conduct by the resources available to engage with the 
taxpayer in the full audit process. Being able to correct certain 
mismatch errors would help with reducing some types of refund fraud.

        Authority to ensure minimum qualifications for return 
preparers. In the wake of court decisions striking down the IRS's 
authority to regulate unenrolled and unlicensed paid tax return 
preparers, Congress should enact the Budget proposal to provide the 
agency with explicit authority to ensure paid preparers maintain 
minimum qualifications. This authority would help promote high quality 
services from tax return preparers, reduce refund fraud, improve 
voluntary compliance, foster taxpayer confidence in the fairness of the 
tax system, and protect taxpayers from preparer errors.

        Expanded access to Directory of New Hires. Under current law, 
the IRS is permitted to access the Department of Health and Human 
Services' National Directory of New Hires only for purposes of 
enforcing the Earned Income Tax Credit and verifying employment 
reported on a tax return. The proposal would allow IRS access to the 
directory for tax administration purposes that include data matching, 
verification of taxpayer claims during return processing, preparation 
of substitute returns for non-compliant taxpayers, and identification 
of levy sources.

    There are a number of other legislative proposals in the 
Administration's FY 2016 Budget request that would also assist the IRS 
in its efforts to combat identity theft, including: giving Treasury and 
the IRS authority to require or permit employers to mask a portion of 
an employee's SSN on W-2s, which would make it more difficult for 
identity thieves to steal SSNs; adding tax-related offenses to the list 
of crimes in the Aggravated Identity Theft Statute, which would subject 
criminals convicted of tax-related identity theft crimes to longer 
sentences than those that apply under current law; and adding a $5,000 
civil penalty to the Internal Revenue Code for tax-related identity 
theft cases, to provide an additional enforcement tool that could be 
used in conjunction with criminal prosecutions.

    It is important to note that these legislative proposals, while 
they would be very helpful, only would be partially effective in 
achieving their intended goals without adequate resources for the 
agency.

    With limited resources and information, the IRS currently is only 
able to review fewer than 5% of the 100 million returns that request a 
refund. If, prior to issuing refunds, the IRS had access to third-party 
documents for matching earlier in the filing season (e.g., W-2), we 
would be able to stop more refund fraud.

    With additional resources, the IRS could implement the following 
improvements to protect revenue and taxpayers:

        Expand the pre-refund filters and improve systemic coverage of 
potential ID Theft returns;

        Increase the number of analysts manually reviewing filing 
patterns to identify new suspicious patterns and react to newly 
submitted leads; and

        Improve service to victims of identity theft by increasing the 
number of IRS employees who manually review returns, contact taxpayers 
when needed, and make account adjustments for taxpayers affected by ID 
Theft.

    Question. During the summer of 2012, the IRS worked with an 
incumbent consulting firm to conduct tests of third-party, commercially 
available analytics to determine how well those solutions could detect 
and prevent fraudulent tax returns. What were the results of those 
tests and if they were successful, why have none of those solutions 
been implemented?

    Answer. In 2012, the IRS conducted a study to determine if third-
party, commercially available analytics might improve identity theft 
protection beyond existing IRS Identity Theft (IDT) capabilities. 
Today, the IRS uses third-party data to facilitate validating 
identities and deterring ID theft fraud. For example, the Taxpayer 
Protection Program currently uses a third-party vendor's data to 
support ID Verify challenge questions used to authenticate taxpayers 
whose returns appear to be compromised by identity theft. In addition, 
the IRS is further partnering with industry to determine if new data 
sources and data elements can help IRS increase identity theft 
detection capabilities.

    Question. Does IRC 7216 need to be permanently amended to allow for 
the disclosure of limited filer information for the purposes of 
preventing fraudulent returns?

    Answer. Section 7216 does not require amendment to allow for the 
disclosure of limited filer information for purposes of preventing 
fraudulent returns. Regulations under section 7216 currently allow any 
disclosure of tax return information to an officer or employee of the 
IRS. Treas. Reg. Sec. 301.7216-2(b). They also allow disclosure of any 
tax return information to the proper Federal, State, or local officials 
to inform them of activities that may constitute a violation of any 
criminal law or to assist the investigation or prosecution of a 
violation of criminal law. Treas. Reg. Sec. 301.7216-2(q).

    Question. Has the IRS considered allowing consumers to opt into an 
alerting service that would notify them whenever a tax return has been 
filed using a consumer's personal information?

    Answer. Given current funding limitations, the IRS does not plan to 
implement an opt-in plan to notify a taxpayer whenever a tax return has 
been filed using a taxpayer's SSN or Individual Taxpayer Identification 
Number (ITIN). Currently, taxpayers are contacted when an individual 
tax return passes through IRS filters and is flagged for potential 
identity theft.

                                 ______
                                 
              Questions Submitted by Hon. Debbie Stabenow
    Question. Over the last couple of years, we have seen several large 
data breaches involving tens of millions of customers: Target--40 
million people, JPMorgan--76 million people, Home Depot--56 million 
people, Anthem--80 million people.

    The information stolen in the large data breaches is the kind of 
information that is then used to file false tax returns to obtain 
refunds, or, in this case, to access taxpayer information through the 
IRS. It emphasizes the need for greater security throughout the payment 
chain, before identity thieves get to the point of using stolen 
information to file false returns.

    As Commissioner of the IRS, you are limited in your ability to 
combat certain kinds of identity theft because you don't have control 
over the payment chain--identity thieves are using information that 
they have already obtained to file fraudulent returns.

    Can you tell us more about some of the steps that the IRS has been 
exploring to protect against fraudulent returns?

    Answer. The IRS has a comprehensive and aggressive identity theft 
strategy focused on preventing refund fraud, investigating these 
crimes, and assisting taxpayers victimized by identity thieves. We are 
also continuously conducting analysis and looking for ways to improve 
identity theft detection. Because identity theft criminals have 
significant resources to devote to these schemes, their methods are 
constantly evolving, forcing us to continually adjust our filters and 
processes accordingly. Realizing that we are only one participant in 
the battle against identity theft, we recently organized a Security 
Summit and invited representatives from state tax agencies and private 
industry, such as software vendors, to work on collaborative solutions 
to combat fraud schemes.

    In addition to victim assistance and outreach, the IRS's identity 
theft strategy also focuses on preventing refund fraud and 
investigating these crimes. Additional initiatives include these FY 
2015 items:

        We now limit the number of tax refund deposits to a single 
account to three (3). Additional refunds to the same account are 
converted to paper checks. We believe this initiative has had a 
positive impact on our efforts to deter fraud and identity theft.

        We began receiving Device ID information to identify potential 
identity theft or fraud. The Device ID is the serial number (or 
fingerprint) of the device (for example, Computer, Smart Phone or 
Tablet). The unique ID is transmitted as part of the electronically 
filed return via our existing transmission process and enables the IRS 
to associate fraudulent returns that are filed from the same device.

        In addition to the nearly 1.5 million taxpayers that are given 
an Identity Protection Personal Identification Number (IP PIN), we 
expanded the population eligible to opt-in for IP PINs to taxpayers 
previously identified by the IRS as victims of identity theft. This 
allowed approximately 1.7 million more taxpayers to opt in to the IP 
PIN program.

        We continue to accelerate the use of more types of information 
returns to identify mismatches earlier.

        We provide phone, online and in person channels to enable 
those taxpayers, inadvertently caught up in our protective filters, to 
validate their identities and have their return processed.

        We continue to implement new identity theft screening filters 
to improve our ability to spot false returns before we process them and 
issue refunds.

    The IRS also continues to collaborate with software companies and 
financial institutions to identify patterns, trends and schemes that 
impact refund returns. The IRS also has initiated additional 
collaboration with the Bureau of Fiscal Service (BFS) on multiple 
direct deposits and payments shared between government agencies in the 
development of the new Payment Processing System. This collaboration 
provides an opportunity for IRS and other government agencies to work 
through BFS to identify fraudulent payments, increase recovery 
opportunities, improve data access, and reduce time in extracting or 
analyzing information from multiple data sources. This will also afford 
the opportunity for IRS and BFS to collaborate on refunds that have 
made it through IRS systems but appear suspicious based upon additional 
information and data external to IRS. The BFS system is expected to be 
online in September 2016.

    Question. Over the last few years, TIGTA and GAO have issued a 
number of reports on data security at the IRS, identifying a great many 
vulnerabilities and making recommendations for how those 
vulnerabilities might be addressed.

    While the IRS has made several efforts to implement recommendations 
and secure vulnerable information, follow-up reports suggest that many 
recommendations, those with which IRS agreed, remain unimplemented and 
many vulnerabilities still exist.

    Can you tell us more about the difficulties that the IRS has 
experienced in securing taxpayer data and protecting against fraud?

    Have any factors limited your ability to implement some of the 
measures you might want to take?

    Answer. The IRS is confident that its systems demonstrate high 
resistance to the normal daily cyber-attacks seen across government. 
However, there are no absolutes and, as with nearly all such current 
commercial cyber-defenses, it is very difficult to defend against 
sophisticated technologies. The IRS continues to devote scarce 
resources to cyber-security but after five years of cuts to our budget, 
it is currently much more challenging for the IRS to continuously stay 
ahead of evolving threats to its cyber-security.

    The IRS has been storing taxpayer data in digital form since 1970 
and has a strong culture of protecting this data. Currently, the IRS 
takes a very aggressive approach to protecting taxpayer data through: 
restrictions on internet access; encryption of taxpayer data for any 
transmission externally; content filtering and strict firewall 
policies; and network security monitoring. In fact, the IRS has 
developed a Cyber-security Strategy that is focused on managing 
information security risk on a continuous basis; monitoring the 
security controls in IRS information systems and the environments in 
which those systems operate on an ongoing basis; and maintaining 
ongoing awareness of information security, vulnerabilities and threats.

    The critical risk to continuing to implement this strategy is not 
the sophistication or frequency of cyber-attacks, but instead is the 
IRS's current budget situation which has resulted in the reduction of 
Cyber-security staff and the inability to fill vacant positions. These 
skill sets and talents are under high demand across both the public and 
private sectors. The IRS's Cyber-security staff is currently 356 
personnel, which is down from its high of 408 employees in FY 2012. The 
inability to hire and retain certified Cyber-security staff prevents 
the IRS from sustaining its vigilance against cyber-attack. This 
creates a capacity issue within cyber-security, where there are simply 
too many priorities and not enough time and resources to do all the 
work that needs to be done. In this situation, even high risk 
initiatives are put on hold, which is certainly not optimal with a 
mission as critical as the IRS.

    The IRS's current budget situation is also hampering our ability to 
modernize our antiquated systems and keep current our IT 
infrastructure, which is thwarting progress in implementing security 
controls and protecting us against today's cyber-attacks. For example, 
the design and logic of many of our IT systems dates back to the 1960s, 
and those systems simply do not support protective measures recommended 
by GAO and others that are needed in today's technological environment. 
Similarly, many of our off-the-shelf applications are running on older, 
less secure versions, and some are even reaching end-of-life and are no 
longer supported by the software companies, meaning they are no longer 
receiving security and other patches to ward off cyber-attacks and 
performance issues.

    Funding has clearly limited IRS's ability to improve data security. 
As explained further in response to the next question, fully funding 
the IRS's information-security operations at the levels specified in 
the President's FY 2016 Budget request would allow for significant 
improvements in data security at the IRS.

    Question. Year after year, Congress has cut the budget of the IRS 
while asking you to take on more responsibility. We've given you less 
money and fewer employees with which to protect the information of so 
many millions of taxpayers across the country.

    Some of my colleagues are fond of the saying: when you tax 
something you get less of it. However, I would point out that when you 
pay for less of something, you get less of it. When you pay less for 
data security, you get less data security. It's a pretty 
straightforward concept, but unfortunately, here we are, after five 
years of cutting the IRS budget, being concerned about why more 
resources weren't put into data security.

    Commissioner Koskinen, if this Committee and this Congress would 
give you more tools to combat this sort of data breach and the money to 
implement those tools, could you improve data security at the IRS?

    Answer. Yes. Additional data security tools, and funding for 
people, processes and technologies to implement those tools, would 
allow for significant improvements in data security at the IRS.

    Congress can help by approving the President's FY 2016 Budget 
request for the IRS. The IRS budget includes $281 million (including 
1,270 Full Time Equivalents (FTE)) specifically devoted to combating 
stolen identity refund fraud, cyber-security enhancements and related 
activities. This amount includes:

        $65 million to provide secure digital communications for 
taxpayers and provide leading-edge technologies to protect U.S. 
Treasury revenue through use of the IRS Return Review Program as well 
as advance IRS effectiveness in detecting, addressing, and preventing 
tax refund fraud;

        $42.6 million to enhance investigations of transnational 
organized crime;

        $40.7 million to address international and offshore compliance 
issues;

        $17.2 million to pursue employment tax and abusive tax 
schemes; and

        $8.2 million to improve taxpayer services through e-file 
authentication and mailing address data verification.

    The budget also includes $188 million (including 157 FTE) for 
critical information technology infrastructure that will help ensure 
taxpayer data remains safe.

    In FY 2017, the IRS will continue its commitment to taxpayers by 
building a new era of tax administration that will feature, among other 
priorities, stronger foundational capabilities and greater protection 
for the accounts of America's taxpayers. Additional funding will allow 
us to make these investments to strengthen cyber-defense and prevent 
identity theft and refund fraud by investing in technology and 
workforce skills that will allow for timely risk assessments, efficient 
analysis of vast volumes of data, and quicker reaction times to 
potential risks and incidents.

    Data breaches and identity theft place a huge burden on their 
victims and present a challenge to businesses, organizations, and the 
IRS. The IRS is making progress against these crimes, but in the 
absence of sufficient resources and tools, these problems will continue 
and only compound over time.

    Question. A number of my colleagues, including the Chairman and 
Ranking Member, Senator Nelson, and others, have introduced legislation 
addressing identity theft. The Individual Tax Reform Working Group, of 
which I am a co-chair, has been looking at identity theft and other tax 
administration issues. I hear from constituents who have fraudulent 
returns filed in their names, or whose family members are victimized by 
scammers, with very serious consequences and even heartbreaking 
consequences.

    I hope that we will take up some of these proposals to prevent 
these issues in the near future.

    Are there specific tools or proposals that would be especially 
helpful to you in efforts to prevent identity theft?

    Answer. Congress can help us in the fight against refund fraud and 
identity theft by passing several important legislative proposals in 
the President's FY 2016 Budget proposal, including the following:

        Acceleration of information return filing due dates. Under 
current law, most information returns, including Forms 1099 and 1098, 
must be filed with the IRS by February 28 of the year following the 
year for which the information is being reported, while Form W-2 must 
be filed with the Social Security Administration (SSA) by the last day 
of February. The due date for filing information returns with the IRS 
or SSA is generally extended until March 31 if the returns are filed 
electronically. The Budget proposal would require these information 
returns to be filed earlier, which would assist the IRS in identifying 
fraudulent returns and reduce refund fraud, including refund fraud 
related to identity theft.

        Correctible error authority. The IRS has authority in limited 
circumstances to identify certain computation or other irregularities 
on returns and automatically adjust the return for a taxpayer, 
colloquially known as ``math error authority.'' At various times, 
Congress has expanded this limited authority on a case-by-case basis to 
cover specific, newly enacted tax code amendments. The IRS would be 
able to significantly improve tax administration--including reducing 
improper payments and refund fraud as well as reducing costly audits--
if Congress were to enact the Budget proposal to replace the existing 
specific grants of this authority with more general authority covering 
computation errors and incorrect use of IRS tables. Congress could also 
help in this regard by creating a new category of ``correctible 
errors,'' allowing the IRS to fix errors in several specific 
situations, such as when a taxpayer's information does not match the 
data in certain government databases. To correct these errors today, 
IRS must open an audit, and we are limited in the number of audits we 
conduct by the resources available to engage with the taxpayer in the 
full audit process. Being able to correct certain mismatch errors would 
help with reducing some types of refund fraud.

        Authority to regulate return preparers. In the wake of court 
decisions striking down the IRS's authority to ensure unenrolled and 
unlicensed paid tax return preparers maintain minimum standards of 
competency, Congress should enact the Budget proposal to provide the 
agency with explicit authority to ensure all paid preparers maintain 
minimum standards. This legislation would help promote high quality 
services from tax return preparers and reduce refund fraud, improve 
voluntary compliance, foster taxpayer confidence in the fairness of the 
tax system, and protect taxpayers from preparer errors

        Expanded access to Directory of New Hires. Under current law, 
the IRS is permitted to access the Department of Health and Human 
Services' National Directory of New Hires only for purposes of 
enforcing the Earned Income Tax Credit and verifying employment 
reported on a tax return. The proposal would allow IRS access to the 
directory for tax administration purposes that include data matching, 
verification of taxpayer claims during return processing, preparation 
of substitute returns for non-compliant taxpayers, and identification 
of levy sources.

    There are a number of other legislative proposals in the 
Administration's FY 2016 Budget request that would also assist the IRS 
in its efforts to combat identity theft, including: giving Treasury and 
the IRS authority to require or permit employers to mask a portion of 
an employee's SSN on W-2s, which would make it more difficult for 
identity thieves to steal SSNs; adding tax-related offenses to the list 
of crimes in the Aggravated Identity Theft Statute, which would subject 
criminals convicted of tax-related identity theft crimes to longer 
sentences than those that apply under current law; and adding a $5,000 
civil penalty to the Internal Revenue Code for tax-related identity 
theft cases, to provide an additional enforcement tool that could be 
used in conjunction with criminal prosecutions.

    It is important to note that these legislative proposals, while 
they would be very helpful, only would be partially effective in 
achieving their intended goals without adequate resources for the 
agency.

    With limited resources and information, the IRS currently is only 
able to review fewer than 5% of the 100 million returns that request a 
refund. If, prior to issuing refunds, the IRS had access to third-party 
documents for matching earlier in the filing season (e.g., W-2), the 
IRS would be able to identify fraudulent returns for which there were 
no matching information returns. This would help reduce refund fraud, 
including refund fraud related to identity theft.

    With additional resources, the IRS could implement the following 
improvements to protect revenue and taxpayers:

        Expand the pre-refund filters and improve systemic coverage of 
potential ID Theft returns;

        Increase the number of analysts manually reviewing filing 
patterns to identify new suspicious patterns and react to newly 
submitted leads; and

        Improve service to victims of identity theft by increasing the 
number of IRS employees who manually review returns, contact taxpayers 
when needed, and make account adjustments for taxpayers affected by ID 
Theft.

                                 ______
                                 
               Questions Submitted by Hon. Mark R. Warner
    Question. Commissioner Koskinen, based on your testimony, taxpayers 
used the Get Transcript application to successfully obtain over 20 
million copies of their recently filed tax information. In previous 
statements, you have also mentioned that the ``Where's my Refund?'' 
application has been hugely successful. What does the IRS consider when 
balancing the availability of these services with protecting taxpayer's 
personally identifiable information?

    Answer. In accordance with the National Institute Standards and 
Technology (NIST), the IRS has implemented a holistic, organization-
wide Cyber-security risk management process with the principal goal of 
protecting the IRS organization and the ability to perform the IRS 
mission. The Cyber-security risk management process is treated as an 
essential management function of the organization balancing the 
assessment of management, operational, and technical controls to 
protect IRS systems. This approach includes applying NIST and Federal 
Information Security Management Act (FISMA) guidelines in identifying 
appropriate levels of identity proofing and authentication needed to 
protect IRS data and systems from identity and cyber-thieves.

    We developed our on-line services to facilitate taxpayers' 
increasing demand for self-service and electronic service options by 
providing them with more web-based tools, to make their interactions 
with us simpler and easier. As part of that effort, we launched an 
updated version of the Where's My Refund (WMR) application for the 2003 
filing season and the Get Transcript online application in January 
2014. WMR enables taxpayers to check the status of their refund online 
or through their mobile device. Get Transcript allows taxpayers to view 
and print a copy of their prior-year tax information, also known as a 
transcript, in a matter of minutes. Prior to the introduction of this 
online tool, taxpayers had to wait five to seven days after placing an 
order by phone or by mail to receive a paper transcript by mail. 
Taxpayers use tax transcript information for a variety of financial 
activities, such as verifying income when applying for a mortgage or 
student loan.

    During the 2015 filing season through May 22, 2015, taxpayers used 
WMR more than 217 million times. Without the WMR application, these 
contacts would have been driven primarily to our telephone application 
during a time when less than 40% of taxpayer calls were being answered.

    Before the Get Transcript application was shut down for security 
reasons, taxpayers had used that application to successfully obtain 
approximately 23 million copies of their recently filed tax information 
during the 2015 filing season. If this application had not existed and 
these taxpayers had to call or write us to order a transcript, it would 
have stretched our limited resources even further. That point is 
important to note, given our limitations during the past filing season. 
We would have been much less efficient in providing taxpayer service, 
not to mention the additional burden placed on taxpayers.

    The IRS considers many factors in making decisions around the 
appropriate level of identity proofing and authentication. Striking the 
right balance between a high level of confidence that the data and 
application are secure, and the ability of legitimate taxpayers to 
execute the authentication process and use the services, requires the 
IRS to make risk-based decisions. Today, striking the right balance 
between ease of access for legitimate taxpayers and protection of their 
data is an increasing challenge. As criminals obtain more personal 
information, authentication protocols need to become more 
sophisticated, moving beyond information that used to be known only to 
individuals but now, in many cases, is readily available to criminal 
organizations from various sources.

    The IRS continues to scrutinize and strengthen our authentication 
processes. In March 2015, we held a sit-down meeting with the leaders 
of the tax software and payroll industries and state tax 
administrators. We agreed to build on our cooperative efforts of the 
past and find new ways to leverage this public-private partnership to 
help battle identity theft.

    We formed three working groups, one focusing on authentication, 
that continue to meet. They have agreed on short-term solutions to help 
taxpayers in the next tax season, and continue to work on longer-term 
efforts to protect the integrity of the nation's tax system. We 
identified numerous new data elements that can be shared at the time a 
tax return is filed to detect stolen identity refund fraud. Some issues 
we're focusing on include:

        Reviewing the transmission of the return, including the 
improper or repetitive use of Internet Protocol numbers, and the 
Internet address from which the return is originating.

        Reviewing computer device identification data tied to the 
return's origin.

        Reviewing the time it takes to complete a return, so computer 
mechanized fraud can be detected.

        Capturing meta-data in the computer transaction that will 
allow review for fraud.

    This data will give us a stronger line of sight than ever before at 
the front end of the process and we believe this will help catch more 
bad returns immediately.

    We must balance the strongest possible authentication processes 
with the ability of taxpayers to legitimately access their data and use 
IRS services online. The challenge will always be to keep up with, if 
not get ahead of, fraudsters in this area. The eventual approaches to 
authentication may include a combination of continued IT investments as 
well as modified business processes.

    We continue to work with other federal agencies across government 
to identify best practices, leverage information and identify broader 
solutions. Ultimately, it is investment in our staffing and IT systems 
that will be critical to properly equipping the IRS to combat and 
prevent fraudulent and criminal activity.

    Question. Commissioner Koskinen, last month, I co-sponsored the 
Social Security Identity Defense Act of 2015 with Senators Johnson and 
Ayotte. This bill would require the IRS to notify an individual if the 
agency has reason to believe the individual's Social Security Number 
has been fraudulently used. It also requires that the IRS notify law 
enforcement and that the Social Security Administration notify 
employers who submit fraudulently used Social Security Numbers. In 
addition to this legislation, I have written to you on several 
occasions to understand what the IRS is doing to notify victims of tax-
related identity theft.

    What steps is the IRS taking to notify victims of this recent 
attack, and what will you be doing in the future to protect their tax 
information?

    Answer. Ensuring the security of our systems and the protection of 
taxpayers and their information are top priorities. Even with our 
constrained resources over the past few years, we continue to devote 
significant time and attention to these challenges. Ongoing data 
breaches involving other companies and organizations, through which 
criminals have been able to gather increasing amounts of personal data, 
make it even more challenging and difficult to protect taxpayers.

    In May, the IRS determined unauthorized third parties already had 
sufficient information from a source outside the tax agency before 
accessing the Get Transcript application. This allowed them to clear a 
multi-step authentication process, including several personal 
verification questions that typically are only known by the taxpayer.

    When the IRS first identified the problem in May, we determined 
that these third parties with taxpayer-specific sensitive data from 
non-IRS sources had cleared the Get Transcript verification process on 
about 114,000 total attempts. In addition, it appeared at that time 
that third parties made another 111,000 attempts that failed to pass 
the final verification step, meaning they were unable to access account 
information through the Get Transcript service.

    Since then, as part of the IRS's continued efforts to protect 
taxpayer data, the IRS conducted a deeper analysis over a wider time 
period covering the 2015 filing season, analyzing more than 23 million 
uses of the Get Transcript system. The new review identified an 
estimated additional 220,000 attempts where individuals with taxpayer-
specific sensitive data cleared the Get Transcript verification 
process. The review also identified an additional 170,000 suspected 
attempts that failed to clear the authentication processes.

    The IRS mailed letters to all taxpayers identified in May and later 
we also mailed letters to the population identified in August (as part 
of our continued analysis). To the taxpayers whose tax information was 
successfully obtained by unauthorized third parties, we are offering 
credit monitoring, at our expense. We strongly encourage the recipients 
of these letters to take advantage of the credit monitoring. We are 
also giving them the opportunity to provide us with the authentication 
documentation necessary to get an Identity Protection Personal 
Identification Number (IP PIN). This will further safeguard their IRS 
accounts and help them avoid any problems filing returns in future 
years. The IRS is marking all of the impacted accounts will indicators 
that will help identify and prevent any fraudulent returns from being 
filed under those SSNs.

    The Get Transcript application was shut down in May, and the IRS 
continues to work on strengthening the system. In the meantime, 
taxpayers have several other options to obtain transcripts.

    The IRS takes the security of taxpayer data extremely seriously, 
and we are working aggressively to protect affected taxpayers and 
continue to strengthen our systems.

    The matter remains under review by the Treasury Inspector General 
for Tax Administration as well as IRS Criminal Investigation.

    Question. Commissioner Koskinen, the nation's economy and 
Americans' personal and financial information are increasingly under 
threat from cyber-attacks aimed at stealing personal data. In recent 
years, hundreds of millions of Americans have had their information 
compromised through high-profile breaches at Target, Neiman Marcus, 
Michaels, Home Depot, JPMorgan and Anthem.

    I am working on a proposal to create a comprehensive, nationwide 
and uniform data breach law that is consistently applied and enforced 
across industries, and requires minimum data security standards and 
consumer notification for breaches of financial data and other 
sensitive information.

    This recent theft at the IRS of over 100,000 taxpayer records by 
sophisticated attackers is yet another example of how stolen personal 
data can perpetuate an even larger fraud problem. What is the IRS doing 
to understand and react to the newest developments in cyber-security 
and data breach?

    Answer. Cyber-security is a primary component of the IRS's 
information technology infrastructure. We use a proactive, layered set 
of cyber-defenses, and we assess risks in our management approach. The 
IRS's policy is to assume that a penetration can occur, and so we focus 
on prevention, constantly assessing our digital defenses, seeking to 
detect intrusions rapidly, quarantining infections, and taking prompt 
counter measures. The IRS works closely with partners in the Federal 
Government, such as: the Treasury Department's Government Security 
Operations Center (GSOC); the Department of Homeland Security's (DHS) 
Computer Emergency Readiness Team (US-CERT) as well as DHS's Government 
Forum of Incident Response and Security Team (GFIRST); and the Treasury 
Inspector General for Tax Administration (TIGTA).

    While the IRS has a long history of successfully defending against 
attempts to steal taxpayer data, constant vigilance is needed, as the 
Get Transcript incident shows. Currently, the IRS takes a very 
aggressive approach to protecting taxpayer data by: restricting 
internet access; encryption of taxpayer data for any transmission 
externally; content filtering and strict firewall policies, and network 
security monitoring. In fact, the IRS has developed a Cyber-security 
Strategy that is focused on managing information security risk on a 
continuous basis; monitoring the security controls in IRS information 
systems and the environments in which those systems operate on an 
ongoing basis; and maintaining ongoing awareness of information 
security, vulnerabilities and threats to support organizational risk 
management decisions. The critical risk to continuing to implement this 
strategy is not the sophistication or frequency of cyber-attacks, but 
instead is the IRS's current budget situation which has resulted in the 
reduction of Cyber-security staff and the inability to fill vacant 
positions. These skill sets and talents are under high demand across 
both the public and private sectors. The IRS's Cyber-security staff is 
currently 356 personnel, which is down from its high of 408 employees 
in FY 2012. The inability to hire and retain certified Cyber-security 
staff prevents the IRS from sustaining its vigilance against cyber-
attack.

    In addition to addressing the cyber-security issues of today, the 
IRS is working to anticipate the challenges of evolving technology used 
by taxpayers. The IRS is currently trying to move to a more robust 
interactive web-based means of interacting with taxpayers. The American 
people have grown accustomed to instant financial exchanges with 
lenders, brokers, and banks. The IRS believes that delivering top 
quality service to America's taxpayers requires catching up to those 
expectations in order to operate seamlessly but securely in a digital 
and global environment.

    This evolution will increase cyber-security risks, requiring more 
resilience and protection of data. In response to the recent fraud 
incident referenced in your question, we are reviewing multiple 
authentication policies and capabilities with particular focus on 
updating our e-Authentication system for accessing a variety of online 
applications. The IRS is researching internal capabilities as well as 
those available from third parties through existing and planned 
contracts. These options include, but are not limited to:

        Internal IRS configuration updates to limit fraud and 
vulnerabilities to scripting attacks;

        Implementing the ability to add additional levels of 
assurance;

        Layering additional capabilities such as multi-factor 
authentication to complement assurance gained through taxpayer 
interactions; and

        Third-party configuration changes to improve and strengthen 
out-of-wallet questions for applications with the ability to use this 
type of authentication, such as online payment options.

    We must balance the strongest possible authentication processes 
with the ability of taxpayers to legitimately access their data and use 
IRS services online. The challenge will always be to get ahead of our 
enemies in this area.

    In addition to e-authentication improvements, the IRS also plans to 
enhance return filing by conducting the Processing Year W-2 
Verification Code Pilot which will test the capability of a hash-based 
authentication code. The test will confirm the authenticity of Forms W-
2 data on a pilot population of e-filed Forms 1040. The pilot is one of 
multiple IRS efforts to develop capabilities for authenticating 
taxpayers, and taxpayer data, at the point of filing to prevent 
identity theft and first party refund fraud.

    And finally, Cyber-security and related initiatives submitted as 
part of the President's FY 2016 budget submission are specifically 
devoted to combating identity theft and refund fraud, as well as 
investing in critical information technology infrastructure. These 
initiatives will help enhance security in digital communications for 
taxpayers; provide leading-edge technologies to protect tax revenue 
through use of the IRS Return Review Program as well as advance IRS 
effectiveness in detecting, addressing, and preventing tax refund 
fraud; and improve taxpayer services with e-file authentication 
enhancements.

    Question. Commissioner Koskinen, it is my understanding that third-
party vendors have signed up with the IRS to access taxpayer 
transcripts via the Income Verification Express Service. What is the 
IRS doing to ensure that these third-party vendors that have signed up 
with the IRS to access taxpayer transcripts have appropriate safeguards 
in place and are not vulnerable to data breaches?

    Answer. The IRS discloses return information to an Income 
Verification Express Services (IVES) participant pursuant to the 
taxpayer's authorization and request pursuant to Internal Revenue Code 
(IRC) section 6103(c). The taxpayer provides this authorization by 
completing and signing Form 4506-T, Request for Transcript of Tax 
Return. Form 4506-T includes this important statement to the taxpayer:

        Caution. If the tax transcript is being mailed to a third 
        party, ensure that you have filled in lines 6 through 9 before 
        signing. Sign and date the form once you have filled in these 
        lines. Completing these steps helps to protect your privacy. 
        Once the IRS discloses your tax transcript to the third party 
        listed on line 5, the IRS has no control over what the third 
        party does with the information. If you would like to limit the 
        third party's authority to disclose your transcript 
        information, you can specify this limitation in your written 
        agreement with the third party.

    Once the IRS discloses the information to the IVES participant 
pursuant to a valid Form 4605-T authorization, the IRS generally has no 
legal control over what the third party does with the information.

    The IRS added a checkbox to Form 13803, IVES Applicant Agreement, 
listing additional limited use or non-disclosure restrictions. The 
checkbox states:

        By marking this box, you acknowledge that you have read 
        Publication 4557, Safeguarding Taxpayer Data, and will abide by 
        the guidelines of the publication. In addition, you agree to 
        use the taxpayer information you receive only for the 
        purpose(s) the taxpayer/requestor intended on the Form 4506-T. 
        Failure to complete this box will result in the application 
        being rejected and returned.

    By checking the box, each IVES applicant acknowledges these non-
disclosure restrictions as a condition of participating in the program. 
In addition, Publication 4557 addresses the responsibility of non-
government service providers to secure information systems and security 
systems in addition to facilities and personal security required.

                                 ______
                                 
       Submitted by Hon. Pat Roberts, a U.S. Senator From Kansas

                           The New York Times

                              May 28, 2015

      I.R.S. Data Breach May Be Sign of More Personalized Schemes
                           By Patricia Cohen
    The plot to steal information on 100,000 taxpayers from the 
Internal Revenue Service and hijack nearly $50 million in refunds not 
only reveals a previous security breach but hints at a wider fraud that 
may bedevil Americans in the future.

    Some security and tax experts warned that this latest data theft 
might be a prelude to more targeted schemes aimed at duping taxpayers 
into handing millions of dollars over to criminals or to help thieves 
circumvent the agency's security filters next year and beyond.

    ``This breach is not just about what this single group is going to 
do with the information, but what happens when this information gets 
sold on the black market,'' said Peter Warren Singer, the author of 
``Cybersecurity and Cyberwar: What Everyone Needs to Know.'' ``It's 
rare for the actual attackers to turn the information directly into 
money. They're stealing the data and selling it off to other people.''

    It is almost impossible to find a business or government agency 
that has not had some kind of security breach, he noted. Millions of 
customers at companies like Target and the private insurer Anthem have 
had data compromised. And this year, TurboTax temporarily halted 
electronic filing of state income tax returns after seeing an uptick in 
attempts to use stolen information to file fraudulent returns and 
wrongly claim tax refunds.

    With the I.R.S., it was not the agency's own system that was 
hacked. Criminals had already obtained individuals' Social Security 
Numbers, addresses and birth dates and then used the information to 
trick the network and gain access to taxpayers' returns and filings 
through an application on the I.R.S. website.

    ``There was no identity theft within the I.R.S.'s actual system,'' 
said Aaron Blau, a tax expert in Tempe, AZ. ``These people already had 
all of this data. They could have used this information to call your 
bank, your doctor, your insurance carrier, and they would have gotten 
through 100 percent of the time. In this case they chose to use the 
I.R.S.''

    Many Americans are being attacked more directly, Mr. Blau said. One 
popular scheme is to cold-call taxpayers and threaten them with 
prosecution if they do not immediately pay money supposedly owed to the 
I.R.S. by directing them to purchase a prepaid debit card and then 
transfer the money. Now, with more detailed information from returns, 
criminals could better target potential victims, and bolster their 
credibility with information stolen from taxpayer filings, Mr. Blau 
said.

    Reusable prepaid cards have become a magnet for fraud, according to 
law enforcement officials, with criminals often posing as bill 
collectors, government agents and others.

    Without more information about the individuals who were targeted, 
it is hard to know the endgame, said Marc Goodman, the author of 
``Future Crimes.'' Mr. Goodman noted that previous security breaches 
had sometimes been used to embarrass politicians, celebrities or 
corporate figures, and tax returns would provide a rich source of 
personal information.

    Although some critics have been quick to condemn the I.R.S., 
several tax experts said using this episode to vilify the agency was 
unfair.

    ``The I.R.S. takes data, privacy and data security extremely 
seriously,'' said Edward Kleinbard, a professor of law at the 
University of Southern California and former staff director of the 
Joint Tax Committee of Congress. ``They do their best, but the 
resources arrayed against it have become increasingly well-funded and 
sophisticated, and the problems will only compound over time.''

    William Gale, co-director of the tax policy center at the Brookings 
Institution, agreed that the issue extended beyond a single agency. ``I 
don't think this is an I.R.S. problem per se. It is facing the same 
problems that all the major data providers have.''

    The I.R.S. has repeatedly said that protecting taxpayer information 
and combating fraud were priorities. Half of the attempted information 
thefts were rebuffed through a system of filters that are used to 
detect fraud, the agency said.

    Still, there is little debate that its efforts have been hampered 
by budget cuts. Just two months ago, an agency overseer issued what now 
seems to be a prescient warning.

    ``Resources have not been sufficient for the I.R.S. to work 
identity theft cases dealing with refund fraud, which continues to be a 
concern,'' J. Russell George, the Treasury Inspector General for Tax 
Administration, testified before a Senate subcommittee.

    The agency's budget has been cut by 17 percent over the last four 
years after taking inflation into account, and its work force, now at 
roughly 83,000, has been reduced by 12,000. This year, John A. 
Koskinen, the I.R.S. commissioner, warned that impending budget cuts 
would have devastating effects, including the delay of new protections 
against identity theft and refund fraud.

    Chuck Marr, director of federal tax policy at the Center on Budget 
and Policy Priorities in Washington, said that the agency has been 
starved for funds: ``The Congress has been targeting the I.R.S. for 
years.''

    Nina E. Olson, who leads the Taxpayer Advocate Service, an 
independent office at the I.R.S., has criticized the agency for its 
handling of identity theft cases.

    In her annual report, she noted that victims often must ``navigate 
a labyrinth of I.R.S. operations and recount their experience time and 
again to different employees. Even when cases remain in one I.R.S. 
function, they may be transferred from one assistor to another with 
significant periods of non-activity.'' On average, the agency took 
nearly six months to resolve cases.

    She added that cases were also frequently closed prematurely, 
``before all related issues have been fully addressed.''

    Her office recommended that a single officer be assigned to handle 
each case.

    In an email, she spoke to a broader issue: ``While granting 
taxpayers enhanced access to their tax information remains a laudable 
goal, the overriding priority must be to protect taxpayers' 
confidential tax information from exposure.''

    As for this most recent data theft, the I.R.S. urged taxpayers not 
to contact the agency, saying it would only delay the already 
overburdened staff. Anyone whose information was stolen will be 
contacted, the agency said.

    The best advice at this stage, Mr. Blau, the tax expert, said, is, 
``Hurry up and wait.''

                                 ______
                                 
                 Prepared Statement of Hon. Ron Wyden, 
                       a U.S. Senator From Oregon
    Three months ago, the Finance Committee met in a hearing on the 
latest ID theft and other scams plaguing taxpayers, and I said that 
wave of attacks sure looks to me like organized crime. Today, we meet 
after 104,000 tax returns have been hoovered up by what appears to be a 
sophisticated organized crime syndicate.

    This problem continues to spiral, with hackers targeting Federal 
agencies, State governments including Oregon's, and private companies 
alike to steal money and data. One recent report from the Department of 
Homeland Security said federal agencies' computer systems come under 
attack hundreds of times a day, tens of thousands of times a year.

    The investigation of the stolen tax returns is ongoing as of this 
morning. But once again, it seems the thieves are one step ahead of the 
authorities. They gained access to enormous amounts of personal data, 
which is up for purchase at extraordinary cost in the Internet's 
shadowy corners. These rip-off artists used that data to slip past the 
security filters at the IRS and steal taxpayers' most sensitive 
financial information.

    So in my view, it's fair to say that once again, this conduct fits 
the definition of organized crime.

    The thieves who steal taxpayer information could wipe out people's 
life savings and leave them in financial ruin. They could falsify tax 
returns next year or further down the road. They could take out huge, 
fraudulent home or student loans. And on a bigger scale, the money 
stolen in this cyber-crime wave could be funneled into more criminal 
activity. It could wind up in war zones. There's a possibility that it 
could fund acts of terrorism without being traced.

    Just like when the White House and the Department of Defense were 
targeted in the past, this was an attack on Americans' security. I will 
be very direct about what's needed here. To protect taxpayers from this 
onslaught of cyber-crime, the IRS needs a 21st-century IT system.

    This is not just a question of resources, and certainly it is not a 
lack of commitment from the IRS staff. It's also a question of 
expertise. The era of punch cards and paper forms ended long ago. 
Federal agencies like the IRS need to tap into the expertise of our 
leading web firms--the pros who serve not millions or tens of millions, 
but hundreds of millions of users.

    That expertise will allow the IRS to avoid the pitfalls of the past 
and to implement a 21st-century IT system that protects taxpayers' 
privacy, catches hackers and cheats, and funds the government as 
efficiently as possible. When that system is in place, Congress must 
step up and appropriate the funds necessary to manage it effectively.

    Legislators would not call for the DOD or White House security 
budgets to be slashed after cyber-attacks, but the IRS's security 
funding has been shrinking for years. No company would try to defend 
against modern cyber-criminals with technology that's 20 or 30 years 
old, but that's what the IRS is stuck using in the absence of the 
expertise and resources to serve the American taxpayer.

    Congress could also make sure the IRS has the information it needs 
to mount the strongest possible fight against fraudsters. If the IRS 
had access to the data on 
W-2 and 1099 forms from the very beginning of tax season, it would be 
much easier to catch fraudulent returns early and save taxpayers the 
nightmare of a stolen refund. Senator Hatch and I developed a 
bipartisan proposal to add an extra level of security by expanding the 
program that distributes unique passwords for individual taxpayers to 
use when they file.

    And when taxpayers do become victims of fraud, they should get more 
help undoing the damage quickly and restoring their credit.

    It should be clear to everybody that beefing up cyber-security at 
the IRS must be a top priority and draw on the tech expertise that 
exists in Oregon and in states across the country. So it's my hope that 
our hearing today will set aside politics and focus on fresh ideas of 
how to best protect taxpayers.

                                   [all]