Chief Compliance Officer Committee
Chief Information Security Officer Committee
Compliance Advisory Committee
Operations Committee
Privacy Issues Working Group
Tax Committee
Transfer Agent Advisory CommitteeSUBJECTS:Compliance
Cybersecurity
Privacy
TaxRE:IRS Notices of Tax Information Breach
Several ICI member firms have reported receiving notifications from the Internal Revenue Service (IRS) informing them that their funds' tax information was leaked as part of the "Littlejohn" data breach at the IRS. These notices state that a former IRS contractor "has been charged with the unauthorized inspection or disclosure of your tax return or return information," and specify the tax years for which the funds' tax information was breached. The notices inform taxpayers of their rights under federal tax law to civil claims,[1] and provide an email address for questions related to the matter (Notification.7431@irs.gov). Some members reported receiving the first round of notices in Spring 2024, and additional members reported receiving notices recently (December and January). A law firm article describing these notices indicates that the December notices were sent to taxpayers that had not previously been notified (in the spring), and the IRS would notify more taxpayers as they are identified.[2] The notices are addressed to specific funds, with some members reporting many notices for funds they manage.
The notices include little detail. They do not indicate what data was breached, how it was used, how widely it may have been circulated, or whether the breached data was the fund's tax information, or shareholder tax information. Several members consulted advisors to determine whether the fund had any obligation to inform shareholders of the data breach. Several members also expressed concern that contacting shareholders would imply that the fund was somehow involved in the data breach, when they weren't, as the data was leaked by a former IRS contractor.[3]
In May, the IRS published a news alert with some additional general information about the data breach.[4] Additionally, an advisor shared with ICI an example of a follow-up letter the IRS sent to several of the advisor's clients. Both the news alert and follow-up letter indicate that the IRS is directly contacting all taxpayers with breached data:
"Among other things, we are continuing to contact any additional impacted taxpayers that we identify, including Form K-1 recipients that may have had their information disclosed. Of particular relevance for individual taxpayers, the IRS has in place screening and review procedures to identify and address potential identity theft and/or tax refund fraud."
While this letter references "Forms" (Schedules) K-1, one member reported receiving a letter that references Forms 1099. Forms 1099 include tax information about both the payor (the fund) and the payee (shareholder), such as: name, address, taxpayer identification number, and information about the dividends paid by that fund to that shareholder. If a fund's Form 1099-DIV to a shareholder was leaked, the IRS letter quoted above implies that it would separately and independently inform both the payor (the fund) and the payee (the shareholder) that their data was breached. The notices that ICI members have received inform them that the fund's tax information was breached.
While we cannot advise members on their responses (if any) to these IRS notices, it may be helpful to reference the IRS news release and follow-up letters, and to know that the IRS intends to contact all taxpayers (including fund shareholders) who had data breached. Contact michael.horn@ici.org or 202.326.5832 or katie.sunderland@ici.org or 202.326.5826 if you have additional information to share or would like to discuss these notices.
Mike Horn
Deputy General Counsel - Tax
Notes
[1] Internal Revenue Code §7431.
[2] https://www.morganlewis.com/pubs/2024/12/irs-issues-second-littlejohn-victim-notices-but-questions-remain.
[3] To date, we are not aware of any firms that have informed shareholders of the data breach.
[4] https://www.irs.gov/newsroom/irs-communication-on-data-disclosure