Vermont tax preparer gets IRS to change its data privacy policy, but it may be too little too late

The Internal Revenue Service has changed its data privacy policy after a six-year debacle involving hundreds of email-based phishing scams and one Vermont tax preparer who was determined to stop them.

Steve Cairns, owner of Advisor Tax Services in Stowe, fought for six long years to get the IRS to change how it handles personal information of tax preparers and taxpayers — especially their private email addresses.

Courtesy of the Internal Revenue Service

Internal Revenue Service logo

The agency’s 2011 policy required all tax preparers to provide clients’ personal and business email addresses when filing, making them vulnerable to cyber hackers and anyone requesting such information through the Freedom of Information Act.

RELATED: Vermont tax practitioner: IRS putting tax professionals at risk of cybercrime

In an interview with True North, Cairns said he “lost it” when he heard about the policy. He began calling as many people as he could, including the Taxpayers Advocate Service, Security Summit, his own personal liaison, various media outlets and U.S. Sen. Patrick Leahy’s office in Burlington.

“I tried Katherine Long at Leahy’s office off and on for a year or so,” Cairns said. “[Then] I pretty much dropped the issue.”

Then in January 2017, the IRS issued a statement saying it would be posting a spreadsheet on its website that provided 700,000 personal email addresses that could be accessed by anyone, stoking Cairns’ interest once again.

“[I had] been trying for years to get this to stop and here they are making it free to the world,” Cairns said.

When he contacted Leahy’s again, he wasn’t surprised to hear that no action was taken, even after multiple attempts. “[Long] admitted to dropping the ball a few years ago and never getting around to it,” Cairns said.

But Long eventually did contact IRS on behalf of Cairns, and the service responded by saying it was required to make the emails public per the FOIA Improvement Act of 2016. Cairns didn’t find that answer acceptable.

“We are private citizens, you have no right to do that,” he remembers saying in protest. “I wrote a letter to the IRS saying ‘I want my email address to be removed.’ I got a nice letter back saying, ‘No, you can’t do that.’”

After years of trying, Cairns finally got a breakthrough. Last month, Long forwarded Cairns an email sent from the IRS District Congressional Liaison. The brief statement read:

Effective December 1, 2017, the electronic listings on IRS.gov containing information about Preparer Tax Identification Number (PTIN) holders and Enrolled Agents will no longer include their email addresses. This decision has been made after carefully considering the challenges related to the interests of data security and protection, especially those directed at tax return preparer information.

Cairns says he was elated, but still not entirely satisfied. He said while it’s good news that sensitive data will longer be available to the public, the sensitive information that was already exposed over the past years continues to be at risk of falling into the wrong hands.

In 2017 alone, 200 tax return offices were penetrated by hackers, Cairns said.

“This year, who knows what will happen,” he said. “Because all those emails are still out there, nobody is being protected.”

Briana Bocelli is a freelance writer for True North Reports. She lives in the Northeast Kingdom and is a senior at Castleton University.

Images courtesy of Wikimedia Commons/Matthew G. Bisanz and Courtesy of the Internal Revenue Service

One thought on “Vermont tax preparer gets IRS to change its data privacy policy, but it may be too little too late

Comments are closed.