Welborn v. Internal Revenue Serv.

Decision Date: 02 November 2016
Docket Number: Civil Action No. 15–1352 (RMC)
Citation: 218 F.Supp.3d 64
Parties: Becky WELBORN, et al., Plaintiffs, v. INTERNAL REVENUE SERVICE, et al., Defendants.
Court: U.S. District Court — District of Columbia

Steven William Teppler, Abbott Law Group P.A., Jacksonville, FL, John Yanchunis, Marcio W. Valladares, Patrick A. Barthle, II, Morgan & Morgan Complex Litigation Group, Tampa, FL, Michele M. Vercoski, Richard D. McCune, McCune Wright, LLP, Redlands, CA, for Plaintiffs.

John Kenneth Theis, Joseph Evan Borson, U.S. Department of Justice, Washington, DC, for Defendants.

OPINION

ROSEMARY M. COLLYER, United States District Judge

Becky Welborn, Wendy Windrich, and Beth DuPree, on behalf of a proposed class, allege that the Internal Revenue Service, IRS Commissioner John A. Koskinen, and IRS employees, identified as Does 1–100, violated their rights under the Privacy Act, 5 U.S.C. § 552a; the Administrative Procedure Act, 5 U.S.C. § 701 et seq.; and the Internal Revenue Code, 26 U.S.C. § 6103, by disclosing or failing to prevent the disclosure of their personal identification information to third parties. The Defendants have filed a motion to dismiss, which is meritorious. The Complaint will be dismissed.

I.
A. Background

The IRS administers and enforces the U.S. tax code. The Commissioner's role is to "ensure[ ] that the agency maintains an appropriate balance between taxpayer service and tax enforcement and administers the tax code with fairness and integrity." Am. Compl. [Dkt. 22] ¶ 29. In that role, the Commissioner is "responsible for establishing and interpreting tax administration policy and for developing strategic issues, goals and objectives for managing and operating the IRS." Id.

The IRS "maintains a significant amount of personal and financial information" on each taxpayer and is, therefore, obligated to protect the confidentiality of that information. Id. ¶ 36. The Federal Information Security Management Act of 2002 (FISMA), 44 U.S.C. § 3541 et seq., "was enacted to strengthen the security of information and systems within federal government agencies," such as the IRS. Am. Compl. ¶ 36. FISMA requires federal agencies to evaluate periodically the "agency's information security programs and practices." Id. ¶ 37. FISMA specifically requires:

(1) annual agency program reviews; (2) annual Inspector General evaluations; (3) agency reporting to the Office of Management and Budget ("OMB") the results of Inspector General evaluations for unclassified software systems; and (4) an annual OMB report to Congress summarizing the material received from agencies.

Id. To assist Inspectors General in evaluating agency systems, the Department of Homeland Security (DHS) specified eleven (11) information-security program areas and listed the specific attribute(s) within each area that should be evaluated. The eleven areas that were identified for evaluation under FISMA comprised:

(1) continuous monitoring management; (2) configuration management; (3) identity and access management; (4) incident and response reporting; (5) risk management; (6) security training; (7) plan of action and milestones; (8) remote access management; (9) contingency planning; (10) contractor systems; and (11) security capital planning.

Id. The Treasury Inspector General for Tax Administration (TIGTA) is responsible for evaluations of the information security programs at the Department of Treasury, including the IRS. In its Fiscal Year 2014 FISMA report, TIGTA "found four security programs that were not fully effective due to one or more DHS guideline program attributes that were not met," id. ¶ 42, and that two security program areas "did not meet the level of performance specified by the DHS guidelines due to the majority of the specified attributes not being met," id. ¶ 43.

The President signed the Federal Information Security Modernization Act of 2014 ("Modernization Act") into law on December 18, 2014. Pub. L. No. 113–283, 128 Stat. 3073 (2014). This statute amended FISMA, retaining the authority of the Director of the Office of Management and Budget for oversight and authorizing the Secretary of DHS to administer its implementation by way of improved security policies and practices across the Executive Branch.

B. Breach of the IRS "Get Transcript" On–Line Program

The IRS launched the Get Transcript online application in January 2014 to allow "taxpayers to view and print a copy of their prior-year tax information." Am. Compl. ¶ 31. The purpose of Get Transcript was "to provide taxpayers with self-service and electronic service options in the form of web-based tools." Id. During the 2015 filing season, the Get Transcript software tool was used by taxpayers "to obtain approximately 23 million copies of their recently filed tax information." Id. ¶ 61. The IRS noticed unusual activity in the Get Transcript system in mid–May 2015, which led to the discovery of "questionable attempts to access the Get Transcript application." Id. Get Transcript was shut down on May 21, 2015.

Upon further investigation, the IRS discovered that 330,000 tax-related documents were stolen during a cyber attack that extended from mid-February to mid–May 2015. Id. Plaintiffs allege that the Commissioner reported to the U.S. Senate Finance Committee on June 2, 2015 that "hackers made 200,000 attempts on the ‘Get Transcript’ page, approximately half of which were successful." Id. ¶ 5 (emphasis removed). According to reports from the IRS, one or more individuals succeeded in bypassing the program's authentication process to access taxpayer records. Id. ¶ 62. The information stolen included a wide range of taxpayer information, including personal identification information (identified by the parties as "PII").

Plaintiffs further allege that TIGTA had recommended greater security on Get Transcript but the IRS chose "to roll out a more simple authentication method to encourage use," despite knowing that it "was vulnerable and insecure." Id. ¶¶ 12–13.

C. Plaintiffs' Private Data

In June 2015, Ms. Windrich learned of fraud arising from the mis-use of her tax records when she received a letter from the IRS informing her that an electronic tax return had been processed and a refund deposited, although Ms. Windrich had submitted her tax return via the U.S. Postal Service. As a result, Ms. Windrich and her husband "spent more than 30 hours dealing with the ramifications." Id. ¶ 76. Ms. Windrich "reasonably believes that her PII was compromised and obtained by the cybercriminals through the IRS systems." Id. The IRS now prohibits her and her husband from submitting electronic tax returns and she alleges that she "is at a heightened risk of further identity theft requiring her to pay indefinitely for on-going credit monitoring." Id.

Over the summer of 2015, Ms. Welborn was alerted to possible fraud through a duplicate joint tax return that an unknown person or persons submitted to the IRS in her name. As a result, Ms. Welborn and her husband also "spent dozens of hours dealing with the ramifications." Id. ¶ 83. Ms. Welborn "had to change all of their bank account numbers, file a police report, place fraud alerts with all three credit agencies, file a report with the Federal Trade Commission, submit a fraud affidavit to the IRS, and request written copies of her family's credit reports from the three credit agencies." Id. As is Ms. Windrich, Ms. Welborn is now prohibited by the IRS from submitting her tax returns online. She alleges that she "is at a heightened risk of further identity theft requiring her to pay indefinitely for on-going credit monitoring." Id. ¶ 84.

Ms. DuPree "was notified by a letter dated August 31, 2015 from the IRS that criminal actors potentially used her personal information to view her tax information through the IRS's Get Transcript application on IRS.gov." Id. ¶ 85. Ms. DuPree and her husband "spent numerous hours dealing with the ramifications," id. ¶ 89; specifically, Ms. DuPree "has been the victim of at least two occasions of fraudulent activity in her financial accounts ... after the IRS data breach," id. Ms. DuPree "had to hire an attorney to investigate the fraudulent activity," is no longer eligible for electronic tax return filing, and alleges that she "is at a heightened risk of further identity theft requiring her to pay indefinitely for on-going credit monitoring." Id. ¶¶ 90–91. Overall,

Plaintiffs request damages to compensate them for their current and future losses and injunctive relief to fix the IRS's security protocol, implement TIGTA's audit recommendations, implement President Obama's executive order focused on improving the security of consumer financial transactions, to [sic] provide adequate credit monitoring services for a sufficient time period, and to [sic] provide after-the-fact identity repair services and identity theft insurance to protect Class members from fraud and/or identity theft.

Id. ¶ 15.

D. Procedural History

Plaintiffs filed an Amended Class Action Complaint on January 6, 2016 seeking damages and injunctive relief. See Am. Compl. [Dkt. 22]. Plaintiffs allege that (1) Defendants violated the Privacy Act by intentionally and willfully failing to comply with FISMA and the Modernization Act, thereby allowing the disclosure of Plaintiffs' personal identifying information; (2) Defendants' failures to comply with FISMA and the Modernization Act were arbitrary and capricious, or otherwise violated the Administrative Procedure Act (APA); and (3) Defendants violated the Internal Revenue Code (Code) by disclosing, or allowing the disclosure of, Plaintiffs' personal identifying information to criminals. Plaintiffs intend their suit to be a class action and define that class as "[a]ll Tax filers of the United States and their spouses and/or dependents whose PII was compromised as a result of the ‘Get Transcript’ application data breach." Id. ¶ 92.

Defendants moved to dismiss the Amended Complaint for lack of subject matter jurisdiction, Fed. R. Civ. P. 12(b...

21 cases
  • Dinerstein v. Google, LLC, No. 19 C 4311
    • United States
    • U.S. District Court — Northern District of Illinois
    • September 4, 2020
    ...since the complaint does not suggest that the plaintiffs could sell their personal information for value"); Welborn v. Internal Revenue Serv., 218 F. Supp. 3d 64, 78 (D.D.C. 2016) ("Courts have routinely rejected the proposition that an individual's personal identifying information has an ......
  • Fero v. Excellus Health Plan, Inc.
    • United States
    • U.S. District Court — Western District of New York
    • February 22, 2017
    ...personal data for fraudulent purposes, or both." Khan, 188 F.Supp.3d at 531; see Welborn v. Internal Revenue Serv., No. CV 15-1352 (RMC), 218 F.Supp.3d 64, 77, 2016 WL 6495399, at *7 (D.D.C. Nov. 2, 2016) (finding that plaintiffs who alleged that "they ha[d] suffered actual identity thef......
  • Bancroft Global Dev. v. United States
    • United States
    • U.S. District Court — District of Columbia
    • August 27, 2018
    ...showing that a disclosure was unauthorized—that is, that the disclosure violated § 6103." Defs.' Mot. at 16 (citing Welborn v. IRS, 218 F.Supp.3d 64, 83 (D.D.C. 2016)).4 The Government claims that Counts IV, V, and VI are "merely consistent with the possibility of an unlawful disclosure,......
  • In re U.S. Office of Pers. Mgmt. Data Sec. Breach Litig.
    • United States
    • U.S. District Court — District of Columbia
    • September 19, 2017
    ...suffered an injury" but ultimately holding they did not have standing because they failed to allege causation); Welborn v. IRS, 218 F.Supp.3d 64, 76–77 (D.D.C. 2016) (holding that plaintiffs who alleged actual identity theft in the form of false tax returns filed in their names pled injury......