Tax Returns Expose Social Security Numbers to Public: Update

(1)

Social Security Numbers

to Public: Update

Analysis of 3.8 Million Public IRS Form 990 Tax Returns Reveals

Thousands of Data Breaches, 630,000 SSNs Online

February 25, 2014

Identity Finder, LLC

Identity Finder’s Sensitive Data Manager technology has analyzed more than

3.8 million non-profit organizations' tax returns, and discovered an alarming

pattern: Since 2001, Identity Finder estimates that the IRS and non-profits

have published more than 630,000 social security numbers in tax form

990s, which remain permanently in the public domain. This 2014 report

discusses the analysis with new information revealed in the last two years.

The practice of including social security numbers in public tax documents is

decreasing year after year, but many organizations have published lists of

names and social security numbers, unwittingly placing personal information

permanently within reach of identity thieves. Hundreds of thousands of

individuals now face the prospect of living the rest of their lives at increased

risk of identity fraud.

While the problem is still growing, it is doing so at a diminishing rate.

Organizations that take stock of sensitive data, and employ sensitive data

management practices can avoid leaking information like social security

numbers, intellectual property, and other sensitive information.

(2)

United States tax exempt organizations must file an annual tax return using the Internal Revenue Service (IRS) Form 990. Unlike personal tax returns on Form 1040, Form 990s are public documents. As such, they should not contain any personally identifiable information (PII) such as social security numbers (SSNs) yet even today some organizations append lists of individual’s SSNs.

More than 130,000 nonprofit organizations have published an estimated 630,000 SSNs since 2001, belonging to high school and college scholarship recipients, community foundation recipients, board members and employees, and in rare cases even donors. In addition, tax preparers sometimes identify themselves using their SSN rather than their Preparer Tax Identification Number (PTIN).

Identity Finder previously published an analysis of approximately 2.9 million Form 990s for tax years 2001 through 2006 (http://www.identityfinder.com/us /Files/TaxReturnExposure.pdf). In an effort to update and quantify the extent of these practices in recent years, Identity Finder searched 955,737 IRS Form 990 tax returns filed for years 2012 through the first half of 2013, belonging to 647,539 organizations. Using the Identity Finder Sensitive Data Manager 7.1 software’s Optical Character Recognition (OCR) Image Search module and Identity Finder’s powerful data discovery engine, AnyFind™, the software discovered that for the 1 1/2-year period, 2,391 nonprofit organizations published a total of 11,361 social security numbers on their tax returns. Of those, 7,255 SSNs were unique.

Identity Finder has notified the IRS, which determined that "there is low risk of SSNs being improperly included in new Form 990 filings," and made no commitments to remove SSNs from existing documents, but promised to "aggressively reach out to remind exempt organizations not to include SSNs or other unneeded personal information on the filings." Identity Finder counters that thousands of social security numbers have entered the public domain in 2012 and 2013 and more than a half-million social security numbers have been published since 2001. To reduce the risk further, the IRS should scan and remediate all documents before putting them in the public domain and organizations should be more diligent in reviewing them before filing with the IRS.

Key findings for tax years 2012-2013 include:  955,737 Form 990s contained 11,361 SSNs, of

which 7,255 were unique.

 Approximately 3,000 SSNs (26% the total) belonged to tax preparers who did not use their PTIN.

 The primary populations affected by Form 990 SSN exposures were: Tax Preparers, Scholarship Recipients, Directors, Trustees, Employees, and Donors.

 Nonprofit organizations published varying amounts of personal information; some reported no identifying information at all; some published scholarship recipient names; and some published names, full addresses, SSNs, and detailed transaction information. Key Recommendations:

 The IRS should take all available steps to eliminate SSNs from these public documents.  Donors should never share their social

security number with charities.

 Scholarship applicants should always require any organization to justify a request for his or her social security number and should not be afraid to decline to provide it.

 Organizations should avoid placing personal information (especially SSNs) on public documents such as court documents.

 Nonprofit organizations who learn they have published SSNs should warn those affected that their names and SSNs are part of a document on public record and that they may be at increased risk of identity fraud.

 College foundations should analyze whether exposure of student PII and scholarship information on Form 990s violates provisions of the Family Educational Rights and Privacy Act of 1974 (FERPA).

 Tax preparers should provide their PTIN rather than their SSN on tax documents.

 Tax preparers should review IRS forms they approve to ensure no personally identifiable information is unnecessarily disclosed.

 The IRS, courts, and private stewards of public documents should use sensitive data management solutions to prevent the disclosure of PII.

(3)

Background

Each year, non-profit organizations organized under sections 501(c), 527, and 4947(a)(1) must file a tax return with the United States Internal Revenue Service (IRS) using Form 990.1_{These organizations}

include charities, charitable trusts, and scholarship foundations.

Identity Finder previously published an analysis of approximately 2.9 million Form 990s for tax years 2001 through 2006 in April, 2012, titled, Tax Returns Expose Social Security Numbers to Public, located here:

(http://www.identityfinder.com/us/Files/TaxReturnEx posure.pdf). 472,866 SSNs were previously found. The IRS Form 990 is marked “Open to Public Inspection” as a warning to organizations that they should not include non-public personal information (NPPI) on the form (See Figure 1a and 1b).2_{The IRS}

scans each submitted Form 990 and makes the images available to the public. According to IRS Form 4506-A, “Exempt or political organizations must make their returns, reports, notices, and exempt applications available for public inspection. You can visit the organization to inspect the material instead of requesting it from the IRS.”3_{The forms may}

alternatively be accessed through intermediaries such as Guidestar,4_{Foundation Center,}5_{the National}

1_{Internal Revenue Service. (2013). Instructions for Form 990 Return}

of Organization Exempt From Income Tax. Retrieved February 10, 2014, from http://www.irs.gov/pub/irs-pdf/i990.pdf.

2 _{Internal Revenue Service. (2013). Form 990: Return of}

Organization Exempt From Income Tax. Retrieved February 10, 2014, from http://www.irs.gov/pub/irs-pdf/f990.pdf.

3_{Internal Revenue Service (July, 2013). Form 4506-A Request for}

Public Inspection or Copy of Exempt or Political Organization IRS Form. http://www.irs.gov/pub/irs-pdf/f4506a.pdf

4 _{GuideStar USA, Inc. is a 501(c)(3) nonprofit organization whose}

website is located at http://www.guidestar.org/. Retrieved February 10, 2014.

5_{The Foundation Center produces an intuitive “990 Finder” where}

any member of the online public may search for filed Form 990s by Organization Name, State, Zip Code, EIN, or Fiscal Year, at no cost. 990 Finder. Retrieved February 10, 2014 from http://foundationcenter.org/findfunders/990finder/.

Center for Charitable Statistics,6_{Public.Resource.Org,}7

or dozens of other sources online.

Figure 1a: Title Block of the 2000 IRS Form 990 reading

“Open to Public Inspection” on bottom right.

Figure 1b: Title Block of the 2011 IRS Form 990 reading

“Open to Public Inspection” on bottom right.

Identity Finder obtained 955,737 Form 990s for tax years 2012 through the first half of 2013. All tax documents were either TIF images or PDF documents (See Figure 2). Using the Optical Character Recognition (OCR) feature in Identity Finder Sensitive Data Manager 7.1, Identity Finder searched each document for social security numbers.

6_{The National Center for Charitable Statistics produces a free web}

tool to search for filed Form 990s by Organization Name, State, Zip Code, or EIN. NCCS – Search Active Organizations. Retrieved

February 10, 2014 from http://nccsdataweb.urban.org/PubApps/search.php.

7 _{Public.Resource.org is a nonprofit corporation dedicated to}

“Making Government Information More Accessible,” by publishing public-domain documents at no cost. Retrieved February 10, 2014 from https://public.resource.org/.

(5)

Figure 2: Example Scanned Image PDF Form 990 Publicly Available on Internet

Purpose of the Study

The purpose of this study is to raise awareness of this important issue, decrease the amount of sensitive data entering public tax documents, and encourage the IRS to eliminate sensitive data currently in public documents. SSNs are NEVER required to be included on a Form 990 tax return.

By raising awareness of this problem with quantitative analysis, Identity Finder hopes to:

1. Enable individuals to better protect themselves from future occurrences.

2. Encourage not only non-profit organizations, tax preparers, and government agencies, but also corporations to adopt leading practices for data leakage prevention.

3. Alert the public to identity fraud threats not generally known.

Although this study is limited to IRS Form 990s filed for tax years 2012 through the first half of 2013, other bodies of public government documents could contain sensitive personal information that may be used to commit identity fraud. These include but are not limited to professional licensing documents, state and federal court filings, SEC filings, and property documents.

In addition, every year each one of us must file our taxes to the federal government for personal income. Individuals must document their SSN on the Form 1040, however draft and final copies of this form are stored on our computers, in our email, on our accountant’s computer, in our accountant’s email, on the servers that are used for email processing, and potentially within cloud based file storage systems. None of these locations should contain a copy of a Form 1040 with a clear text SSN. All too frequently, a copy of a tax return is forgotten and accidentally exposed through peer to peer file sharing, after obtaining a virus or other malware, by losing a laptop, or by discarding a computer without properly wiping its content.

While the analysis in this whitepaper is focused on Form 990s, the lessons learned must be applied more broadly to Form 1040s, public government documents, and sensitive data containing PII stored by enterprises. The advances in mobile devices and cloud

storage only encourage data sharing. Convenience now makes it too easy for a corporation to leak sensitive information outside their control.

Outreach

Identity Finder has contacted the top 100 organizations responsible for exposing the largest number of social security numbers, with suggestions for remediating the tax forms when possible.

Identity Finder also sent a letter to the IRS with the findings of the previous report and offered to assist the IRS with remediating their public documents; the IRS has thus far declined offers for assistance.

In response to Identity Finder's prior report, Amy Stanton, Director of the Office of Privacy and Information Protection at the Internal Revenue Service, sent a letter to Identity Finder which states, in part, "The IRS conducted an internal review of the Form 990 series. After reviewing a statistically valid sample of recent filings, the IRS confirmed that there is low risk of SSNs being improperly included in new Form 990 filings. Given the low risk, the IRS resumed the release of new Form 990 series to third-party groups in September [2013]…. However, the IRS will periodically conduct a statistically valid sample of new Form 990s to ensure that the risk remains low." (See Appendix A: November 15, 2013 Letter from IRS) However, thousands of social security numbers have entered the public domain in 2012 and 2013, and more than a half-million social security numbers have been published since 2001. Using homegrown or off the shelf sensitive data management technology to automate a process, the IRS could scan all Form 990 filings rather than only review a statistically valid sample. Given this isn’t a practice they currently employ, organizations must be more diligent in reviewing forms before sending to the IRS as they will be made public.

Discovery Methodology

Identity Finder used the same discovery methodology described in the April 9, 2012 report. We refer you to that document for details about the discovery methodology.

Identity Finder scanned all files with the Optical Character Recognition (OCR) Image Search module of Sensitive Data Manager 7.1. All files were either in an image format or a PDF document containing images. Identity Finder’s Sensitive Data Manager performs

(6)

data discovery by automatically converting all images to text and then searching the resultant text using its AnyFind engine. Sensitive Data Manager's industry-leading accuracy is due to its use of validation algorithms, contextual analysis, proximity checks, industry checksums, thresholds, and a variety of proprietary and user customizable settings.

Findings and Statistics

The data demonstrated that nonprofit organizations required to file a Form 990 publish remarkably inconsistent amounts of PII about scholarship recipients, board members, employees, and donors. Fortunately, the majority of Form 990s contain no identifying information at all. Many contained no identifying information except for the tax preparer’s SSN. However some Form 990s contained lists of recipients and some contained names, full addresses, SSNs, and detailed transaction information.

Surprisingly, at least one quarter of all exposed SSNs belonged to the tax preparer, who could have and should have used a PTIN instead of their SSN. Many of the exposures affect student scholarship recipients. Note that this percentage went down from Identity Finder’s previous analysis when approximately one third of the exposed SSNs belonged to tax preparers.

Organizations Included in the Study

647,539 organizations filed 955,737 Form 990, 990-PF (for Private Foundations), Form 990-EZ (Short Return) or a schedule to one of those forms, during tax years 2012 or the first half of 2013. Each of these forms was included in this study (See Figure 4).

Figure 3: Form 990 Types Searched

Month, Year 990s Filed Organizations

Jan, 2012 37,400 35,381 Feb, 2012 26,089 24,622 Mar, 2012 46,357 44,230 Apr, 2012 32,572 31,097 May, 2012 46,125 44,831 Jun, 2012 91,130 87,234 Jul, 2012 40,533 38,001 Aug, 2012 37,352 35,417 Sep, 2012 50,564 48,816 Oct, 2012 95,038 93,026 Nov, 2012 73,517 71,158 Dec, 2012 118,638 115,058 Jan, 2013 30,629 28,379 Feb, 2013 39,051 37,300 Mar, 2013 56,399 53,309 Apr, 2013 27,880 26,375 May, 2013 56,111 53,873 Jun, 2013 63,916 61,408 Total 955,737 (Sum) 647,539 (Unique)

Figure 4: Table of Unique Organizations' Form 990s Searched

990 990PF

990EZ

990O

990EO

Other

(7)

The analyzed tax returns included submissions on the Form 990, the Form 990EZ, the Form 990-PF, and several schedules (such as Schedule EO and O), which are included as attachments to the Form 990. Figure 3 illustrates the relative proportions of each type of file searched by Identity Finder.

Total Number of SSNs Exposed

Based upon Identity Finder's analysis of 3.8 million Form 990s, Identity Finder estimates that more than 630,000 social security numbers have been published on Form 990s since 2001 filings.

This problem continues to get worse, as thousands of new individuals fall victim to their social security numbers being published on public Form 990s each year.

Figure 5: Total Number of SSNs Exposed Over Time

Data Breaches Originating from Form 990s

Because of the permanent and public nature of Form 990s, organizations that published SSNs should, at a minimum, notify the individuals affected by these exposures. Organizations wishing a detailed report may contact Identity Finder for more information. Figure 5 lists the number of organizations exposing a range of SSNs on nonprofit tax returns. When a nonprofit’s tax return only included one SSN, it was most likely the tax preparer’s.

SSNs Exposed Organizations Over 1,000 1 101‐1,000 17 51‐100 15 11‐50 103 2‐10 886 1 1,369

Figure 6: SSNs Exposed per Organization

Types of Organizations Exposing SSNs

A broad array of public charities, private foundations, and other non-profit organizations published SSNs on their Form 990s. These include:

 Agricultural, Youth Development  Alliance/Advocacy Organizations  Alumni Associations

 Community Foundations  Education

 Employment Procurement Assistance and Job Training

 Food Service, Free Food Distribution Programs  Fund Raising and/or Fund Distribution

 Human Service Organizations

 Mutual/Membership Benefit Organizations  Philanthropy, Voluntarism, and Grantmaking

Foundations

 Scholarships, Student Financial Aid Organizations

 Single Organization Support  Sports Training Facilities  University and Colleges

Types of Victims

Victims of these exposures generally fell into broad groups, including:

 Tax Preparers who use their SSN instead of PTIN

 Scholarship and Award Recipients  Officers, Directors and Trustees  Employees  Donors 0 100000 200000 300000 400000 500000 600000 700000

(8)

Conclusion and Recommendations

Most organizations share varying amounts of information with third parties. This information is subsequently handled by multiple individuals, computer systems, and potentially released to additional organizations or the public, purposefully or inadvertently. These copies sit on computers, in emails, and on the web. Drafts sit in email Inboxes, Sent Items, recipient email servers, sender email servers, and backup servers. Recipients detach copies and store them on their computer, in the cloud, on USB drives, and many other locations. All these places are susceptible to theft, viruses, malware, and physical loss.

According to Verizon’s 2013 Data Breach Investigations Report and other research, stored data is the source of more than ⅔ of all breaches. All organizations must engage in sensitive data management practices to protect themselves, their employees, customers, and other constituencies. Readily available tools to protect sensitive data are not used as often as they should be. Identity Finder Sensitive Data Manager’s discovery engine was used to search the Form 990s analyzed in this whitepaper. Many organizations use Identity Finder Sensitive Data Manager internally to not only discover, but also classify, remediate, monitor, and report on data. This allows them to verify that unprotected confidential information is not stored on their systems and that they are not accidentally disclosing SSNs and other sensitive data. However, many organizations and most individuals do not take steps to protect sensitive information. The only sure way to prevent your SSN from being leaked by another party is to never disclose it in the first place.

Recommendations to Individuals

 Do not place personal information (especially SSNs) on public government documents such as court documents.

 Always require anyone who asks for your SSN to justify why they need it. Never be afraid to decline to provide it.

 Individuals should not give their SSN to charities to which they donate.

 High school and college students should review the most recent Form 990 to verify that the trusts do not accidentally publish sensitive personal information.

 Most organizations no longer publish SSNs on Form 990s, though many continue to publish names and addresses. Individuals who have a former relationship with organizations that might have published SSNs should investigate whether their personal information has been exposed.

Recommendations to Non-Profit

Organizations

 High schools, colleges and universities should only advertise scholarships whose foundations do not publish student SSNs on Form 990s.  Nonprofit organizations should review their

privacy and security practices and, at a minimum, warn scholarship recipients, donors, employees or others that their names and SSNs are part of the permanent public record and that they may be at increased risk of identity fraud.

 College foundations should analyze whether exposure of student SSNs, mailing addresses, scholarship and other information on Form 990s violates provisions of the Family Educational Rights and Privacy Act of 1974.  Nonprofit organizations should make sure

their tax preparer does not publish SSNs on the Form 990.

Recommendations to Tax Preparers

 Use your PTIN rather than an SSN on tax documents.

 Do not include individuals' SSNs on Form 990 schedules and attachments.

 Search and secure old documents and emails using a data loss prevention tool such as Identity Finder to determine whether SSNs have been exposed in the past.

Recommendations to the IRS, Government

Agencies, and Private Companies

 The IRS should publish explicit guidance explaining that SSNs are not to be published on Form 990s.

 The IRS, courts, other government agencies, and private stewards of public documents should use sensitive data management tools, like Identity Finder Sensitive Data Manager, to redact sensitive personal information from public documents.

(9)

About Identity Finder

Identity Finder, LLC was founded in 2001 by innovative security experts and is headquartered in New York City. They are a global leader in security and privacy software focusing on sensitive data management. Sensitive Data Manager helps organizations discover, classify, remediate, monitor, and report on sensitive data stored within files, e-mails, desktops, servers, databases, and websites.

The company has quickly grown to become a leader in data loss prevention and identity theft prevention by helping millions of consumers, small businesses, and

enterprises in over fifty countries. Using the company's proprietary AnyFind™ technology, their flagship Sensitive Data Manager software intelligently and automatically locates social security numbers, credit card numbers, bank accounts, passwords, driver's licenses, dates of birth, and other private data that can be used to commit identity fraud. The technology searches within files, e-mails, desktops, servers, databases, websites, cloud, and system areas where people might not even realize their computer stored information. The technology also facilitates remediation through secure shredding, encrypting, redacting, or quarantining of information. Sensitive Data Manager is ideally suited for enterprises.

Copyright and Creative Commons License Notice

“Identity Finder”, the Identity Finder logo, “AnyFind”,

and “Sensitive Data Manager” are trademarks of Identity Finder, LLC.

This report, and all associated material (including images and accompanying presentations) are copyrighted by Identity Finder, LLC.8_{Other than}

Identity Finder trademarks, all material herein is licensed under a Creative Commons Attribution 3.0 Unported License.9_{Identity Finder trademarks are}

licensed for attribution purposes only.

The purpose of this report is to enrich the public discussion and encourage debate. The authors hope that academics, technologists, policy makers, the public, and the media will reuse, republish, and remix the contents of this report with attribution to Identity Finder and a link to http://www.identityfinder.com.

8_{Identity Finder, LLC’s website is http://www.identityfinder.com} 9_{The Creative Commons Attribution 3.0 Unported License may be}

(10)

Appendix A: November 15, 2013 Letter from IRS

In response to Identity Finder's prior report on social security numbers in public 990 tax documents, Amy Stanton, Director of the Office of Privacy and Information Protection at the Internal Revenue Service, sent the following letter to Aaron Titus, Chief Privacy Officer and Counsel to Identity Finder.

(11)

(12)

Appendix B: Form 990s Exposing Scholarship Recipients' SSNs

The following images are redacted screen shots of actual Form 990s from organizations awarding scholarships. All of the information, including individuals’ names and socials security numbers are (unfortunately) part of the public record.

201 Scholarship Recipients

Detailed scholarship program report in 2006, including the names, full addresses, colleges, SSNs, graduation dates and scholarship Information for 201 scholarship recipients.

426 New York High School Seniors

In addition to winning a $1,000 scholarship, these 426 New York high school seniors also had their names, full addresses, SSNs, college, and grant information published in this Form 990.

(13)

496 New York College Scholarship Recipients

In 2004, these 496 college students each received several hundred dollars in scholarships, and the scholarship foundation published their names, SSNs, full addresses, college, and payment details in its Form 990.

239 West Virginia High School Students

In 2001, this foundation was kind enough to purchase $50 bonds on behalf of 239 West Virginia high school students. Unfortunately, they also published their names, SSNs, high schools, and payment details in its Form 990.

(14)

401 Oklahoma Alumni Association Beneficiaries

In 2000, this alumni association printed the names and SSNs of 401 scholarship recipients in its annual Form 990.

721 Idaho Foundation Scholarship Winners

In 2002, this college foundation awarded tens of thousands of dollars to Idaho students, and subsequently published their names and SSNs in its annual tax return.

(15)

Appendix C: Form 990s Exposing Community Foundation Grant Recipients' SSNs

The following images are redacted screen shots of actual Form 990s from community foundations. All of the information, including individuals’ names and socials security numbers are (unfortunately) part of the public record.

379 Job Trainees

Detailed Grant Report for a Jobs Re-Training Program in 2003, Including the Names, Colleges, SSNs, and Payment Information for 379 Job Trainees.

2004 Grant Report

Detailed Grant Report for a Community Foundation in 2004, Including the Names and SSNs for 138 Scholarship Recipients.

(16)

Appendix D: Form 990s Exposing Officers, Directors, Trustees, and Employees' SSNs

The following images are redacted screen shots of actual Form 990s from nonprofit organizations which published names, addresses, or SSNs for their officers, directors, trustees, or employees. All of the information, including individuals’ names and socials security numbers are (unfortunately) part of the public record.

Hundreds of Personal 1099s

This Texas organization attached hundreds of personal 1099 forms to its 2002 tax return, each of which included a social security number and personal address. 1099 forms are used to report both business and personal income. Where a 1099 is issued to an individual, it contains a social security number and should not be publicly exposed.

New Jersey Employees

In addition to supporting child development programs, this New Jersey organization also published the names, addresses, and SSNs of its employees in 2003.

(17)

Fort Wayne, Indiana Officers and Directors

A recreation organization in Indiana published the names, home addresses, and SSNs for its officers and directors in 2004.

Reinsurance Subsidiary Directors

(18)

Home Care Board Members

A Louisiana care facility published the names, addresses, and SSNs of its board and officers.

Board of Directors in North Carolina

A Greensboro, North Carolina foundation serving persons with mental disabilities attached a list of its board of directors to its 2003 Form 990. Unfortunately, the list also included home addresses, personal phone numbers, email addresses and SSNs.