Here we go again. Another massive cyber crime exposing millions of Americans to global identify theft, at a cost to taxpayers to now provide fraud monitoring to those victims.
This week’s target – South Carolina’s Department of Revenue database. The breach, reportedly perpetrated by an individual operating out of the Soviet Union, exposed the personal information, including names, addresses, social security numbers, debit card and credit card numbers, and earnings information, of over 3.5 million taxpayers. Anyone who has filed a tax return in South Carolina since 1998 purportedly has been exposed.
I was under the belief that taxing authorities maintained seven years of taxpayer information, which would have only exposed South Carolina filers from 2005 forward. That appears not to be the case. One could wonder why any taxing authority needs to maintain detailed data going back 15 years, especially since the IRS record retention schedule only requires taxpayers to maintain copies of filed tax returns for the prior 3 – 7 years.
Per Publication 552:
How Long To Keep Records
You must keep your records as long as they may be needed for the administration of any provision of the Internal Revenue Code. Generally, this means you must keep records that support items shown on your return until the period of limitations for that return runs out.
The period of limitations is the period of time in which you can amend your return to claim a credit or refund or the IRS can assess additional tax. Table 3 contains the periods of limitations that apply to income tax returns. Unless otherwise stated, the years refer to the period beginning after the return was filed. Returns filed before the due date are treated as being filed on the due date.
Table 3. Period of Limitations
| IF you… | THEN the period is… |
|
| 1 | Owe additional tax and (2), (3), and (4) do not apply to you | 3 years |
| 2 | Do not report income that you should and it is more than 25% of the gross income shown on your
return |
6 years |
| 3 | File a fraudulent return | No limit |
| 4 | Do not file a return | No limit |
| 5 | File a claim for credit or refund after you filed your return | The later of 3 years or 2 years after tax was paid. |
| 6 | File a claim for a loss from worthless securities | 7 years |
“Going Green”, “Cloud” computing, paperless, cellular banking, picture depositing checks… the latest trends in conducting business and banking. Each of these developments and “improvements” under today’s societal pressures of instant and constant access, convenience and connectivity are creating more and more exposure to global threats. It remains unclear whether any internal controls can be implemented to truly prevent breaches similar to South Carolina’s from occurring through these “improved” means of conducting business.
The question I ponder is this – wasn’t there less risk and fewer crimes of this nature when these “improved” systems were not available. Have we really gained anything through implementing these “improvements” in our daily lives? Cost savings are typically behind implementing these “improvements,” but is the true cost savings really known when daily global threats are hacking away to gain access.
Sadly I predict that these events will only continue and become even more commonplace as more and more “improvements” are developed, exposing information that historically was maintained within secured means to world-wide access.
Here are two links to the South Carolina breaches:
http://www.computerworld.com/s/article/9232965/South_Carolina_breach_exposes_3.6M_SSNs
http://www.computerworld.com/s/article/9233074/S.C._governor_s_post_breach_data_encryption_claims_are_off_base_analysts_say