The Internal Revenue Service (IRS) issued notification letters earlier this year to victims of a former IRS contractor, Charles Littlejohn, who illegally accessed and stole the tax return information of thousands of companies and individuals. Those notices raised questions among recipients as to the information Littlejohn may have disclosed. In mid-December, the IRS began issuing a second round of notification letters. Although the second notices offered slightly more detail as to what information was disclosed, confusion and questions remain for impacted taxpayers on the potential ramifications of the unauthorized disclosure and their rights as crime victims under federal law.
As we discussed in our prior LawFlash, the victim notification letters that the IRS mailed out in April (First Notices) outlined general information about the breach and summarized the taxpayers’ rights as victims, providing instructions on how to seek additional details. Ultimately, the IRS sent First Notices to more than 70,000 companies and individuals that the IRS determined had been impacted by Littlejohn’s criminal conduct. However, these First Notices contained no details regarding the data that Littlejohn had disclosed—for example, what specific documents, what specific information, or pertaining to what time period—which has caused frustration for many recipients.
In the First Notice, victims were advised to contact the IRS at a dedicated email (notification.7431@irs.gov) for more detailed information. However, due to the volume of inquiries and the complexity of verifying identities securely, the IRS’s responses were neither swift nor much more informative.
On May 10, 2024, the IRS issued a statement denouncing Littlejohn’s conduct and acknowledging the agency’s legal obligation to preserve and protect taxpayer information, posting it on the IRS website and sending it to victims who previously had reached out to the IRS via the dedicated email address.
Possibly in response to complaints about the IRS’s delay in sending out the First Notices—six months after Littlejohn had pled guilty in October 2023 and four months after he had been sentenced to five years’ incarceration in January 2024—the IRS stated that it had not received affected taxpayer data until February 2024. According to the statement, the IRS was working with the US Treasury Inspector General for Tax Administration (TIGTA) to process and review that data.
While the IRS did not know “the full scope of the specific information that Mr. Littlejohn unlawfully exposed,” the agency committed that it would provide further correspondence pursuant to Section 7431 of the Internal Revenue Code with the updates to its investigation. The IRS also noted that it was “continuing to contact any additional impacted taxpayers that [it] identifies” and that it would provide periodic updates as additional information becomes available. There was nothing in the statement regarding specifically what information Littlejohn had disclosed.
In a statement issued on June 25, 2024 in connection with the resolution of a taxpayer victim’s civil lawsuit against the IRS in the US District Court for the Southern District of Florida, the IRS apologized to the taxpayer and the “thousands of other Americans whose personal information was leaked.” The IRS also noted that it continues to work with TIGTA and other government agencies and independent third parties to assess its systems for potential vulnerabilities.
It was months later, and only in response to letters from certain victims demanding details about Littlejohn’s disclosure, that the IRS provided specifics to those particular victims about what information had been disclosed, including the specific tax form and years impacted.
In mid-December 2024, the IRS began issuing a second tranche of notification letters (Second Notice), which, while containing much of the same information, were formatted somewhat differently than the First Notices. Identified as “IRS Notice CP118,” the Second Notice states that the “Government’s analysis of the material received from [Littlejohn] indicates that the recipient’s information that was disclosed was narrow in scope and limited to information returns (e.g., Forms 1099, Schedule K-1, etc.) issued by the [recipient] to a taxpayer, including issuer/recipient Taxpayer Identification Numbers (Social Security Number (SSN) and Employer Identification Number (EIN)), name, address, and other information from the information returns,” and that the IRS is notifying all issuers and recipients of the information returns.
Individuals and entities receiving the Second Notice were not identified previously as victims and thus were not part of the 70,000 or more recipients of the First Notice. Rather, the IRS identified these victims while processing the stolen information, during which the IRS was able to more completely and accurately determine the full scope of the disclosure and pinpoint the businesses and individuals that were impacted.
As compared to tens of thousands that received the First Notice, the Second Notice eventually will go to hundreds of thousands of newly identified victims. It is unclear whether everyone received the Second Notice dated the same day (December 16, 2024) or whether there will be ongoing notifications in the coming weeks.
The Second Notice continues to advise recipients to direct questions for the IRS to notification.7431@irs.gov and/or to review the material posted on the IRS’s website (IRS.gov/DataDisclosure). Similarly, the Second Notice reiterates the web address for information from the US Department of Justice (DOJ) regarding the Crime Victims’ Rights Act (CVRA) and the status of the Littlejohn criminal case and a DOJ email address for related questions.
For those affected, the priority should be to ascertain precisely what was disclosed so as to be able to analyze potential next steps, including possible related obligations. Since the Second Notice does not contain that information, victims should consult their tax advisor about the best method for obtaining it. Victims also should continue to monitor communications from the IRS and other authorities for updates and guidance. Finally, victims should be aware of their specific rights under the CVRA and consider engaging with DOJ either directly or through counsel to invoke and satisfy those rights.
While it appears from the language of the Second Notice that the recipients had only a limited amount of their taxpayer information disclosed, such as a single Form 1099 they issued as a payor to a payee, and were not the target of Littlejohn’s activities, the recipients still would need to obtain further information from the IRS to confirm.
As was the case with the First Notice, the Second Notice may present possible identity theft issues for recipients, and recipients should act accordingly. Once a recipient determines what tax information Littlejohn stole and disclosed, to the extent it included personal information (e.g., Social Security Numbers), the recipient should evaluate the possibility of tax-related identity theft resulting from such disclosure and assess whether to take steps to protect against further exposure to tax identity theft.
Additionally, companies should consider potential notice obligations under applicable laws and contracts. This analysis, however, will depend substantially on what specific information was disclosed and the extent to which relevant individuals already have received notice of the issue directly from the IRS.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following: