Hackers obtained the tax returns and personal information of approximately 104,000 taxpayers in a recent cyberattack on the Internal Revenue Service (IRS).

The IRS attacks highlight a need for greater scrutiny of how the IRS protects taxpayer information, according to housing watchdog Ken Harney. Specifically, Harney takes to task the potential holes in the security screening of mortgage brokers and lenders who request tax records through the IRS’s Income Verification Express Service (IVES). [See the IRS Statement on the ‘Get Transcript’ Application]

Harney is onto something here. The IRS needs to retool some of its security procedures to keep pace with increased reliance on IRS digital information by others and the corresponding sophistication of cyberattacks.

While big hacks always make headlines, identity theft for brokers and agents doesn’t always involve a massive theft operation. Security is an issue for smaller operators as well as huge government agencies.

In California, real estate brokers and agents frequently have sensitive information in their client files. A broker running a property management company collects Social Security numbers, addresses and credit card data to run credit checks on potential tenants. In a sale transaction, real estate brokers, escrow officers and title companies collect the seller’s Social Security number for income tax information. [See first tuesday Form 301]

Informing colleagues and clients of the potential vulnerability is a start. However, employing brokers need to consider a screening policy to ensure their own agents properly manage personal information of clients.

Brokers need to lock up paper file storage and secure digital files with a series of encryptions or passwords. Any agent in contact with confidential documents needs to be instructed to get the documents to the appropriate colleague or provider, all part of broker oversight.

Brokers and agents who engage in mortgage loan origination (MLO) or mortgage loan brokerage (MLB) need to be aware of federally established “red flag” rules. These are situations which indicate a possible identity theft, such as discrepancies in client information, like:

• mismatched Social Security numbers and associated information;
• omitted information or incomplete application forms;
• suspect distances between the client’s location, place of employment and the mortgage property;
• multiple mortgages issued to the same client in a short period of time; and
• inconsistencies in the client’s mortgage application and tax return transcript. [For a comprehensive list of red flags for mortgage application fraud and identity theft, see Freddie Mac’s Fraud Prevention Resources.]

When a security breach occurs, brokers and agents are required by California law to issue notice of the breach to clients and report the occurrence to the appropriate law enforcement channels. The California Office of Privacy Protection provides a thorough guide to approaching data security and responding to a breach.

Editor’s note — A more in-depth discussion of federal Red Flags Rules will follow in the coming weeks. Stay tuned!

Re: “The IRS data breach may prove worrisome for those seeking a mortgage,” from The Washington Post