Donors to charities, staff at nonprofits, and scholarship recipients should be wary about sharing their Social Security numbers with tax-exempt organizations whose returns become part of the public record, says a new white paper.
Donors to charities, staff at nonprofits, and scholarship recipients should be wary about sharing their Social Security numbers (SSNs) with tax-exempt organizations whose returns become part of the public record, says a new study published by a data loss prevention company.
The New York-based company Identity Finder says a review of millions of IRS 990 forms contained more than 170,000 unique SSNs, putting individuals at increased risk for identity fraud.
Tax forms for charities and nonprofits are public record and 990 forms are marked “Open to Public Inspection.” And although the practice of including SSNs on these public tax documents is decreasing, Identity Finder found that between 2001 and 2006, 18 percent of all nonprofits included at least one SSN on a 990. Thousands of the SSNs belonged to high school and college scholarship recipients, board members, and employees. In 2001, 16 percent of 990s contained at least one SSN. By 2006, the percentage decreased to 6.8.
In all, Identity Finder found that 132,362 nonprofits published a total of 472,866 SSNs on tax returns – 171,005 were unique. The organizations included community foundations, free-food distribution programs, volunteer organizations, scholarship organizations, universities and colleges, and alumni associations. Some organizations published no identifying information at all, but others published SSNs along with names, addresses, and detailed transaction information.
Based on the U.S. Government Accountability Office definition of data breaches—an organization’s unauthorized or unintentional exposure, disclosure, or loss of sensitive personal information—76,799 organizations had a data breach on their 990 forms, according to the Identity Finder report. Identity Finder was mid-way into the study when the first breach notification law came into effect, so it’s not clear whether any of these exposures constitute data breaches under state or federal law, the report states.
In its study, Identity Finder did not contact any of the owners of exposed SSNs to see if they had been victims of identity theft in the last few years, but “there’s a lot of things that can happen when you have someone’s name, address, and Social Security number,” Identity Finder CEO Todd Feinman said by phone on Monday. “With Social Security numbers and the full name that are in these reports, someone that wanted to commit identity fraud could use that information to open up a credit card, open up mortgages, and claim tax return refunds.”
From 2001 to 2011, one unnamed West Coast community development nonprofit published the full names, addresses, SSNs, and payment information for 2,901 recipients, according Identity Finder’s report. Community development programs invest in a number of projects including childcare, sheltering victims of domestic violence, job training, and healthcare.
A recent bulletin from the National Gang Intelligence Center warned of prison gangs seeking tax information to file fraudulent tax returns . Individual gang members will initially file false returns using their own information, operations have expanded to include identity thief of people on the outside—with and without their consent.
Recommendations from Identity Finder are aimed toward nonprofits, their supporters, and the IRS, warning recipients of funding to check whether SSNs are published and calling for organizations to stop including SSNs on tax documents. It also suggests organizations warn those whose numbers have been published. Additionally, “the IRS should publish explicit guidance explaining that SSNs are not to be published on Form 990s,” the report says.
On its Web site, Identity Finder provides a tool to search nonprofits to see if their tax returns contain SSNs. Of the first 25 domestic violence-centered nonprofits listed on Guidestar.org, the online database of nonprofit data, only three contained two or more SSNs from 2001 to 2006.
When using the online tool, anything less than six results is most likely a tax preparer, Feinman said. “Seven or more means there’s a chance there was probably something else going on there.” The SSNs exposed the most were those of tax preparers and scholarship recipients.
photo by Victor1558/flickr