In a review of almost three million tax returns and other formsfiled by non-profits between 2001 and 2006, Identity Finder discovered 132,362 charities and non-profits filed 990s exposing a total of 472,866 Social Security numbers – 171,005 of which were unique.
About 18 percent of all non-profit tax returns included at least one Social Security number, at least 35 percent of the time, one of the SSNs on the tax documents was that of the accountant or other tax preparer, who identified themselves using the number.
"Unlike a credit card number, Social Security numbers cannot easily be revoked," according to a statement from Todd Feinman, CEO of Identity Finder. "Given the seriousness and ubiquity of identity fraud, tax preparers should avoid including SSNs on Form 990s."
One West-Coast charity published the names, addresses, SSNs and payment amounts for 2,901 people, the most complete breach in the list.
According to General Accountability Office definitions, the 990 forms for 76,799 organizations qualify as data breaches, though laws requiring organizations reveal data breaches, Security Management points out.
The magazine also points out the additional risks tax data breaches pose. The National Gang Intelligence Center, for example, warns that prison gangs have been requesting public tax information as a way to create fake tax returns that can be filed by accomplices on the outside, netting the gang a significant source of cash from tax returns.
Identity Finder recommended that donors leave their SSNs off documents whenever possible and ask non-profits or anyone else to justify their request for the number before providing it.
Non-profits shouldn't put SSNs of donors on their own tax documents and should check
Tax preparers, who should probably know better anyway, should identify themselves using Preparer Tax Identification Numbers (PTIN) rather than SSNs.
Unfortunately, the other recommendations have less chance of being honored. Among them is the suggestion the IRS and courts should only provide copies of IRS form 990s with the SSNs blacked out and that the IRS should publish updates that say explicitly SSNs are not required on form 990 and should not be included.
The vendor also put up a web tool that can tell you if any SSNs from your company are among those that could have fallen into the wrong hands.
It doesn't work for individuals, because it would require they type in their own SSNs, exposing them further.
To use the tool, type in your company's Employer ID Number and hit Enter.