WASHINGTON, D.C. - Today, U.S. Senator Martin Heinrich (D-N.M.), joined eight of his colleagues in a letter demanding further scrutiny of the Internal Revenue Service’s (IRS) decision to award Equifax a sole-source contract to verify taxpayer identities and help prevent tax fraud despite the company’s recent disclosure of a massive cybersecurity breach exposing the personal information of as many as 145.5 million Americans, including over 860,000 New Mexicans.
“By awarding this no-bid contract, the Internal Revenue Service (IRS) is paying Equifax $7.25 million in taxpayer money to protect the very same taxpayers from an identity theft risk that Equifax helped create,” wrote the Senators. “The decision to award this contract to protect the identities of taxpayers and the integrity of federal tax dollars in light of Equifax’s recent and severe breach of the public trust is highly concerning.”
In September, Equifax disclosed a cybersecurity breach that potentially exposed the sensitive personal information of more than 145 million consumers, including Social Security numbers, home addresses, and driver’s license numbers. Equifax had known about the breach for months, but did not publicly disclose it until September. In the interest of protecting taxpayers’ money, the Senators urged IRS Commissioner John Koskinen to explain why Equifax was awarded the sole-source contract in light of this cybersecurity breach.
The letter was led by U.S. Senator Gary Peters (D-MI), Ranking Member of the Subcommittee on Federal Spending Oversight and Emergency Management, and signed by U.S. Senators Martin Heinrich (D-NM), Kirsten Gillibrand (D-NY), Mazie Hirono (D-HI), Patrick Leahy (D-VT), Bob Menendez (D-NJ), Jeff Merkley (D-OR), Patty Murray (D-WA), and Jeanne Shaheen (D-NH).
A copy of the letter is available here and below.
October 5, 2017
The Honorable John Koskinen
Commissioner Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224
Dear Mr. Koskinen:
On Thursday, September 7, the credit reporting agency Equifax announced that a cybersecurity breach potentially exposed the sensitive personal information of more than 145 million Americans. The exposed information included names, Social Security numbers, birth dates, and addresses. Equifax had known about the breach for months. For those months, 145 million Americans were left unaware that they were at greater risk for identity theft and fraud, including tax-related identity theft.
On Tuesday, ousted Equifax CEO Richard Smith testified before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection that “Equifax was entrusted with Americans’ private data and we let them down.” However, just days prior, the Internal Revenue Service awarded Equifax a $7.25 million sole-source contract to “verify taxpayer identity and to assist in ongoing identity verification and validations.” By awarding this no-bid contract, the Internal Revenue Service (IRS) is paying Equifax $7.25 million in taxpayer money to protect the very same taxpayers from an identity theft risk that Equifax helped create.
As members of the United States Senate, it is our duty to ensure prudent management of taxpayer money. The choice to award a sole-source contract to Equifax to perform any vital services requires close scrutiny. The decision to award this contract to protect the identities of taxpayers and the integrity of federal tax dollars in light of Equifax’s recent and severe breach of the public trust is highly concerning. Please answer the following questions as soon as possible and no later than October 20, 2017:
1. The Equifax contract award posted on September 30, 2017 to the Federal Business Opportunities database indicates that this no-bid contract is necessary to “cover the timeframe needed to resolve the protest” on another contract currently under negotiation. What is the timeframe for this sole-source contract and what is the scope of services covered under the contract award?
2. At least one other contract awarded under full and open competition to Equifax by the IRS for “identity verification” had an initial period of performance of one year and obligated far less in taxpayer funds. This specific award was most recently modified on August 25, 2017. How does this previous contract differ in scope and cost from the sole-source contract awarded to Equifax on September 29?
3. To what extent were the services of other companies, including the other two major credit reporting bureaus, considered during the competitive bidding process for the IRS identity verification services contract prior to the September 29 award of the temporary to Equifax? Upon resolution of Equifax’s protest filed with GAO on the competitive contract award, what will be the extent of the IRS’s financial and contractual obligations to Equifax with regard to identity verification services?
4. Was Equifax’s responsibility for creating an exposure to identity theft taken into consideration in the contract award process?
5. What metrics or oversight mechanisms are in place to measure Equifax’s ability to perform these identity verification services?
6. How much has the IRS spent on taxpayer identification services each year in fiscal years 2013–2017?
7. How much is the IRS projected to spend on taxpayer identification services in fiscal year 2018?
8. To what extent have federal workforce and budget reductions in recent years increased the IRS’s reliance on contractors to perform taxpayer identity verification services to reduce tax fraud?
We appreciate your attention to this matter and look forward to your prompt response.