Taxpayer First Act - Cybersecurity and Identity Protections

Public-private partnership to address refund fraud (Section 2001)

The Act formalizes the IRS' ongoing Security Summit efforts to work collaboratively with the public and private sectors to protect taxpayers from identity theft refund fraud.


Electronic Tax Administration Advisory Committee (Section 2002)

The Act formalizes the changes made to Electronic Tax Administration Advisory Committee's (ETAAC) charter: ETAAC will study and make recommendations to IRS about additional ways to prevent identity theft and refund fraud.


Information Sharing and Analysis Center (Section 2003)

The Act authorizes IRS to participate in the Information Sharing and Analysis Center (ISAC). The Act allows the IRS to disclose certain return information to ISAC participants if the information helps with:

  • detecting or preventing identity theft tax refund fraud;
  • validating a taxpayer's identity;
  • authenticating taxpayer returns, or
  • detecting or preventing cybersecurity threats to IRS.


Confidentiality safeguards for federal, state contractors (Section 2004)

In the future, the IRS will not be able to provide taxpayer information to any contractors or other agents of a federal, state or local agency, unless the contractor is able to protect the confidentiality of return information and they agree to conduct on-site compliance reviews every three years. The federal, state or local agency is required to submit a report of its findings to IRS and certify every year that their contractors and other agents are meeting the requirements to protect the confidentiality of tax return information.

Identity Protection Personal Identification Numbers (Section 2005)

The Act requires the Secretary to establish a program to issue an IP PIN to any U.S. resident who requests one. Additionally, the Act requires the Secretary to expand the issuance of IP PINs every year to people living in states that IRS determines are appropriate, as long as the number of states served by the program continues to increase.


Point of contact for identity theft victims (Section 2006)

The Act requires IRS to establish single-point-of contact procedures for taxpayers whose tax return processing has been delayed or negatively affected by tax-related identity theft. The contact will track the taxpayer's case to completion and coordinate with other IRS employees to resolve case issues as quickly as possible.


Notification of suspected identity theft (Section 2007)

Effective January 1, 2020, the Act requires IRS to notify a taxpayer:

  • If it finds any suspected unauthorized use of a taxpayer's identity, or the identity of any of the taxpayer's dependents,
  • If the IRS has initiated an investigation of the suspected identify theft and the status of the investigation,
  • Whether the investigation proved unauthorized use of the taxpayer's identity, and
  • Whether any action has been taken (such as a referral for prosecution).

Also, when an individual is charged with identity theft, IRS must notify the victim as soon as possible, giving them the ability to pursue civil action against the suspect.

In this case, the unauthorized use of someone's identity includes when it is used to obtain employment.


IRS management of stolen identity cases (Section 2008)

The Act requires that IRS, in consultation with the National Taxpayer Advocate (NTA), develop and implement publicly available caseworker guidelines that reduce the administrative burdens for victims of identity theft tax refund fraud (IDTTRF) as they work with IRS to sort out their tax issues. These guidelines must be implemented no later than July 2, 2020 and may include procedures to reduce the:

  • amount of time victims would wait to receive their tax refunds,
  • the number of IRS employees with whom victims would need to interact, and
  • the timeframe to resolve the issues related to the IDTTRF.


Improper disclosure by return preparers (Section 2009)

The Act increases the civil penalty for the unauthorized disclosure or use of information by tax return preparers. The former penalty was $250 and the new amount is$1,000. The penalty applies to cases in which the disclosure or use is made in connection with a crime relating to the misuse of another person's taxpayer identity ("taxpayer identity theft").

The Act also increases the calendar year limit from $10,000 to $50,000. The calendar year limit is applied separately with respect to disclosures or uses made in connection with taxpayer identity theft.

The Act also increases the criminal penalty for knowing or reckless conduct to $100,000 in the case of disclosures or uses in connection with taxpayer identity theft.


Limit on re-disclosures of consent-based disclosures (Section 2202)

Section 2202 of the Taxpayer First Act amended the provisions of IRC section 6103(c) by adding the following language: "Persons designated by the taxpayer under this subsection to receive return information shall not use the information for any purpose other than the express purpose for which consent was granted and shall not disclose return information to any other person without the express permission of, or request by, the taxpayer."

This provision limits the redisclosure and use of return information in the case of taxpayers who have consented to the disclosure of their return information by the Internal Revenue Service to a third party under IRC section 6103(c). Section 2202 of the Taxpayer First Act applies only to disclosures made by the Internal Revenue Service after December 28, 2019, and any subsequent redisclosures and uses of such information disclosed by the Internal Revenue Service after December 28, 2019.


Do you have feedback you’d like to share as we continue to implement the Taxpayer First Act? Please send it to

Privacy Notice: To ensure your privacy, the IRS strongly discourages you from sending sensitive personally identifiable information to us by email, such as your Social Security number or tax account information or bank account information. For assistance, please contact us by telephone, fax, or mail.