WASHINGTON, D.C. – Oregon’s Senator Jeff Merkley on Thursday joined eight of his Senate colleagues in demanding further scrutiny of the Internal Revenue Service’s decision to award Equifax a sole-source contract to verify taxpayer identities and help prevent tax fraud, despite the company’s recent and severe security breach that exposed the personal information of more than 145 million Americans.
“By awarding this no-bid contract, the Internal Revenue Service (IRS) is paying Equifax $7.25 million in taxpayer money to protect the very same taxpayers from an identity theft risk that Equifax helped create,” the senators wrote to IRS Commissioner John Koskinen. “The decision to award this contract to protect the identities of taxpayers and the integrity of federal tax dollars in light of Equifax’s recent and severe breach of the public trust is highly concerning.”
In September, Equifax, one of the nation’s three major credit reporting firms, announced that more than 145 million American consumers may have had their Social Security numbers and other sensitive information stolen in a massive hack of Equifax’s computer systems. Equifax had known about the breach for months, but did not publicly disclose it until September. In an op-ed published Sept. 15, Merkley called for immediate action to ensure consumers don’t have to pay the price for Equifax’s mistake.
In the interest of protecting taxpayers’ money, the senators urged the IRS commissioner to explain why Equifax was awarded the sole-source contract in light of this cybersecurity breach.
Joining Merkley on the letter were U.S. Senators Gary Peters (D-MI), Kirsten Gillibrand (D-NY), Martin Heinrich (D-NM), Mazie Hirono (D-HI), Patrick Leahy (D-VT), Bob Menendez (D-NJ), Patty Murray (D-WA), and Jeanne Shaheen (D-NH).
Full text of the letter can be found below:
October 5, 2017
The Honorable John Koskinen
Internal Revenue Service
1111 Constitution Avenue, NW
Washington, DC 20224
Dear Mr. Koskinen:
On Thursday, September 7, the credit reporting agency Equifax announced that a cybersecurity breach potentially exposed the sensitive personal information of more than 145 million Americans. The exposed information included names, Social Security numbers, birth dates, and addresses. Equifax had known about the breach for months. For those months, 145 million Americans were left unaware that they were at greater risk for identity theft and fraud, including tax-related identity theft.
On Tuesday, ousted Equifax CEO Richard Smith testified before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection that “Equifax was entrusted with Americans’ private data and we let them down.” However, just days prior, the Internal Revenue Service awarded Equifax a $7.25 million sole-source contract to “verify taxpayer identity and to assist in ongoing identity verification and validations.” By awarding this no-bid contract, the Internal Revenue Service (IRS) is paying Equifax $7.25 million in taxpayer money to protect the very same taxpayers from an identity theft risk that Equifax helped create.
As members of the United States Senate, it is our duty to ensure prudent management of taxpayer money. The choice to award a sole-source contract to Equifax to perform any vital services requires close scrutiny. The decision to award this contract to protect the identities of taxpayers and the integrity of federal tax dollars in light of Equifax’s recent and severe breach of the public trust is highly concerning. Please answer the following questions as soon as possible and no later than October 20, 2017:
1. The Equifax contract award posted on September 30, 2017 to the Federal Business Opportunities database indicates that this no-bid contract is necessary to “cover the timeframe needed to resolve the protest” on another contract currently under negotiation. What is the timeframe for this sole-source contract and what is the scope of services covered under the contract award?
2. At least one other contract awarded under full and open competition to Equifax by the IRS for “identity verification” had an initial period of performance of one year and obligated far less in taxpayer funds. This specific award was most recently modified on August 25, 2017. How does this previous contract differ in scope and cost from the sole-source contract awarded to Equifax on September 29?
3. To what extent were the services of other companies, including the other two major credit reporting bureaus, considered during the competitive bidding process for the IRS identity verification services contract prior to the September 29 award of the temporary to Equifax? Upon resolution of Equifax’s protest filed with GAO on the competitive contract award, what will be the extent of the IRS’s financial and contractual obligations to Equifax with regard to identity verification services?
4. Was Equifax’s responsibility for creating an exposure to identity theft taken into consideration in the contract award process?
5. What metrics or oversight mechanisms are in place to measure Equifax’s ability to perform these identity verification services?
6. How much has the IRS spent on taxpayer identification services each year in fiscal years 2013–2017?
7. How much is the IRS projected to spend on taxpayer identification services in fiscal year 2018?
8. To what extent have federal workforce and budget reductions in recent years increased the IRS’s reliance on contractors to perform taxpayer identity verification services to reduce tax fraud?
We appreciate your attention to this matter and look forward to your prompt response.