More and more, it seems, no good deed goes unpunished.
Take the revelation this week by Identity Finder that nearly a fifth of nonprofits between 2001 and 2006 published the social security numbers of donors, scholarship recipients, tax preparers, directors, employees and trustees on their tax returns, which are open to the public.
Identity Finder’s report analyzed sensitive information, such as SSNs, contained in nearly 3 million IRS Form 990 tax returns, which tax-exempt organizations file each year.
Social Security numbers are not required on the form, but Identity Finder found that 132,362 charitable groups published 472,866 SSNs—171,005 of them unique.
Between 2001 and 2006, more than 18% of all nonprofits or their tax preparers published at least one SSN on their public tax return. In all, 287,238 Form 990 returns contained at least one SSN.
Identity Finder noted in a statement that all Form 990s are “open to public inspection” and are regularly published by the IRS and multiple third parties.
It found that at least 35% of the total SSNs belonged to tax preparers who identified themselves by their SSN instead of preparer tax identification number.
“Organizations and tax preparers must understand the risks of including social security numbers on public documents, such as the IRS 990 form,” Todd Feinman, Identity Finder’s chief executive, said in the statement. “Unlike a credit card number, social security numbers cannot easily be revoked. Given the risks of identity theft, tax preparers should avoid including SSNs on 990 forms.”
In its report, Identity Finder issued guidance to individuals and charitable organizations:
- Nonprofits that have published SSNs should alert those affected that they may be at increased risk of identity fraud.
- Organizations should avoid placing personal information, especially SSNs, on public documents such as Form 990s and court documents.
- College foundations should determine whether exposure of student PII, or personally identifiable information, on tax returns violates provisions of the Family Educational Rights and Privacy Act of 1974.
- Donors should not provide their SSN to charities.
- Scholarship applicants should review the most recent Form 990 of any foundation prior to applying to verify that it does not publish SSNs.
- Individuals should always require any organization to justify a request for SSN.
- Tax preparers should supply their PTIN rather than their SSN on tax documents.
- Tax preparers should ensure that no PII is unnecessarily disclosed on IRS forms they approve.
- The IRS should publish explicit guidance explaining that SSNs are not to be published on Form 990s.
- The IRS and other stewards of past 990 filings should provide only redacted copies of the forms.
- The IRS, courts and private stewards of public documents should use data loss prevention and data discovery software to prevent the disclosure of PII on documents made public.