Menendez Joins Colleagues in Letters Demanding IRS Rescind Contract with Equifax and Provide Explanation for the Contract Award

Menendez Joins Colleagues in Letters Demanding IRS Rescind Contract with Equifax and Provide Explanation for the Contract Award


WASHINGTON, D.C. – U.S. Senator Bob Menendez (D – N.J.) joined U.S. Senators Gary Peters (D – Mich.) and Jon Tester (D – Mont.) in sending letters to the Internal Revenue Service (IRS) demanding an explanation for a decision to award a $7 million sole-source contract to Equifax, and urging the IRS to rescind the contract in light of the revelation that Equifax’s widespread cybersecurity breach exposed the personal financial information of over 145 million Americans.

“As members of the United States Senate, it is our duty to ensure prudent management of taxpayer money,” the Senators wrote in one letter to IRS Commissioner, John Koskinen. “The choice to award a sole-source contract to Equifax to perform any vital services requires close scrutiny. The decision to award this contract to protect the identities of taxpayers and the integrity of federal tax dollars in light of Equifax’s recent and severe breach of the public trust is highly concerning.”

The cybersecurity breach, which exposed consumer’s birth dates, addresses, and Social Security numbers began in Mach and lasted through the end of July when it was discovered by Equifax, one of the top credit reporting agencies. The hackers also stole credit card information from about 209,000 people. The lawmakers argued in their letters that the company should not receive any taxpayer money while there is an ongoing investigation into the breach.

“There is also an ongoing investigation into reports that certain executives may have committed insider-trading violations prior to the companies’ public disclosure of the incident,” the Senators wrote in a second letter to Mr. Koskinen. “It is inappropriate to commit to send this company American taxpayer dollars while this and other investigations and reviews continue.”

Menendez was joined in signing one letter by U.S. Senators Gary Peters (D – Mich.) Kirsten Gillibrand (D-N.Y.), Martin Heinrich (D-N.M.), Mazie Hirono (D-Hawaii), Patrick Leahy (D-Vt.), Jeff Merkley (D-Ore.), Patty Murray (D-Wash.), and Jeanne Shaheen (D-N.H.). Menendez was joined in signing the second letter by Senators Jon Tester (D-Mont.), Tim Scott (R-S.C.), Sherrod Brown (D-Ohio), Jack Reed (D-R.I.), Heidi Heitkamp (D-N.D.) and Chris Van Hollen (D-Md.)

The full text of the letters are below. 

 

October 5, 2017

The Honorable John Koskinen

Commissioner

Internal Revenue Service

1111 Constitution Avenue, NW

Washington, DC 20224

Dear Mr. Koskinen:

On Thursday, September 7, the credit reporting agency Equifax announced that a cybersecurity breach potentially exposed the sensitive personal information of more than 145 million Americans.  The exposed information included names, Social Security numbers, birth dates, and addresses.  Equifax had known about the breach for months.  For those months, 145 million Americans were left unaware that they were at greater risk for identity theft and fraud, including tax-related identity theft.

On Tuesday, ousted Equifax CEO Richard Smith testified before the House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection that “Equifax was entrusted with Americans’ private data and we let them down.”   However, just days prior, the Internal Revenue Service awarded Equifax a $7.25 million sole-source contract to “verify taxpayer identity and to assist in ongoing identity verification and validations.”   By awarding this no-bid contract, the Internal Revenue Service (IRS) is paying Equifax $7.25 million in taxpayer money to protect the very same taxpayers from an identity theft risk that Equifax helped create.

As members of the United States Senate, it is our duty to ensure prudent management of taxpayer money.  The choice to award a sole-source contract to Equifax to perform any vital services requires close scrutiny.  The decision to award this contract to protect the identities of taxpayers and the integrity of federal tax dollars in light of Equifax’s recent and severe breach of the public trust is highly concerning.  Please answer the following questions as soon as possible and no later than October 20, 2017:

  1. The Equifax contract award posted on September 30, 2017 to the Federal Business Opportunities database indicates that this no-bid contract is necessary to “cover the timeframe needed to resolve the protest” on another contract currently under negotiation.   What is the timeframe for this sole-source contract and what is the scope of services covered under the contract award?
  2. At least one other contract awarded under full and open competition to Equifax by the IRS for “identity verification” had an initial period of performance of one year and obligated far less in taxpayer funds. This specific award was most recently modified on August 25, 2017.   How does this previous contract differ in scope and cost from the sole-source contract awarded to Equifax on September 29?
  3. To what extent were the services of other companies, including the other two major credit reporting bureaus, considered during the competitive bidding process for the IRS identity verification services contract prior to the September 29 award of the temporary to Equifax? Upon resolution of Equifax’s protest filed with GAO on the competitive contract award, what will be the extent of the IRS’s financial and contractual obligations to Equifax with regard to identity verification services?
  4. Was Equifax’s responsibility for creating an exposure to identity theft taken into consideration in the contract award process?
  5. What metrics or oversight mechanisms are in place to measure Equifax’s ability to perform these identity verification services?
  6. How much has the IRS spent on taxpayer identification services each year in fiscal years 2013–2017?
  7. How much is the IRS projected to spend on taxpayer identification services in fiscal year 2018?
  8. To what extent have federal workforce and budget reductions in recent years increased the IRS’s reliance on contractors to perform taxpayer identity verification services to reduce tax fraud?

We appreciate your attention to this matter and look forward to your prompt response. 

 

October 4, 2017

 

The Honorable John Koskinen
Commissioner, Internal Revenue Service
Department of the Treasury
1111 Constitution Avenue, NW
Washington, DC 20224

Dear Commissioner Koskinen:

            As members of the Senate Banking Committee, we write today with great concern about a contract the Internal Revenue Service (IRS) awarded to Equifax Information Services LLC on September 29, 2017. This contract, award number – TIRNO17K00497 – was issued by the IRS to Equifax “to verify taxpayer identity and to assist in ongoing identity verification and validations needs of the Service.” It is our understanding that this contract was issued as a sole source order and that the IRS will pay Equifax $7,251,968 in taxpayer funds to provide these verification services. While we understand the IRS’s need to verify taxpayer identities to help support the IRS’s core mission and help it ensure that tax returns and refunds are properly administered, we strongly urge you to rescind this contract and look for other ways to verify taxpayers’ identities.

            Given the recent cyber-attack at Equifax, it is unfathomable how the IRS could knowingly issue a multi-million-dollar contract to a company that carelessly handled the personal information of more than 145 million Americans, putting their identities and personal financial wellbeing at risk. Nearly one-half of the entire population of our nation was impacted by the Equifax breach and we have no assurances that our constituents’ personal information is safe in their hands.

           After learning of the cyber-attack, Equifax executives waited days to notify law-enforcement of the hack and brazenly kept the breach from their primary regulators and the American public for nearly six weeks. There is also an ongoing investigation into reports that certain executives may have committed insider-trading violations prior to the companies’ public disclosure of the incident. It is inappropriate to commit to send this company American taxpayer dollars while this and other investigations and reviews continue.

            These actions prove that the IRS should immediately rescind this contract and look for ways to address its needs without putting taxpayers’ information at risk. The IRS’ contract award to Equifax shows clear disregard for the millions of Americans who had their personal information carelessly stolen from Equifax, and we hope you reconsider this matter. We appreciate you hearing our request. We look forward to hearing from you in a timely manner.