Scam of the day – July 16, 2013 – IRS data breach

As I often say, the security of your private information, which in the wrong hands can make you a victim of identity theft, is only as strong as the security of the weakest entity that holds your information. Unfortunately, this was again proven to be correct when it was recently learned that the IRS made available for public viewing forms filed by charitable organizations known as 527s, named after Section 527 of the Internal Revenue Code, which grants them their tax-exempt status. There are thousands of 527s, such as the American Dental Association, which are organizations that are tax-exempt, but donations to them are not tax-deductible. These forms listed contributors to the 527s by name and also included the Social Security numbers of tens of thousands of these contributors, thereby putting them at great risk of identity theft. The IRS has removed these forms from its website, but it may be too late for many of the people whose personal information was posted for the world to see by the IRS.

The fault for this serious breach lies with both the IRS and the 527s themselves. The 527s are told by the IRS not to include Social Security numbers on the forms listing donors that are posted publicly, but some still continue to do so, putting their donors at serious risk of identity theft. However, the IRS is also at fault for not checking the forms before making them available online to anyone who wanted to see them. Data breaches are bad enough when they are caused by the invasive actions of identity thieves and hackers, but when they are caused by the sheer negligence of the holders of our data, it is inexcusable.

TIPS

Specifically, if you make a donation to a 527, make sure that they do not provide your Social Security number on forms that will be made public. Generally, you should always ask any company or entity that holds your personal information what they do to protect the security of your information, and limit the places that hold such information to only those entities that truly need it. For instance, I was asked by a doctor for my Social Security number although he did not need it. I refused and offered him my driver's license number, which he agreed to accept and which posed no risk of identity theft in the event of a data breach.