Senator sues Booz Allen over IRS data breach tied to contractor safeguards
Richard Lynn Scott v. Booz Allen Hamilton Inc., USDC for the Middle District of Florida, No. 2:26-cv-00845.
Senator Richard Scott is seeking damages from an IRS contractor, alleging that the largest known tax data leak resulted from systemic failures in contractor safeguards rather than the actions of a single employee.
Filing
The filing alleges negligence, privacy violations, and vicarious liability on the part of Booz Allen, as well as intentional misconduct by the employee responsible for the disclosures.
Why It Matters
Shifts focus from individual misconduct to system failure
The complaint reframes the IRS data leak as a failure of contractor controls, not just a criminal act by a single employee.
Contractor liability is now front and center
If successful, this theory expands the liability exposure of firms that access taxpayer data under §6103(n).
Treasury’s contract termination becomes key evidence
The January 2026 termination of Booz Allen contracts is positioned as an official acknowledgment of inadequate safeguards.
Signals scrutiny of the IRS outsourcing model
The case highlights structural risk in granting private contractors broad access to sensitive tax data.
Key Facts
Plaintiff: U.S. Senator Richard Scott.
Defendants: Booz Allen Hamilton and former employee Charles Littlejohn.
Timeframe of alleged misconduct: 2018–2021.
Scope: Hundreds of thousands of taxpayer records were accessed and disclosed.
Data recipients: Media organizations, including ProPublica and The New York Times.
Criminal case: Littlejohn pled guilty under §7213 and received a 5-year sentence.
Government action: The Treasury terminated Booz Allen’s contracts on January 26, 2026, citing failures in safeguards.
Regulatory Framework
§6103 governs the confidentiality of tax returns and return information.
§6103(n) permits contractors to access taxpayer data under strict safeguards.
§7213 criminalizes unauthorized disclosure of tax return information.
Contractors are required to implement administrative, technical, and physical safeguards to maintain compliance.
Arguments
Taxpayer argued:
Booz Allen allegedly failed to implement adequate monitoring, audit controls, and access restrictions.
Insider misuse was foreseeable due to prior breaches and known industry risks.
The contractor’s failures allegedly enabled prolonged, large-scale data extraction.
The 2026 contract termination by the Treasury is cited as confirmation of inadequate safeguards.
Booz Allen is alleged to be both directly and vicariously liable for the employee’s conduct.
Government posture (implied from prior proceedings):
Criminal liability rested with the individual employee under §7213.
Previous enforcement efforts focused on unauthorized disclosure rather than contractor systems.
Legal Theory
Contractors with §6103(n) access owe a duty to safeguard taxpayer data.
Insider threats are well-known and require active monitoring controls.
Failure to detect repeated abnormal access suggests deficient safeguards.
The extended duration of the misconduct supports an inference of systemic failure.
The Treasury’s contract termination is presented as evidence of causation and breach of duty.
Employee access was enabled entirely through contractor systems.
Therefore, contractor negligence is alleged to have plausibly contributed to the breach.
Result
The complaint seeks compensatory and punitive damages from Booz Allen and the individual employee.
The Takeaway
This case will determine whether IRS contractors can be held financially responsible for failures in access controls, not just for employee misconduct.
If this theory prevails, any firm handling IRS data could face litigation, not merely compliance obligations.


