In Program Manager Technical Advice 2015-19 the IRS indicated how the agency should deal with situations that arise when there is identity theft that occurs against a business.  

While identity theft at the individual level has gotten much attention in the press, there also exist situations where a third party attempts to hijack a business’s tax identity for nefarious purposes.  For instance, the hijack can be use to create fictitious W2s that can be used to make it more difficult for the IRS to detect individual tax return refund fraud or simply to claim fraudulent refunds for the “business” in question. 

The IRS identifies two common scenarios for business entity related identity theft as outlined below:

In the first scenario, the identity thief obtains the EIN of a legitimate business (the business victim). The legitimate business may be active or inactive. The identity thief uses the legitimate EIN to file fraudulent business returns, purportedly on behalf of the legitimate business. The business returns may either be an income tax return in an attempt to obtain a fraudulent refund, or employment tax or information returns (e.g., Forms 941 or W-2) used to support fraudulent individual income tax returns filed to generate fraudulent refunds.

In the second scenario, the identity thief uses the identity information of an individual (the individual victim) to obtain an EIN for a fictitious business by listing the individual victim as the responsible party on an EIN application.

The first question is whether the IRS has the authority to disregard these returns as a nullity and the National Office concludes yes.

Instructions to the Form SS-4, "Application for Employer Identification Number," define "responsible party," in pertinent part, as follows:

For entities with shares or interests traded on a public exchange, or which are registered with the Securities and Exchange Commission, "responsible party" is (a) the principal officer, if the business is a corporation, (b) a general partner, if a partnership, (c) the owner of an entity that is disregarded as separate from its owner...or (d) a grantor, owner, or trustor, if a trust.

For all other entities, "responsible party" is the person who has a level of control over, or entitlement to, the funds or assets in the entity that, as a practical matter, enables the individual, directly or indirectly, to control, manage, or direct the entity and the disposition of its funds and assets. The ability to fund the entity or the entitlement to the property of the entity alone, however, without any corresponding authority to control, manage, or direct the entity (such as in the case of a minor child beneficiary), does not cause the individual to be a responsible party. return alleges to be the return of a business, but the return is not actually filed by the business, so the return cannot be valid. As for the Beard test, the returns do not satisfy the fourth element-the requirement that the returns be signed by the taxpayer under penalties of perjury-even if they satisfy the other three elements. The returns cannot satisfy the Beard test because there cannot be a valid signature when the EIN is stolen. As such, these BMF returns are not truly returns and can be treated as nullities.

Most importantly the PMTA concludes that the IRS may disclose information about that return to the business whose identity was misused:

The Service may disclose information about a potentially fraudulent business or filing to the business that purportedly filed the return or to the individual who purportedly signed the return or who is listed as the "responsible party" for purposes of determining if the filing was authorized.

However, it is a bit more complicated.  

The ruling concludes that, under federal law, the information on the fraudulent return is “tax return information” for purposes on the restrictions on disclosures of information.  If a legitimate business has its identity compromised, the information would be tax return information of the business and could be disclosed to the business.  As well, it is tax return information of the identity thief. 

But it’s not tax return information of the “responsible party” so there is no absolute right for that person to get access to the information.  That’s because the information does not relate to that individual’s tax.

However, the ruling notes that the IRS does have a limited right to disclose otherwise restricted tax return information if it is “attempting to gather information that is otherwise not reasonably available in connection with a tax investigation…”

Thus the ruling concludes the IRS may release the information, noting:

In this case, the Service would be contacting the business and individual victims in order to ascertain whether the victim filed or authorized the suspect filings. The Service would only contact the business and individual victims when the Service has reason to believe, in a specific case, that the filing was done without the knowledge of the business or individual victim. Contacting the business that allegedly filed the suspect filings or the individual who is listed as the "responsible party" or who signed the suspect filing would be appropriate and helpful to determining whether or not the suspect filings were legitimate. Accordingly, the disclosures would be authorized by section 6103(k)(6), where the information is not otherwise regarded as the return information of the victim (business or individual).