This week, a federal judge handed down a five-year prison sentence to Charles Littlejohn for stealing and leaking the tax returns of thousands of American citizens, including former President Donald Trump.

“Let me be absolutely clear: What you did, in targeting the sitting president of the United States, was an attack on our constitutional democracy,” said Judge Ana C. Reyes, an appointee of President Biden.

Littlejohn pled guilty last year to the unauthorized disclosure of tax returns. As a contractor with the IRS, he abused his position to access and leak this highly sensitive information to multiple media outlets in a personal political crusade. Judge Reyes called Littlejohn’s crimes “the biggest heist in IRS history.”

Contrasting the scale and nature of Littlejohn’s crimes with the five-year sentence he received makes two things clear. First, the IRS wields tremendous power over American citizens through the personally sensitive tax information the agency collects. Second, privacy violations at the IRS are not taken as seriously as they should be.

In particular, Judge Reyes appeared perplexed by the Justice Department’s decision to charge Littlejohn with only one felony count.

“The fact that he did what he did and he’s facing one felony count, I have no words for,” Reyes said.

Rob a bank, and you might spend 20 years in prison. Hatch an elaborate scheme to rob the IRS and thousands of Americans of their personally sensitive data? Apparently, that’s only worth five.

Yet, while material wealth can often be recovered, privacy generally cannot. The government must provide a strong deterrent against privacy violations by holding wrongdoers accountable. Otherwise, activists on all sides will be incentivized to illegally access and weaponize taxpayer records for political ends.

Wealthy individuals like former President Trump are not the only ones who should be concerned. Many Americans seek to fulfil their civic duty by joining and contributing to groups that promote their values in government and society. IRS mischief with these groups’ donor lists can cast a powerful chill on free speech.

We’ve seen this story before. A decade ago, IRS officials admitted to subjecting conservative nonprofits and their donors to inappropriate questioning and delays in processing routine paperwork. That effort was intended to blunt the momentum of the fast-growing Tea Party movement, and by some measures, it succeeded.

The revelation of the IRS targeting scandal led to a rash of resignations, but lasting reform never came. That’s why People United for Privacy and others have pushed to end the annual reporting of nonprofits’ donor lists to the IRS. Under this plan, groups would still be required to collect and maintain donors’ information. The difference is the IRS would only access the data when necessary.

Simple but impactful reforms like these are urgent in an environment where massive privacy violations result in only modest punishments. The IRS and its trove of taxpayer data must never be weaponized for political purposes – regardless of the target. If current law is insufficient to hold such behavior accountable, it is time for Congress to take a deep look at the agency and insist on real privacy protections for American citizens.