With the recent news of a major hack against the credit report giant Equifax, it should be clear that the one rule that’s still valid in the tech field is, “it can happen to anybody.” And instead of dissecting the company’s response, we’re going to bring it down to a much more personal level.
What if it was your office that got hacked? Do you know what to do if there’s a theft of data from your system? How would you react?
Report Data Theft. Now.
Always report any breach or theft of data and do it as soon as the loss is confirmed. A swift response on your part can head off other problems later. The cybercriminals who break into your computer system will work quickly to convert their stolen data into bogus tax returns; we need to be quick to stop them.
First on your call list is the Internal Revenue Service. The IRS has created a reporting process for tax professionals who experience a breach or theft of data. You’ll first need to call the local IRS stakeholder liaison. This representative will relay information to other parts of the IRS that need to know, including the Return Integrity and Compliance Services, and the Criminal Investigation divisions.
The stakeholder liaison will need a list of the affected taxpayers, their names and their Social Security Numbers. Send the list in a CSV (Comma Separated Values) format. Excel users can merely select “Save As,” and pick CSV from the list of options. Save the file, but remember to encrypt it before sending it to the IRS.
It should be noted that operators on the IRS toll-free phone lines cannot accept third-party notification of tax-related identity theft. That’s why it’s important to work through the stakeholder liaison.
Other Calls to Make
- Federal Bureau of Investigation, the local office closest to your location.
- Secret Service, the local office (if directed).
- Local police – To file a police report on the data breach if required by insurance companies.
Some states require notification of data losses, so any office experiencing a hack or other theft of data should notify each state for which it prepares returns. Here’s who to contact:
- Any breach of personal information could impact the victim’s tax accounts with the states as well as the IRS. Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
- State Attorneys General for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches. This notification process may involve multiple offices.
In the wake of a breach, you may want to contact a security expert to find the cause and the scope of the theft. This can help ensure the intrusion has been stopped and can help prevent a recurrence. Check with your insurance company; your policy may cover the cost of hiring an expert and other mitigation expenses.
Of course, notify affected clients, sending them an individual letter. But you may have to work with law enforcement on the timing. Some states require offering credit monitoring or identity theft protection to victims.
Don’t Take the Bait
For the last 10 weeks, the Security Summit, a joint partnership between the IRS, state tax agencies, and tax industry leaders, has issued a series of strategies aimed at preventing tax-related identity theft. This effort was called “Don’t Take the Bait,” as part of the Security Summit’s ongoing campaign to Protect Your Clients; Protect Yourself.
“The IRS, the states and the nation’s tax community continue to make progress in the battle against tax-related identity theft,” said IRS Commissioner John Koskinen.
“But we need the help of tax professionals across the country to help strengthen this effort. In addition to working to ensure the safety of their systems, practitioners should promptly report identity theft or data breaches to help protect their clients.”