The Internal Revenue Service and its partners on the Security Summit are reminding the nation’s tax professionals that having a written information security plan is more than just a good idea—it’s the law.
The Security Summit is made up of representatives from the IRS, state tax agencies and the income tax industry. As security threats continue to increase during the COVID-19 pandemic, Security Summit partners are also recommending practitioners create an emergency response plan to be used in the event of a data theft.
Contacting the IRS should be the first step in the plan in order to quickly protect tax pros and their clients.
This is the last in the Security Summit's Working Virtually series.
Making a plan for protecting data and reporting theft is the last in a five-part series called Working Virtually: Protecting Tax Data at Home and at Work. The special Security Summit series has spotlighted basic security steps for all manner of tax professionals, but is tailored for those working remotely or social distancing due to the COVID-19 outbreak.
"COVID-19 has changed the way many of us work, and more tax professionals are working from home. With these changes, there are new risks from cybercriminals. Our special Security Summit series was designed to give you critical information protect your clients and protect your business," said IRS Commissioner Chuck Rettig.
"We all have a role in protecting taxpayer data, and the tax professional community is a critical part of that effort," Rettig added. "It's more important than ever to take appropriate security precautions, protect remote work sites, use two-factor authentication and plan ahead for all possibilities."
Remember: FTC requires a written security plan.
Federal law administered by the Federal Trade Commission requires all “professional tax preparers” to create and maintain a written information security plan. Each document should be appropriate to the firm’s size and complexity.
The plan must also be appropriate to the nature and scope of the company’s activities as well as the sensitivity of the customer information it handles. For example, a plan for a sole tax practitioner would be much different than the plan for a global, multi-partner firm.
No matter what their circumstance, tax pros working from home must ensure client data is protected just as it would be in an office setting.
What does the Safeguards Rule require?
The FTC requires that each company, as part of its plan:
- designate one or more employees to coordinate its information security program;
- identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks;
- design and implement a safeguards program and regularly monitor and test it;
- select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
- evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
It should be noted that the FTC is currently taking a second look at the Safeguards Rule and is proposing new regulations. Tax pros should be alert to any changes in the rule and its effect on the tax preparation community.
IRS Publication 4557, Safeguarding Taxpayer Data, outlines critical security measures for all tax professionals. It also includes information on how to comply with the FTC Safeguards Rule and includes a checklist of items for a prospective security plan. Practitioners are asked to focus on key areas such as employee management and training; information systems; and detecting and managing system failures.
For those preparers who think they may just forgo creating a security plan, the IRS may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.
Your plan should include a response to data theft.
Tax professionals who suffer a theft of their data should report the crime to the IRS immediately. Speed is critical, so that actions can be taken to protect taxpayers -- and the firm.
The Security Summit recommends practitioners create a response plan so that action can be taken quickly and contact information is readily available.
If a client or the firm is the victim of data theft, immediately:
- Report it to the local IRS Stakeholder Liaison. Stakeholder Liaisons will notify IRS Criminal Investigation and others within the agency. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients' names and will assist through the process.
- Email the Federation of Tax Administrators at firstname.lastname@example.org. Get information on how to report victim information to the states. Most states require that the state attorney general be notified of data breaches. This notification process may involve multiple offices.
Find more information at Data Theft Information for Tax Professionals.
Data thieves not only attempt to steal client data, but may also try to steal the tax professional’s identity as well, using their PTINs, EFINs and CAF numbers to file fraudulent returns or to steal even more information.
Thieves may even try to impersonate the tax pro to obtain tax transcripts or other tax records.
To stay informed, tax professionals should routinely check their IRS e-Services e-file Application to see a weekly count of tax returns filed with their Electronic Filing Identification Numbers. Excessive filings are a sign of data theft. The IRS recommends that e-file applications should also be kept up to date.
Circular 230 practitioners also can review weekly the number of tax returns filed using their Preparer Tax Identification Number or PTIN. Again, excessive filings are a sign of data theft.
Preparers with Centralized Authorization File, or CAF, numbers that enable third-party access to tax information or representation should keep those records updated. Practitioners should notify the IRS when they no longer need third-party authorization for clients.
Need additional resources?
Tax pros can get help with security recommendations by consulting the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology.
In addition, Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. To stay informed, tax pros can stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media or visit Identity Theft Central at IRS.gov/identitytheft.