The IRS issued a Fact Sheet (FS-2015-24) that discusses tax preparers and their obligations with regard to protecting their clients from data theft as well as generally securing taxpayer information.
The IRS recommends that preparers read Publication 4557, Safeguarding Taxpayer Data, for information on their responsibilities and obligations with regard to data they receive from taxpayers in their tax preparation services.
The publication indicates that tax preparers should have a security plan implementing the following:
- Top-notch security software that includes a firewall, anti-malware and anti-virus programs; make sure they are set to automatically update so that the software can stay current against the latest threats; and consider having firewalls for both hardware and software.
- An education program for all employees to ensure they understand the dangers of phishing emails and other threats to taxpayer data. Publication 4557 has several items related to employees such as halting their access to the preparer’s computer systems if they leave employment.
- Strong passwords that are changed periodically; consider having different levels of password protection. For example, have one password to access the computer system and a separate password to access tax software or client files. That way, if the computer system is breached, perhaps not all of the information will be exposed.
- Secure wireless connection. If Wi-Fi is used, protect taxpayer data by making sure it is password protected and encrypted, and use encrypted email programs to exchange PII with taxpayers.
The fact sheet adds that preparers should also:
- Back up taxpayer data frequently, perhaps on an external hard drive, and ensure that the hard drive is kept in a secure location with limited access by others.
- Store any paper files in a secure location.
- Access IRS e-services weekly during the filing season and periodically throughout the year to see the number of returns filed using the preparer’s EFIN. If the number is excessive, contact the e-Help Desk for e-Services immediately.
Having provided helpful information, the sheet then moves to motivate preparers by pointing out the “hot water” they could get into, noting that:
In the Gramm-Leach-Bliley Act, the “Safeguards Rule” requires individuals involved in providing financial products or tax preparation services to ensure the security and confidentiality of customer records and information.
Finally, the Fact Sheet provides an FTC resource for businesses that experience a data theft, found at Information Compromise and the Risk of Identity Theft: Guidance for Your Business. The Fact Sheet provides the following summary of who to notify if a data breach occurs:
- Law Enforcement — If local police are not familiar with investigating information compromises, contact the local office of the FBI or the U.S. Secret Service. Also, contact the local IRS Stakeholder Liaison so they can contact IRS Criminal Investigation.
- Affected Businesses — For example, alerting the major credit bureaus that a data theft involving Social Security Numbers has occurred and that clients will be advised to place fraud alerts on their accounts.
- Individual Clients — This is the hard part, but the earlier clients are notified, the faster they can take action to mitigate any damage. Also:
  - Discuss the timing with law enforcement to avoid impeding the investigation.
  - Designate a person responsible for releasing information. Communication is critical. The FTC has a model letter that can be used as a template to notify clients about the data theft.
  - Describe in any notice to clients what is known about the compromise, including how it happened, what information was taken and what actions have been taken to remedy the situation.
  - Consider additional steps such as offering free credit monitoring for clients.