The IRS has issued a warning to tax preparers regarding the risk posed to the preparers and their clients from data theft in News Release IR-2016-96 and Fact Sheet 2016-23. The notice follows on the IRS’ promise to get information out to tax preparers following the 2016 Security Summit as part of its Protect Your Clients; Protect Yourself campaign.
The news release directs preparers to the fact sheet and to the more detailed Publication 4557, Safeguarding Taxpayer Data, a 21-page PDF document.
The fact sheet notes that “[b]ecause of the sensitive client data held by tax professionals, cybercriminals increasingly are targeting the tax preparation community, using a variety of tactics from remote computer takeovers to phishing scams.”
Many of today’s scams use Microsoft Office documents (most often Word files, though Excel files can also be used) and then persuade the user to enable macros, often by claiming this is necessary to read a document that appears garbled. Not surprisingly, when the macro runs it delivers its malware payload. For a tax preparer, that payload may search the preparer’s system and network for taxpayer information, or simply install a keystroke logger to capture that information as the preparer types it in.
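Because the attack above depends on getting a macro-bearing document in front of a staff member, one practical control is to check attachments for embedded VBA before they are opened. The following is an added example, not code from the IRS or the fact sheet, and the sample documents it builds are constructed inline for the demonstration rather than real Word files. It relies on the fact that modern Office files (.docx, .docm, .xlsm, etc.) are zip archives in which a VBA project is stored as a `vbaProject.bin` part, so the check works regardless of the file extension the sender chose; legacy binary .doc/.xls files use a different container and are reported for inspection with a dedicated tool such as oletools’ olevba (an assumed, separately installed tool) rather than guessed at.

```python
"""Flag Office attachments that carry VBA macros before a user can be talked
into enabling them. Added example; the sample files are constructed inline."""
import io
import zipfile

# Magic bytes of the legacy OLE2 container used by .doc/.xls (pre-2007 formats).
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# Zip local-file-header signature; OOXML documents start with it.
ZIP_MAGIC = b"PK\x03\x04"
# Where Word, Excel and PowerPoint store an embedded VBA project.
MACRO_PARTS = ("word/vbaproject.bin", "xl/vbaproject.bin", "ppt/vbaproject.bin")


def classify_office_file(data: bytes) -> str:
    """Return 'macro', 'clean', 'legacy-binary' or 'not-office' for a file's bytes.

    The decision is made on the container contents, not the file name, because
    an attacker controls the extension shown to the recipient.
    """
    if data.startswith(OLE_MAGIC):
        # Binary .doc/.xls: macros live in an OLE storage that needs a real
        # OLE parser (e.g. olevba); do not guess, hand it to that tool.
        return "legacy-binary"
    if not data.startswith(ZIP_MAGIC):
        return "not-office"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = {n.lower() for n in zf.namelist()}
    except zipfile.BadZipFile:
        return "not-office"
    if "[content_types].xml" not in names:
        # A zip without the OOXML manifest is not an Office document.
        return "not-office"
    if any(part in names for part in MACRO_PARTS):
        return "macro"
    return "clean"


def scan_attachments(attachments: dict) -> dict:
    """Map each attachment name to its verdict; names are for reporting only."""
    return {name: classify_office_file(data) for name, data in attachments.items()}


def build_sample(include_macro: bool) -> bytes:
    """Constructed minimal OOXML-shaped document for the demo (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if include_macro:
            # Real files hold a compiled VBA project here; a stub is enough
            # to show that presence of the part is what the check keys on.
            zf.writestr("word/vbaProject.bin", b"\x00VBA-stub")
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed inbox: note the macro file disguised with a .docx extension.
    inbox = {
        "engagement_letter.docx": build_sample(include_macro=False),
        "W2_scan.docx": build_sample(include_macro=True),
        "old_return.doc": OLE_MAGIC + b"\x00" * 24,
        "notes.txt": b"plain text, not an Office file",
    }
    for name, verdict in scan_attachments(inbox).items():
        print(f"{name:24s} {verdict}")
```

In a mail gateway or intake workflow, anything reported as `macro` would be quarantined and `legacy-binary` routed to a deeper OLE scan; the `clean` verdict only means no VBA part was found, not that the document is safe (OOXML can still carry external links or exploit payloads), so it should sit alongside antivirus scanning rather than replace it.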
In addition to suggesting that tax professionals read Publication 4557 for detailed guidance, the fact sheet lists the following “critical steps” a preparer’s firm should undertake:
- Assure that taxpayer data, including data left on hardware and media, is never left unsecured
- Securely dispose of taxpayer information
- Require strong passwords (numbers, symbols, upper & lowercase) on all computers and tax software programs
- Require periodic password changes every 60 – 90 days
- Store taxpayer data in secure systems and encrypt information when transmitting across networks
- Ensure that e-mail being sent or received, that contains taxpayer data, is encrypted and secure
- Make sure paper documents, computer disks, flash drives and other media are kept in a secure location and restrict access to authorized users only
- Use caution when allowing or granting remote access to internal networks containing sensitive data
- Terminate access to taxpayer information for anyone who is no longer employed by your business
- Create security requirements for your entire staff regarding computer information systems, paper records and use of taxpayer data
- Provide periodic training to update staff members on any changes and ensure compliance
- Protect your facilities from unauthorized access and potential dangers
- Create a plan on required steps to notify taxpayers should you be the victim of any data breach or theft
The fact sheet goes on to suggest the following “additional considerations” for preparers:
- Complete a risk assessment to identify risk and potential impacts of unauthorized access
- Write and follow an Information Security plan
- Consider performing background checks and screen individuals before granting access to taxpayer information
CPAs should carefully consider whether their systems meet the criteria discussed above and found in Publication 4557, as well as considering whether additional safeguards should be instituted in their firm.