IRS Updates Data Security Guidance for Tax Professionals

The IRS has again cautioned tax professionals to take steps to protect taxpayer data in News Release IR-2018-147, Tax Security 101 – IRS, Security Summit partners launch new awareness campaign; Urge tax professionals to step up protections for client data. The release cautions that “[d]ata thefts at tax practitioners’ offices continue to rise and result in fraudulent tax returns that can be especially difficult for the IRS and states to detect.” The IRS has also modified its guidance to take into account some of the latest thinking in the information security world.

The news release reminds tax preparers that they are treated as financial entities under federal law and are therefore subject to special security requirements:

The IRS reminds professional tax preparers that the Financial Services Modernization Act of 1999, also known as Gramm-Leach-Bliley Act, requires certain financial entities – including professional tax return preparers – to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and its “Safeguards Rule” regulations.

The IRS also announced that it has revised Publication 4557, Safeguarding Taxpayer Data, and released a new publication, Publication 5293, Data Security Resource Guide for Tax Professionals, which collects the resources available to tax preparers.

The news release highlights the following basic security steps found in those publications:

  • Learn to recognize phishing emails, especially those pretending to be from the IRS, a tax software provider, a cloud storage provider or a state tax agency. Never open a link or any attachment from a suspicious email. Remember: the IRS never initiates contact with a tax professional via email.
  • Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
  • Review internal controls for their business:
      • Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep the software set to update automatically.
      • Create passwords of at least eight characters; longer is better. Use a different password for each account, use special and alphanumeric characters, use phrases, password-protect wireless devices and consider a password manager program.
      • Encrypt all sensitive files/emails and use strong password protections.
      • Back up sensitive data to a safe and secure external source that is not connected full time to a network.
      • Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
      • Limit access to taxpayer data to individuals who need to know.
      • Check the IRS e-Services account weekly for the number of returns filed with the firm’s EFIN.
      • Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
      • Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alerts and social media.
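The first item in that list, recognizing mail that only pretends to come from the IRS, a tax software vendor or a cloud storage provider, is the kind of check that can be partly automated at the mailbox. The script below is an added example written for this post; it is not code from the IRS, its publications or any vendor. It parses a message with Python's standard `email` module and flags the indicators the release describes: a brand named in the sender or subject that does not match the sending domain, any IRS-branded inbound mail at all (since the IRS does not initiate contact by email), a Reply-To pointing elsewhere, links whose visible text shows one domain while the href goes to another, and attachment types commonly used to deliver the remote-access malware mentioned later in the release. The brand-to-domain table, the `.example` domains and both sample messages are constructed for illustration.

```python
"""Heuristic phishing triage for the lures the IRS release warns about.

Added example; not from the IRS publications or any vendor. The brand
table, the .example domains and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: brand keywords a tax office expects mail about, mapped to the
# domains that legitimately send for them. A real deployment maintains this.
BRAND_DOMAINS = {
    "irs": {"irs.gov"},
    "taxprep": {"taxprep.example"},    # hypothetical tax software vendor
    "cloudbox": {"cloudbox.example"},  # hypothetical cloud storage provider
}
RISKY_EXTENSIONS = (".exe", ".js", ".vbs", ".scr", ".zip", ".htm", ".html")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)


def host_of(text):
    """Lower-cased host of a URL or bare domain, or '' if there is none."""
    text = text.strip()
    if "://" not in text:
        text = "http://" + text
    return (urlparse(text).hostname or "").lower()


def same_org(host, domains):
    """True if host is one of the domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def triage(raw_message):
    """Return a list of findings; empty means no indicator fired, not 'safe'."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_host = addr.rpartition("@")[2].lower()
    claimed = f"{display} {addr} {msg.get('Subject', '')}".lower()

    # 1. Brand invoked in the sender or subject, but not sent from that brand.
    for brand, domains in BRAND_DOMAINS.items():
        if re.search(rf"\b{brand}\b", claimed) and not same_org(sender_host, domains):
            findings.append(f"claims to be {brand} but sent from {sender_host or '?'}")
    # 2. The IRS does not initiate contact with preparers by email, so any
    #    IRS-branded inbound mail is worth a second look even if (1) is clean.
    if re.search(r"\birs\b", claimed):
        findings.append("IRS-branded email: the IRS does not initiate contact this way")
    # 3. Replies redirected to a different mailbox than the apparent sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.rpartition("@")[2].lower() != sender_host:
        findings.append(f"Reply-To {reply_to} differs from From {addr}")
    # 4. Link text showing one domain while the href goes to another, and
    #    attachment types used to drop remote-access tooling.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment {filename}")
        if part.get_content_type() == "text/html":
            html = part.get_payload(decode=True).decode("utf-8", "replace")
            for href, text in ANCHOR_RE.findall(html):
                shown, real = host_of(re.sub(r"<[^>]+>", "", text)), host_of(href)
                if shown and real and not same_org(real, {shown}):
                    findings.append(f"link shows {shown} but goes to {real}")
    return findings


# Constructed sample: an IRS lure with a look-alike link and a zipped "notice".
PHISH = """\
From: "IRS e-Services" <noreply@irs-gov-secure.example>
To: preparer@firm.example
Reply-To: support@mailbox.example
Subject: Action required: EFIN verification
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset=utf-8

<p>Verify your EFIN at <a href="http://irs.gov.efin-check.example/login">https://www.irs.gov/e-services</a></p>
--b1
Content-Type: application/zip; name="Notice.zip"
Content-Disposition: attachment; filename="Notice.zip"

UEsDBA==
--b1--
"""

# Constructed sample: routine mail from the (hypothetical) software vendor.
LEGIT = """\
From: "TaxPrep Support" <support@taxprep.example>
To: preparer@firm.example
Subject: Your TaxPrep update is ready
MIME-Version: 1.0
Content-Type: text/html; charset=utf-8

<p>Download from <a href="https://updates.taxprep.example/2018">updates.taxprep.example</a>.</p>
"""

if __name__ == "__main__":
    for label, sample in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, triage(sample) or "no indicators")
```

Run against the two constructed samples, the lure produces five findings (brand mismatch, IRS branding, Reply-To redirection, link mismatch, zipped attachment) and the vendor update produces none. Heuristics like these are a triage aid for the "suspicious email" judgment the release asks preparers to make, not a substitute for it; a clean result only means none of these particular indicators fired.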

The release goes on to attribute the following scam, which received widespread press coverage at the start of the last filing season, to data stolen from tax professionals’ systems:

The importance of these basic steps was highlighted yet again this year when a sophisticated cybercriminal gang breached numerous practitioner offices by gaining remote control access of computers and stealing taxpayers’ 2016 tax information. The thieves used that information to file 2017 tax returns using all of the taxpayers’ real data, including their bank accounts for direct deposit.

The thieves then called the taxpayers, trying to trick them into returning the fraudulent refunds. In some cases, the thieves had stolen so much information, they could access the clients’ bank accounts online and steal the fraudulent refunds. In many cases, the tax professionals never even knew their client data was stolen.

One interesting observation is that Publication 4557 no longer advises that passwords be changed regularly, and the same admonishment is absent from the news release and from Publication 5293. The National Institute of Standards and Technology (NIST) removed that advice from its recommended practices in the 2017 revision of Special Publication 800-63B, having concluded that mandatory periodic changes often reduce security: people who must keep remembering new passwords respond by choosing simpler ones and/or by cycling through a small set of passwords that they also swap among different sites.

This year’s guidance also adds the recommendation that users store their passwords in a password manager and protect it with a single strong, unique master password. Many technology professionals regard password managers as the only practical way to ensure that each of an individual’s logins to different sites is protected by a strong and unique password. It simply is not realistic to expect people to memorize long, complex, unique passwords for the hundreds of sites many of us need access to in order to do our jobs.
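To make the shift in the password guidance concrete, the following is an added example written for this post, not code from the IRS publications or from NIST. It implements the direction described above: a length floor of eight characters with no upper ceiling on passphrases, a screen against known-compromised passwords (hashed comparison, the way breach corpora are typically distributed), a check that the password does not simply embed the user or firm name, and, deliberately, no character-class composition rules and no expiry clock. It also generates the kind of long, random passphrase a password manager would store, using the operating system's CSPRNG via `secrets`, and reports how much entropy that gives. The compromised-password set and the word list are tiny constructed stand-ins for the real corpora and diceware-style lists a deployment would use.

```python
"""Password checks and passphrase generation in the spirit of the 2018 IRS
guidance and NIST SP 800-63B: length over complexity, a breach screen, and
no forced periodic rotation.

Added example; not code from the IRS publications or from NIST. The
COMPROMISED set and WORDS list are constructed stand-ins.
"""
import hashlib
import math
import secrets

MIN_LEN = 8  # the floor in the IRS list; longer is better, and no maximum is imposed

# Constructed stand-in for a compromised-password corpus. Such lists are
# usually published as SHA-1 digests, so the check hashes the candidate
# instead of holding or comparing plaintext.
COMPROMISED = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in (
    "password", "12345678", "qwerty123", "Password1!", "taxseason2018",
)}

# Constructed stand-in for a diceware-style word list; real lists hold
# thousands of words, and entropy per word is log2 of the list size.
WORDS = ("ledger", "maple", "orbit", "quartz", "violet", "canyon", "harbor",
         "pixel", "summit", "tundra", "walnut", "zephyr", "anchor", "beacon",
         "cobalt", "dune")


def is_compromised(candidate):
    """True if the candidate's SHA-1 digest appears in the breach corpus."""
    digest = hashlib.sha1(candidate.encode("utf-8")).hexdigest().upper()
    return digest in COMPROMISED


def check_password(candidate, context=()):
    """Return (ok, reasons). `context` holds strings such as the username or
    firm name that a password should not simply contain.

    Deliberately absent: character-class composition rules and an expiry
    date. NIST SP 800-63B drops both, and the 2018 IRS guidance no longer
    asks for periodic changes; a change should follow evidence of compromise.
    """
    reasons = []
    if len(candidate) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if is_compromised(candidate):
        reasons.append("appears in a compromised-password list")
    lowered = candidate.lower()
    reasons += [f"contains '{c}'" for c in context if c and c.lower() in lowered]
    return (not reasons, reasons)


def generate_passphrase(n_words=5, separator="-"):
    """Random passphrase from WORDS using the OS CSPRNG (secrets, not random)."""
    return separator.join(secrets.choice(WORDS) for _ in range(n_words))


def passphrase_entropy_bits(n_words, wordlist_size=len(WORDS)):
    """Entropy of an n-word passphrase drawn uniformly from a list of that size."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    for pw in ("Password1!", "short", "correct horse battery staple"):
        print(repr(pw), check_password(pw))
    print(check_password("FirmName2018!", context=("FirmName",)))
    phrase = generate_passphrase()
    print(phrase, check_password(phrase), f"{passphrase_entropy_bits(5):.0f} bits")
```

Two points worth noticing. `Password1!` satisfies every classic composition rule and still fails, because it is on the breach list; `correct horse battery staple` satisfies none of them and passes, because length and unpredictability are what matter. And with the 16-word toy list a five-word phrase carries only 20 bits, which is why real passphrase generators use lists of several thousand words; the same function reports roughly 64 bits for five words from a 7,776-word diceware list.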