The Government Accountability Office (GAO) turned out to have excellent timing, releasing its report on the security of the commercial tax preparation ecosystem in the same week that Wolters Kluwer took down the online systems used by tax preparers after discovering malware on its network. The report (IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices, United States Government Accountability Office, GAO-19-340, May 2019) generally recommends that the IRS impose specific security requirements on all participants in the e-file program (paid preparers, electronic return originators and software developers). The IRS disagreed with most of the recommendations, primarily on the basis of its view that it lacks the statutory authority to take the actions suggested.
Specifically, the GAO reported the following findings:
Paid Preparers. IRS has not developed minimum information security requirements for the systems used by paid preparers or Authorized e-file Providers. According to IRS’s Office of Chief Counsel, IRS does not have the explicit authority to regulate security for these systems. Instead, the Internal Revenue Code gives IRS broad authority to administer and supervise the internal revenue laws. The Department of the Treasury has previously requested additional authority to regulate the competency of all paid preparers; GAO has also suggested that Congress consider granting IRS this authority. Congress has not yet provided such authority. Neither the Department of the Treasury request nor the GAO suggestion included granting IRS authority to regulate the security of paid preparers’ systems. Having such authority would enable IRS to establish minimum requirements. Further, having explicit authority to establish security standards for Authorized e-file Providers’ systems may help IRS better ensure the protection of taxpayers’ information.
Tax Software Providers. As part of a public-private partnership between IRS and the tax preparation industry, 15 tax software providers voluntarily adhere to a set of about 140 information security controls developed using guidance from the National Institute of Standards and Technology (NIST). However, these controls are not required, and these providers represent only about one-third of all tax software providers. Additionally, IRS established six security, privacy, and business standards for providers of software that allows individuals to prepare their own tax returns (as opposed to software that paid preparers use). However, IRS has not substantially updated these standards since 2010, and they are, at least in part, outdated. For example, IRS cites an outdated encryption standard that NIST recommends not using due to its many known weaknesses.
The report makes the following eight recommendations to the IRS:
The Commissioner of Internal Revenue should develop a governance structure or other form of centralized leadership, such as a steering committee, to coordinate all aspects of IRS’s efforts to protect taxpayer information while at third-party providers. (Recommendation 1)
The Commissioner of Internal Revenue should modify the Authorized e-file Provider program’s requirements to explicitly state the required elements of an information security program as provided by the FTC Safeguards Rule. (Recommendation 2)
The Commissioner of Internal Revenue should require that all tax software providers that participate in the Authorized e-file Provider program follow the subset of NIST Special Publication 800-53 controls that were agreed upon by the Security Summit participants. (Recommendation 3)
The Commissioner of Internal Revenue should regularly review and update the security requirements that apply to tax software providers and other Authorized e-file Providers. (Recommendation 4)
The Commissioner of Internal Revenue should update IRS’s monitoring programs for electronic return originators to include techniques to monitor basic information security and cybersecurity issues. Further, IRS should make the appropriate revisions to internal guidance, job aids, and staff training, as necessary. (Recommendation 5)
The Commissioner of Internal Revenue should conduct a risk assessment to determine whether different monitoring approaches are appropriate for all of the provider types in the IRS’s Authorized e-file Provider program. If changes are needed, IRS should make appropriate revisions to the monitoring program, internal guidance, job aids, and staff training, as necessary. (Recommendation 6)
The Commissioner of Internal Revenue should standardize the incident reporting requirements for all types of Authorized e-file Providers. (Recommendation 7)
The Commissioner of Internal Revenue should document intake, storage, and sharing of the security incident data across IRS offices. (Recommendation 8)
As already noted, the IRS disagreed with most of these recommendations, primarily on the basis of the agency’s view that it lacks the authority to impose mandatory requirements on the affected third parties. In its response to the draft report, the IRS agreed only with recommendations 4, 7 and 8.
While the IRS’s position was that it lacked the authority to impose additional conditions on e-file providers and software developers, the GAO argued that this was not the case, since the IRS controls who may participate in the e-file program. Because the report was written and responded to before the Wolters Kluwer malware incident came to light, it remains to be seen whether the IRS will now accept the GAO’s position or, alternatively, whether Congress will move to grant the IRS the authority the agency says it lacks.
As well, the GAO refers to FTC standards that do apply to all paid preparers and software providers, standards the GAO found many paid preparers were unaware of. The report notes:
The Gramm-Leach-Bliley Act provided FTC with the authority to require that financial institutions subject to its jurisdiction ensure the security and confidentiality of customer records and nonpublic personal information; protect against any anticipated threats or hazards to the security of such records; and protect against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer. FTC, in turn, issued a regulation known as the “FTC Safeguards Rule.”
The FTC Safeguards Rule applies to financial institutions including third-party providers that help taxpayers file tax returns, such as paid preparers and providers of software that allows individuals to prepare their own tax returns. The FTC Safeguards Rule requires those institutions to develop, implement, and maintain a comprehensive written information security program. The program must contain administrative, technical, and physical safeguards that are appropriate to the provider’s size and complexity, the nature and scope of the provider’s activities, and the sensitivity of any customer information at issue.
The Safeguards Rule is codified at 16 C.F.R. Part 314; the core standard, §314.3, reads:
§ 314.3 Standards for safeguarding customer information.
(a) Information security program. You shall develop, implement, and maintain a comprehensive information security program that is written in one or more readily accessible parts and contains administrative, technical, and physical safeguards that are appropriate to your size and complexity, the nature and scope of your activities, and the sensitivity of any customer information at issue. Such safeguards shall include the elements set forth in § 314.4 and shall be reasonably designed to achieve the objectives of this part, as set forth in paragraph (b) of this section.
(b) Objectives. The objectives of section 501(b) of the Act, and of this part, are to:
(1) Insure the security and confidentiality of customer information;
(2) Protect against any anticipated threats or hazards to the security or integrity of such information; and
(3) Protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.
16 C.F.R. §314.4 lists the elements the information security program must include:
§ 314.4 Elements.
In order to develop, implement, and maintain your information security program, you shall:
(a) Designate an employee or employees to coordinate your information security program.
(b) Identify reasonably foreseeable internal and external risks to the security, confidentiality, and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, such a risk assessment should include consideration of risks in each relevant area of your operations, including:
(1) Employee training and management;
(2) Information systems, including network and software design, as well as information processing, storage, transmission and disposal; and
(3) Detecting, preventing and responding to attacks, intrusions, or other systems failures.
(c) Design and implement information safeguards to control the risks you identify through risk assessment, and regularly test or otherwise monitor the effectiveness of the safeguards’ key controls, systems, and procedures.
(d) Oversee service providers, by:
(1) Taking reasonable steps to select and retain service providers that are capable of maintaining appropriate safeguards for the customer information at issue; and
(2) Requiring your service providers by contract to implement and maintain such safeguards.
(e) Evaluate and adjust your information security program in light of the results of the testing and monitoring required by paragraph (c) of this section; any material changes to your operations or business arrangements; or any other circumstances that you know or have reason to know may have a material impact on your information security program.
As the GAO report notes, these standards apply regardless of whether the IRS addresses them: the Federal Trade Commission was independently given the authority to issue these regulations and to apply them to financial institutions, a category that includes tax preparers. The GAO also notes that Revenue Procedure 2007-40 makes compliance with the Safeguards Rule a condition of participating in the IRS e-file program.
The practical consequence is that if a CPA firm suffers an “incident,” the firm may be asked to produce the written information security program it is required to have under the FTC Safeguards Rule. Likewise, if an issue arises at a service provider used by the firm (and virtually every CPA firm that has moved beyond green pads and pencils relies on multiple such providers, even if the firm believes it has stayed out of the cloud), the firm may be asked to demonstrate that it performed the oversight of that provider required by §314.4(d): reasonable steps in selecting the provider and a contractual requirement that the provider implement and maintain appropriate safeguards.
IRS Needs to Improve Oversight of Third-Party Cybersecurity Practices, United States Government Accountability Office, GAO-19-340, May 2019, GAO Highlights (PDF pages 3-4)
Ibid., pp. 39-40
Ibid., p. 14