The IRS has sent an email to tax professionals discussing what to do if the professional becomes aware of a data breach.
The email begins by reminding tax professionals that the IRS had sent out an email in March (which I suspect many overlooked because it arrived in the middle of a generally very trying filing season) about the need to develop a data security plan. But the email continues that even with such a plan in place, a data breach can still occur.
The IRS email then outlines the agencies and other parties that should be notified as soon as the professional becomes aware of the breach:
If you experience a data breach, here’s how to report your data loss:
Contact the IRS and law enforcement:
Report client data thefts to your local IRS Stakeholder Liaison. The liaison will notify IRS Criminal Investigation and others within the agency on your behalf. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
Federal Bureau of Investigation (FBI), your local office (if directed by IRS)
Secret Service, your local office (if directed by IRS)
Local police to file a report on the data breach
Contact the states in which you prepare returns:
A breach of personal information could affect the victim’s tax accounts with the states. You should email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on reporting victim information to the states.
Also, you may need to contact the State Attorney General for each state where you prepare tax returns. Most states require that the attorney general be notified of data breaches.
Security expert - to determine the cause and scope of the breach, stop the breach and prevent future breaches.
Insurance company - to report the breach and determine if your policy covers data breach mitigation expenses.
Contact clients and other services:
Clients - Send a letter to all victims to inform them of the breach; however, work with law enforcement on timing.
Federal Trade Commission - Can help businesses victimized by data thefts, including providing resources on notifying clients that a data loss has occurred.
Credit/ID theft protection agency - Some states require offering credit monitoring/ID theft protection to victims of ID theft.
Credit bureaus - To notify them of a data compromise since clients may seek their services.
The email is correct in warning that any organization can be subject to a data breach, since a single mistake can open up systems to takeover or expose confidential tax information.
In Verizon’s 2018 Data Breach Investigations Report, 11th Edition, the report noted that for the professional, technical and scientific services industry group, “detection and containment times are dismal.”
The most significant action varieties detected in the security incidents investigated in this report were, in order of the number of times seen:
Use of stolen credentials (this could be due to reuse of credentials for multiple accounts)
Misdelivery (sending the information to the wrong client)
Privilege abuse (an account had access to data the user had no reason to have access to)
Pretexting (contact via phone or other means to obtain information to allow attacker to impersonate an employee)
Misconfiguration (as firms move information to the web, too often data moved to the cloud is put into databases where no or default account login credentials are used)
“Data Breach! Contact the IRS!,” IRS Return Preparer Office, electronic mail dated June 24, 2019
2018 Data Breach Investigations Report, 11th Edition, Verizon, p. 38, https://enterprise.verizon.com/resources/reports/DBIR_2018_Report.pdf, accessed June 25, 2019