Let’s talk about your data security plan.
News Flash! Tax Professional Thinks He Sees His Shadow, but it’s the IRS…
Don’t be Punxsutawney Phil when it comes to potential identity theft. As a tax professional, you are required to have a data security plan.
Now, before you run back down into your burrow because you operate as a sole practitioner and believe these rules only apply to the ‘big boys,’ be aware that the IRS casts its shadow over you as well.
Remember the box you had to check when renewing your PTIN? It didn’t ask how large a firm you’re with; it just asked you to confirm you have a data security plan in place as a prerequisite for PTIN renewal.
The fact of the matter is that your office and records are a goldmine of data, especially for the ever-evolving gang of cyber thieves out there.
Tax professionals need to be aware of their obligation to protect client data and to cooperate with any IRS investigation related to data theft.
Members of the IRS Electronic Tax Administration Advisory Committee (ETAAC) noted recently that they believe “far fewer than half of tax professionals are aware of their responsibilities under the FTC Safeguards rule and that even fewer professionals have implemented required security practices.”
The Financial Services Modernization Act of 1999 (the Gramm-Leach-Bliley (GLB) Act) gives the Federal Trade Commission authority to set rules and regulations regarding the safeguarding of information for all types of businesses, including tax return preparers.
According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation.
According to the FTC, each company, as part of its plan, must:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
The FTC says the requirements are designed to be flexible (but not ignored) so that companies can implement safeguards appropriate to their own circumstances. The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operations.
Publication 4557, Safeguarding Taxpayer Data, details critical security measures all tax professionals should enact. The publication also includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan.
IRS Publication 3112, IRS e-file Application and Participation, states: “Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers. Providers must be diligent in recognizing fraud and abuse, reporting it to the IRS, and preventing it when possible. Providers must also cooperate with the IRS’s investigations by making available to the IRS upon request information and documents related to returns with potential fraud or abuse.”
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov.
Also, tax professionals should stay connected to the IRS through:
- Social Media (the IRS Social Media page on IRS.gov)
Potential penalties beyond an FTC investigation:
- IRC Section 7216 — This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures or uses of information furnished to them in connection with the preparation of an income tax return.
- IRC Section 6713 — This provision imposes monetary penalties on the unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.
- Rev. Proc. 2007–40 — This procedure requires authorized IRS e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of the non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007–40. These violations are subject to the penalties or sanctions specified in the Revenue Procedure.
Also, while this writing may have you thinking about software and file protection, let’s not forget about the staff you are considering hiring. While we want to believe our staff is an integral part of a trusted team, I suggest you approach new hires with a wary eye. If you’re not going to give that new front desk person access to your financial files, shouldn’t you also consider limiting their access to client data? Perhaps part of that data security plan should also address policies and procedures covering employees removing files or records from the office (especially remote workers), the sharing of information, e-mail policies, and disclosures over social media such as Facebook or Twitter.
Ok, so I’ve given you this advice a little bit early. Now maybe take a candle with you (to write out your security plan) as you return to your burrow and grab a bit more rest before clients drag you back out!
by Tom O’Saben, EA
Originally published at https://taxschool.illinois.edu.