We all know that tax preparer firms are under attack from felonious hackers. A security breach can destroy your professional reputation with affected clients and businesses, and possibly your livelihood. If you handle taxpayer information, you may be subject to the Gramm-Leach-Bliley Act and the Federal Trade Commission’s (FTC’s) Safeguards Rules, which require that you assess the risks to taxpayer information in your office and have a plan of appropriate protections of that information. Texas also mandates under penalty of law that businesses secure personal data and activate a plan if that data is compromised.
The crime wave will only get worse, so you need to be ready by ensuring the safety of confidential data. (Some of the following recommendations may overlap.)
Create a security plan:
- Review IRS Publication 4557, Safeguarding Taxpayer Data, which provides seven checklists of security control measures that you can put in place, https://www.irs.gov/pub/irs-pdf/p4557.pdf.
- Use top-notch software and network security or work with an IT professional who specializes in security (look for CISSP, CISA or CISM certifications).
- Review your firm’s insurance policy for identity theft or cyber-breach protection coverage.
- Pay special attention to any remote access programs that your firm uses.
- Regularly track the number of returns filed under your EFIN and PTIN accounts, https://www.eitc.irs.gov/Tax-Preparer-Toolkit/Protect-Yourself.
- Ensure that the firm has a current and good backup of all data.
- Review the firm’s risk management procedures, http://www.aicpa.org/interestareas/informationtechnology/resources/privacy/pages/default.aspx.
- Be aware that the human element, the unintentional internal breach, is equally dangerous:
  - Create and use strong passwords.
  - Use only secure Wi-Fi.
  - Encrypt electronically stored taxpayer data and emails containing personal identifying information.
  - Be vigilant in implementing your firm’s data destruction policy.
  - Develop specific policies and procedures for handling proprietary or sensitive information.
  - Have a firm-wide computer policy to ensure that all employees are up-to-date on acceptable use of technology.
  - Conduct regular employee training on the firm’s data, security and computer policies, including awareness of phishing scams, password-stealing malware and other cybercrimes.
  - Audit your employees’ security access controls.
  - Have procedures in place for unauthorized or malicious use of proprietary data.
Create a breach action plan for data theft:
- Perform a security scan of all firm laptops and your network if an unusual number of the firm’s clients are notified by the IRS of a suspicious tax return.
- Have a procedure in place to quickly restore backup data if a breach occurs.
- The IRS asks that you contact your local IRS Stakeholder Liaison if you experience a data compromise, https://www.irs.gov/businesses/small-businesses-self-employed/stakeholder-liaison-local-contacts-1.
- Texas State Board Rules of Professional Conduct, Rule 501.75—Confidential Client Information was updated in 2017 to require that “immediately upon becoming aware of the loss of, or loss of control over, the confidentiality of those records notify the client affected in writing of the date and time of the loss if known.”
- If applicable, notify the Texas comptroller’s office and possibly the Texas attorney general’s office, https://www.texasattorneygeneral.gov/cpd/protecting-consumers-personal-data.
- Review the FTC’s Business Center to assist businesses with data losses, https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.
- Notify your legal counsel.
- Notify your insurance carrier.
- Notify law enforcement and obtain a copy of the police report, https://www.texasattorneygeneral.gov/identitytheft/report-id-theft-crime.
- Review procedures for complying with Texas’ state law, “Notification Required Following Breach of Security of Computerized Data,” section 521.053 of the Texas Business and Commerce Code, http://codes.findlaw.com/tx/business-and-commerce-code/bus-com-sect-521-053.html.
- Designate a point person in your firm for releasing information to clients, the media, etc.
- Notify affected clients and businesses of the nature of the compromise, the type of information taken, the likelihood of misuse and the potential damage if the information is misused. (The FTC has a model letter at https://www.ftc.gov/tips-advice/business-center/guidance/data-breach-response-guide-business.)
- Notify the credit bureaus to put fraud alerts on your credit records.
- Consider offering at least one year of credit monitoring and credit restoration, if applicable. (This may be available through your insurance carrier.)
- Have a list of how your clients should proceed (can include this in the breach letter):
  - File an identity theft report with law enforcement and obtain a copy of the police report, https://www.texasattorneygeneral.gov/identitytheft/report-id-theft-crime.
  - Contact the IRS at https://www.identitytheft.gov/. At this time, only confirmed victims qualify for IP PINs.
  - Report any breach to the Social Security Administration.
  - Notify credit bureaus.
  - Report any potential credit card breaches to the providers. Place a security freeze if there is a high risk of theft.
  - Notify the bank, if applicable.
As a tax professional, you take your responsibility to your clients seriously – you should take their data seriously, as well.