By Kathy Ploch, CPA-Houston
Before we get too buried in the 2023 tax returns, this is a reminder about data security and our responsibility as practitioners to have a written information security plan (WISP) in place. Many of you may have noticed that when you renewed your PTIN, you were asked to attest that you had this written plan in place.
There are several provisions in Circular 230 that state a practitioner’s obligations when dealing with data security and confidential client information. It lists the penalties, both civil (IRC Section 6713) and criminal (IRC Section 7216), for unauthorized disclosure of taxpayer information. In addition, legislation enacted in 1999, the Gramm-Leach-Bliley Act, gave the Federal Trade Commission (FTC) authority to prescribe regulations establishing data protection requirements for professional tax return preparers.
In Section 314.2(h)(2)(viii) of the Safeguards Rule in the Act, accountants and other firms in the business of completing income tax returns must implement safeguards, including a WISP, to protect the security, confidentiality and integrity of the information. In 2015, the IRS created a public-private partnership called the Security Summit that works to protect confidential taxpayer information. The Security Summit prepares resources and awareness campaigns to make planning easier.
Failure to maintain a WISP to protect financial data not only puts clients at risk of identity theft and fraud, but also exposes a practitioner to liability for violating the Safeguards Rule. The FTC can obtain penalties against a company that acted unfairly or deceptively through its Penalty Offense Authority (Section 5(m)(1)(B) of the FTC Act, 15 U.S.C. Section 45(m)(1)(B)). If a company receives a penalty offense notice and still engages in the prohibited practices, it can face civil penalties of up to $50,120 per violation. This maximum penalty is adjusted for inflation every January.
Listed below are various resources to assist you in complying with the WISP rules. Remember that this plan should be reviewed annually for any updates needed. The IRS also recommends that you contact your IRS Stakeholder Liaison and the FTC if you experience a data breach.
For AICPA members, the Tax Section offers several resources and a template: Gramm-Leach-Bliley Act (GLBA) and the FTC Safeguards Rule