The Rules of Thumb blog from MoneyThumb does our best to keep our readers educated and informed about issues that are important to them. Today we would like to make sure that all of our tax professionals who are readers of our blog understand the importance of security measures, especially now that so many of you are working from home.
Even though the COVID-19 pandemic has changed the tax preparation landscape, tax professionals are still required by federal law to have a written information security plan, even when working from home. Amid continuing security threats during COVID-19, the IRS, state tax administrators, and the nation’s tax industry recommend practitioners create an emergency response plan should they experience a data theft. Contacting the IRS is step one in the plan to quickly protect tax professionals and their clients.
“COVID-19 has changed the way many of us work, and more tax professionals are working from home. With these changes, there are new risks from cybercriminals. Our special Security Summit series was designed to give you critical information to protect your clients and protect your business,” said IRS Commissioner Chuck Rettig.
“We all have a role in protecting taxpayer data, and the tax professional community is a critical part of that effort,” Rettig added. “It’s more important than ever to take appropriate security precautions, protect remote work sites, use two-factor authentication, and plan ahead for all possibilities.”
Tax Pros: Create a Security Plan to meet FTC requirement
Federal law administered by the Federal Trade Commission requires all “professional tax preparers” to create and maintain a written information security plan that is appropriate to the firm’s size and complexity.
In addition, the FTC-required information security plan must be appropriate to the nature and scope of the company’s activities and the sensitivity of the customer information it handles. A plan for a sole tax practitioner would differ from a multi-partner, global firm.
Tax professionals working from home must ensure that client data is protected just as it would in an office setting.
According to the FTC, each company, as part of its plan, must:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
The FTC currently is re-evaluating the Safeguards Rule and has proposed new regulations. Be alert to any changes in the Safeguards Rule and its effect on the tax preparation community.
IRS Publication 4557, Safeguarding Taxpayer Data (PDF), details critical security measures that all tax professionals should enact. The publication also includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan. Tax professionals are asked to focus on key areas such as employee management and training; information systems; and detecting and managing system failures.
The IRS also may treat a violation of the FTC Safeguards Rule as a violation of the IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.
Create a Data Theft Response Plan; Report Data Thefts to the IRS
Tax professionals who experience a data theft should report the crime to the IRS immediately so that actions can be taken to protect taxpayers – and the firm. The Security Summit partners recommend practitioners create a response plan so that actions can be taken quickly, and contact information is readily available. If a client of the firm is the victim of data theft, immediately:
- Report it to the local IRS Stakeholder Liaison. Stakeholder Liaisons will notify IRS Criminal Investigation and others within the agency. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist through the process.
- Email the Federation of Tax Administrators at StateAlert@taxadmin.org. Get information on how to report victim information to the states. Most states require that the state attorney general be notified of data breaches. This notification process may involve multiple offices.
Find more information at Data Theft Information for Tax Professionals.
In addition to trying to steal client data, thieves may try to steal a tax practitioner’s identity as well, using their PTINs, EFINs and CAF numbers to file fraudulent returns or steal even more information. Thieves may even try to impersonate the tax practitioner to obtain tax transcripts or other tax records.
Practitioners should routinely check their IRS e-Services E-File Application to see a weekly count of tax returns filed with their Electronic Filing Identification Numbers or EFIN. Excessive filings are a sign of data theft. E-File applications also should be kept up to date.
Circular 230 practitioners also can review weekly the number of tax returns filed using their Preparer Tax Identification Number or PTIN. Again, excessive filings are a sign of data theft.
Preparers with Centralized Authorization File, or CAF numbers, that enable third party access to tax information or representation should keep those records updated. Practitioners should notify the IRS when they no longer need third-party authorization for clients.