IRS and Security Summit Partners Remind Tax Professionals to Create Written Information Security Plan to Protect Clients
By Alejandra Castro
The IRS, state tax agencies and the nation's tax industry today reminded all "professional tax preparers" that they are required by federal law to create a written information security plan to protect their clients' data.
The reminder came as the IRS and its Security Summit partners urged tax professionals to take some time this summer to review their data security protections. To help them in this complex task, the Summit created a “Tax-Security-United” Checklist as a starting point.
“Protecting taxpayer data isn't just good business practice, it's the law for tax professionals,” said IRS Commissioner Chuck Rettig. “Creating a written information security plan and implementing it is critical to protecting your customers and your business.”
Creating a data security plan is the second item on the “Tax-Security-United” Checklist. The first step for tax professionals was implementing the "Six Security Steps" to protect computers and emails.
Although the Security Summit — a partnership between the IRS, states and the private sector tax community — makes progress against tax-related identity theft, cybercriminals continue to evolve, and data breaches in professional offices of taxes remain a major threat. Thieves use data stolen from tax professionals to create fraudulent returns that may be more difficult for IRS and Summit partners to detect.
Create a data security plan under federal law
Security Summit partners noted that many in the professional tax community do not realize that they are required by federal law to have a data security plan.
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley (GLB) Act, gives the Federal Trade Commission (FTC) the authority to establish data protection regulations for various entities, including professional tax return preparers. Under the FTC's Safeguard Rule, tax return preparers must create and enact security plans to protect customer data. Failure to do so may result in an FTC investigation. The IRS may also treat a violation of the FTC Safeguard Rule as a violation of IRS Tax Administrative Procedure 2007-40, which sets forth the rules for tax professionals who participate as IRS Authorized e-file Providers.
The information security plan required by the FTC must be appropriate to the size and complexity of the business, the nature and scope of its activities, and the sensitivity of the customer information it handles. According to the FTC, each company, as part of its plan, must:
- Designate one or more employees to coordinate your information security program
- Identify and assess the risks to customer information in each relevant area of the company's operation and assess the effectiveness of current protections to control these risks;
- Design and implement a security program and regularly monitor and test it;
- Select service providers that can maintain appropriate protections, ensure that their contract requires them to maintain protections, and oversee their handling of customer information; Y
- Evaluate and adjust the program based on relevant circumstances, including changes in business or company operations, or the results of security testing and monitoring.
The FTC says the requirements are designed to be flexible so that companies can implement protections appropriate to their own circumstances. The Protection Rule requires companies to assess and address risks to customer information in all areas of their operations.
Please note: The FTC is reevaluating the Protection Rule and has proposed new regulations. Be alert to any changes to the Protection Rule and its effect on the tax preparation community.
La IRS Publication 4557, Protection of Taxpayer Data (in English), details the critical security measures that all tax professionals should enact. The publication also includes information on how to comply with the FTC's Safeguard Rule, including a checklist of elements for a forward-looking data security plan. Tax professionals are being asked to focus on key areas such as employee management and training; information systems; and detection and management of system faults.
Additional data protection provisions may apply
The IRS and certain sections of the Internal Revenue Code (IRC) also focus on the protection of taxpayer information and the requirements of tax professionals. These are some examples:
- IRS Publication 3112 – IRS e-File Application and Participation, states: Protecting IRS e-File from fraud and abuse is the shared responsibility of the IRS and Authorized e-file Providers. Providers must be diligent in recognizing fraud and abuse, reporting them to the IRS, and avoiding them when possible. Providers must also cooperate with IRS investigations by making available to the IRS, upon request, information and documents related to suspected fraud or abuse tax returns.
- IRC Section 7216 – This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns, who knowingly or recklessly makes unauthorized disclosures or uses of information provided to them in connection with preparing an income tax return.
- IRC Section 6713 – This provision imposes monetary penalties for unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or rendering services in connection with the preparation of tax returns.
- IRS Income Procedure 2007-40 – These legal guidelines require IRS authorized e-File providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLB Act and the implementing rules and regulations promulgated by the FTC, as well as violations of the nondisclosure rules contained in sections 6713 and 7216 of the IRC or the regulations promulgated under that act, they are considered violations of the Revenue Procedure 2007-40, and are subject to the fines or penalties specified in the Revenue Procedure.
Many state laws govern or relate to the confidentiality and security of financial data, including taxpayer data. They expand rights and remedies to consumers by requiring individuals and businesses that offer financial services to protect nonpublic personal information. For more information about the state laws your business must follow, see State Laws and Regulations.
Where to report data theft with the IRS, states
To notify the IRS in the event of a data breach, contact your Local stakeholder liaison (In English).
In some states, data breaches must be reported to multiple authorities. Email the Federation of Tax Administrators at [email protected] for information on how to report victim information to states.
Additional IRS Resources:
Tax professionals can also get help with the security recommendations by reviewing the recently revised Publication 4557, Protecting Taxpayer Data (in English) and and the Small Business Security Information: The Basics, from the National Institute of Standards and Technology, available in English.
La Publication 5293, Data Security Resource Guide for Tax Professionals, compiles data breach information available on IRS.gov. In addition, tax professionals must stay connected to the IRS through subscriptions to e-News for tax professionals and social media.
During this special Security Summit series, the checklist highlights these key areas for tax professionals: