IRS, Security Summit partners remind practitioners that all ‘professional tax preparers’ must create a written data security plan to protect clients
WASHINGTON — The IRS, state tax agencies and the nation’s tax industry today reminded all “professional tax preparers” that federal law requires them to create a written information security plan to protect their clients’ data.
The reminder came as the IRS and its Security Summit partners urged tax professionals to take time this summer to review their data security protections. To help them in this complex area, the Summit created a special “Taxes-Security-Together” Checklist as a starting point.
“Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers,” said IRS Commissioner Chuck Rettig. “Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business.”
Creating a data security plan is the second item on the “Taxes-Security-Together” Checklist. The first step for tax professionals involved deploying the “Security Six” basic steps to protect computers and email.
Although the Security Summit -- a partnership between the IRS, states and the private-sector tax community -- is making major progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices remain a major threat. Thieves use stolen data from tax practitioners to create fraudulent returns that can be harder for the IRS and Summit partners to detect.
Create a data security plan under federal law
The Security Summit partners noted that many in the tax professional community do not realize they are required under federal law to have a data security plan.
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley (GLB) Act, gives the Federal Trade Commission authority to set information safeguard regulations for various entities, including professional tax return preparers. According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation. The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.
The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. According to the FTC, each company, as part of its plan, must:
The FTC says the requirements are designed to be flexible so that companies can implement safeguards appropriate to their own circumstances. The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operations.
Please note: The FTC currently is re-evaluating the Safeguards Rule and has proposed new regulations. Be alert to any changes in the Safeguards Rule and its effect on the tax preparation community.
IRS Publication 4557, Safeguarding Taxpayer Data, details critical security measures that all tax professionals should enact. The publication also includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan. Tax professionals are asked to focus on key areas such as employee management and training; information systems; and detecting and managing system failures.
Additional data protection provisions may apply
The IRS and certain Internal Revenue Code (IRC) sections also focus on protection of taxpayer information and requirements of tax professionals. Here are a few examples:
Many state laws govern or relate to the privacy and security of financial data, which includes taxpayer data. They extend rights and remedies to consumers by requiring individuals and businesses that offer financial services to safeguard nonpublic personal information. For more information on state laws that businesses must follow, consult state laws and regulations.
Where to report data theft for the IRS, states
To notify the IRS in case of data theft, contact the appropriate local IRS Stakeholder Liaison.
In some states, data thefts must be reported to various authorities. Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.
The Taxes-Security-Together Checklist
During this special Security Summit series, the checklist highlights these key areas for tax professionals:
· Deploy “Security Six” basic safeguards