Leaders from the IRS, state tax commissioners, and the tax industry met in June to recap a year of progress made by the IRS Security Summit group. While the IRS and the states are stopping more suspicious tax returns than before, criminals are redoubling their efforts to steal personal data to file fraudulent federal and state income tax returns—increasingly, from tax return preparers, said IRS Commissioner John Koskinen.
CPAs have not only an ethical but also a legal responsibility to safeguard any information obtained or used to prepare a tax return. Sec. 7216 imposes criminal and monetary penalties on tax preparers who knowingly or recklessly disclose return-related information. The Gramm-Leach-Bliley Act and Federal Trade Commission (FTC) financial privacy and safeguards rules impose additional requirements. Most states have enacted security breach notification laws that impose security and privacy standards across a wide variety of industries. Data protection encompasses all aspects of tax preparation: physical security, storage and transmission of data, and staff behavior. How do CPAs begin to protect themselves and their clients from cyberattacks?
PROTECT YOUR FIRM
The IRS provides a comprehensive road map to reducing risk in IRS Publication 4557, Safeguarding Taxpayer Data. This 20-page brochure furnishes seven checklists that cover operations, physical environment, computer systems, and employees to help preparers create a security plan for their office and operations.
According to the IRS, preparers should create an electronic security strategy that includes:
- Top-notch security software that includes a firewall and anti-malware and anti-virus programs. The software should be set to automatically update against the latest threats. Preparers should consider having firewalls for both hardware and software.
- A communication policy and education program to ensure all employees understand the dangers of phishing emails (one reportedly masquerades as a tax software update) and other threats to taxpayer data. The policy should cover email usage and internet browsing, phone and laptop use, and personal storage.
- Strong passwords that are changed periodically. Consider having different levels of password protection, such as separate passwords to access the computer system and tax software or client files. That way, if the computer system is breached, perhaps not all of the information will be exposed.
- A secure wireless connection. Make sure Wi-Fi is password protected, and use encrypted email to exchange personally identifiable information with taxpayers.
- "Deep scans" to fully scour all computer drives and files for any malware or viruses. These bugs can hide in places that a "quick scan" does not search.
- A portal or email system to exchange data with clients safely. Sending data safely to a client is only half of the equation. Clients need a way to deliver information safely to you as well.
- A data loss prevention system. Software is available that blocks unauthorized transmission, copying, or downloading of confidential data.
- Physical security to complement the electronic security system. Review where you store clients' data while the tax return is being prepared and delivered. Are the file cabinets, shelves, and server rooms secure?
While targeted less often by identity thieves than taxpayers' Social Security numbers, preparer tax identification numbers (PTINs) may also be used by criminals and should be protected. CPAs and other enrolled preparers who prepare at least 50 forms in the Form 1040 series annually may check the IRS's count of returns associated with their PTIN against their own records by logging into their PTIN account at irs.gov/ptin.
EDUCATE YOUR CLIENTS
Safeguarding against data breaches includes educating clients about the risks they face. According to the IRS, over 90% of all returns are prepared using tax preparation software, and over 80% are filed electronically. Much of the data used to prepare the return is stored or sent via a client's computer. Despite publicity about numerous data breaches, many clients remain unaware of the threat of identity theft. They email tax returns or send banking information without considering the risk. Some schemes are very subtle or rely on a fear of the IRS to extract data or payments. CPAs should impress upon their clients the potential dangers. A good resource for this purpose is IRS Publication 4524, Taxes. Security. Together., which recommends steps clients can take to safeguard their own information. Tax preparers may also want to alert clients to IRS security videos (available at youtube.com that provide additional hints and tips for good data and identity protection habits.
DEVELOP A DATA BREACH RESPONSE PLAN
Data breaches at small accounting firms have increased, and it is important to have a response plan in place, including a step-by-step guide to comply with state and federal laws and inform affected clients. The FTC outlines best practices for businesses that experience data theft. Its main guidance is available on the webpage "Information Compromise and the Risk of Identity Theft: Guidance for Your Business" at ftc.gov. A fast response is critical, as some data security laws require firms to warn affected clients of the risk of identity theft and fraud within a short time. The IRS regularly updates its guidance to preparers should they suffer a data theft. Preparers should contact the IRS Stakeholder Liaison for their state for up-to-date instructions (a contact list is available at irs.gov.
Consider adding cyber liability insurance to help you respond to a data breach (see the AICPA Insights article, "Cyber Liability Insurance for CPA Firms," available at blog.aicpa.org.
Koskinen warns that "cybercriminals are continuing to evolve, using new technologies, ruses, and scams" (IRS News Release IR-2016-96). The IRS issued dozens of news releases in 2015 and 2016 reporting new scams, phishing ruses, and identity theft prosecutions. To stay abreast of the most recent schemes, register for e-news for tax professionals (available at irs.gov, or follow the IRS Twitter and Facebook social media feeds for tax professionals. The IRS also communicates with tax preparers about ways to combat data theft through its Security Summit homepage, available at irs.gov.
Dayna E. Roane is a practitioner with Perry & Roane PC in Niwot, Colo.
To comment on this article or to suggest an idea for another article, contact Paul Bonner, senior editor, at firstname.lastname@example.org or 919-402-4434.