The IRS and its Security Summit partners urge all professional tax preparers to review their data security protections and document them in writing. In fact, CPAs and other paid tax return preparers are required by law to have in place a written information security plan to protect client data. The Gramm-Leach-Bliley (GLB) Act of 1999, P.L. 106-102, gives the Federal Trade Commission (FTC) authority to regulate information safeguard protocols for various types of businesses that are "significantly engaged" in providing financial products or services, which include professional tax preparers.
This "safeguards rule" requires companies to develop a written information security plan describing the company's policies and procedures for protecting customer information. The plan must be appropriate to the company's size, activities, and complexity and to the sensitivity of the customer information it collects and uses. The client records and information that CPA tax practitioners routinely collect and store are, of course, among those clients' most sensitive personal and business data. Tax preparation firms' plans must:
- Designate one or more employees to coordinate the firm's information security program;
- Identify and assess the risks to customer information in each relevant area of the firm's operation and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program and regularly monitor and test it;
- If a firm uses outside service providers that handle or have contact with client information, ensure that those providers can also maintain appropriate safeguards; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
The FTC notes that companies must consider unique risks arising from their business practices, including when their employees access or process customer information from outside the company's primary business locations or outside its computer networks. With the growing prevalence among tax firms of allowing return preparers to work on client tax returns remotely from home or other locations via a virtual private network connection or shared use of web access, tax firms offering this option should make sure their safeguards program and written security plan reflect this mode of operation.
For more details and tips on policies and practices for use and protection of servers and computers, systems access, employee training, records retention and disposal, systems maintenance and monitoring, and how to handle a data breach, see the FTC's webpage "Financial Institutions and Customer Information: Complying With the Safeguards Rule" at ftc.gov.
Another source of practical guidance for tax preparer firms is the recently updated IRS Publication 4557, Safeguarding Taxpayer Data. The IRS and its Security Summit partners also note that the written data security plan is only one point of several information security steps for tax practitioners, outlined in their "Taxes-Security-Together" checklist. Besides creating the plan, the checklist items are:
- Deploy "Security Six" basic safeguards (available at irs.gov);
- Educate yourself on phishing scams;
- Recognize the signs of client data theft; and
- Create a data theft recovery plan.
Part of a recovery plan should be to call the IRS immediately by contacting your local IRS Stakeholder Liaison (contact information available at irs.gov). It is critical for tax practitioners to immediately disclose to the IRS any potential theft of taxpayer data. Data thefts may also have to be reported to states' and other jurisdictions' tax authorities. The Federation of Tax Administrators website at taxadmin.org can provide details.
Civil liability under state laws may also attach to data theft arising from inadequate safeguards. A common recommendation from tax professionals who have experienced data thefts is for all tax professionals to review their professional insurance policy to ensure the business is protected should a data theft occur.
Other relevant statutes, guidance, and resources include:
- IRS Publication 3112, IRS e-file Application and Participation: Explains that authorized e-file providers share responsibility with the IRS for safeguarding e-file data. Providers must be diligent in recognizing fraud and abuse and cooperate in IRS investigations.
- Sec. 7216: Imposes criminal penalties on any person in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly discloses information furnished for, or in connection with, the preparation of any return or uses tax information for any purpose other than preparing or assisting in preparing any return.
- Sec. 6713: Imposes monetary penalties on any person in the business of preparing or providing services in connection with the preparation of tax returns who discloses information furnished for, or in connection with, the preparation of any return or uses tax information for any purpose other than preparing or assisting in preparing any return.
- Rev. Proc. 2007-40: Provides that authorized e-file providers are subject to sanctions for violations of the GLB Act and Secs. 6713 and 7216.
- IRS Publication 5293, Data Security Resource Guide for Tax Professionals: A guide intended to provide a basic understanding of minimal steps to protect client data.
- AICPA resources: See "Professional Liability Spotlight: Cyber Liability: Managing Evolving Exposures," JofA, Jan. 2019, with links to the AICPA's cybersecurity risk management reporting framework and the AICPA Private Companies Practice Section cybersecurity toolkit.
Sebastian B. Murolo, CPA, MBA, CMB, is an associate professor at Queensborough Community College CUNY in Bayside, N.Y.
To comment on this article or to suggest an idea for another article, contact Paul Bonner, a JofA senior editor, at Paul.Bonner@aicpa-cima.com or 919-402-4434.