Tax and accounting professionals have a new resource for implementing or improving their written information security plan, which is required under federal law.
The IRS in a news release Tuesday released a 29-page guide, Creating a Written Information Security Plan for Your Tax and Accounting Practice, which describes the requirements. The guide also includes procedures and details for creating and implementing a written information security plan, recommendations for the plan's contents and scope, and a template for one.
The guide was created by the Security Summit, a collaboration of public agencies — the IRS and state taxing authorities — with the private sector, including tax software providers and tax professionals.
A written information security plan is required under the safeguards rule of the U.S. Federal Trade Commission (FTC), implementing provisions of the Gramm-Leach-Bliley Act, P.L. 106-102. The 1999 law requires financial institutions, which for its purposes include tax and accounting firms, to protect customer data.
A written information security plan is intended to ensure the security and confidentiality of all client personally identifiable information (PII) received or retained by a firm, protect it from threats or hazards, and prevent unauthorized access to it that could create a substantial risk of identity theft or fraudulent or harmful use. It should cover administrative, technical, and physical safeguards of PII.
The guide also describes suggested attachments to a written information security plan, including procedures for notification of a data security breach, a record retention policy, an inventory of all physical and electronic storage of PII, and rules for firm members' behavior and conduct in safeguarding PII.
However, "A security plan should be appropriate to the company's size, scope of activities, complexity, and the sensitivity of the customer data it handles," the guide states. "There is no one-size-fits-all [plan]."
The guide also suggests that tax professionals consult technical experts to advise them on security matters.
Other IRS resources include Publication 4557, Safeguarding Taxpayer Data. The IRS and Security Summit's weekly series this summer of "Protect Your Clients: Protect Yourself" tips provides more background and considerations for protection of records and data by tax professionals.
Tax preparers will encounter a checkbox when they obtain or renew their preparer tax identification number (PTIN), requiring them to affirm their awareness that they must have a data security plan and provide data and system security protections for all taxpayer information.
In addition, the AICPA's Tax Section has developed an information security plan template for Tax Section members to download and customize to comply with the FTC's safeguards rule.
— To comment on this article or to suggest an idea for another article, contact Paul Bonner at Paul.Bonner@aicpa-cima.com.