Every tax professional in the US is a potential target for well-funded and technologically sophisticated cybercriminals who aim to steal your clients’ data. Often their goal is to steal data to steal your EFINs or CAF numbers and impersonate their victims and to file fraudulent tax returns. Cybercriminals use several avenues, including email, fax and phone to trick unsuspecting individuals and firms into giving up computer passwords, e-Services passwords and to take remote control of your computer systems and entire network.
Protecting client data is not just a responsibility, it is the law
Federal Trade Commission (FTC) regulations require professional tax preparing firms and individuals to create and implement security plans to protect all client data. Review to the IRS sources for details and security recommendations and more details:
- Publication 4557, Safeguarding Taxpayer Data (PDF)
- Publication 5293, Data Theft Resource Guide for Tax Professionals (PDF)
According to the Gramm-Leach-Bliley Act (GLBA) of 1999, P.L. 106-102 safeguards rule, tax preparers must implement security plans to protect client data. Failure to do so may result in a Federal Trade Commission (FTC) investigation. While the GLBA has been in place for quite some time, many financial professionals have been unaware they are required to develop a written information security plan that describes how their firm is prepared to protect clients’ private, sensitive, personal information.
Per IRS Tax Tip 2019-119, this begins with creating a data security plan to protect sensitive data in their offices and on their computers. Each plan should be tailored for each specific office and should consider the company’s size, the nature of its activities, and the sensitivity of its client information. This plan should:
- Include the names of all information security program managers;
- Identify all risks to customer information;
- Evaluate risks and current safety measures;
- Design a program to protect data;
- Put the data protection program in place; and
- Regularly monitor and test the program.
Additional data security responsibilities
In addition to the GLBA safeguards rule, tax practitioners should keep in mind other client data security responsibilities.
- Sec. 7216 is a criminal provision that prohibits preparers from knowingly or recklessly disclosing or using tax return information. See the AICPA Tax Section’s Section 7216 Guidance and Resources webpage at www.aicpa.org to aid with compliance.
- Treasury Department Circular No. 230, Regulations Governing Practice Before the IRS (31 C.F.R. Part 10), requires practitioners to exercise due diligence in preparing returns or other documents related to a federal tax matter. A violation could subject a practitioner to sanctions, including censure, suspension, or disbarment from practice before the IRS.
- The AICPA Code of Professional Conduct addresses member responsibilities to the public, their clients, and colleagues, including responsibilities to keep client information confidential and secure.
- In accordance with best business practices, including practices contained in the Privacy Management Framework (available at aicpa.org/IMTA), a firm should publish its privacy statement on its website.
- Depending on a practitioner’s focus areas, he or she may need to adhere to other privacy requirements. For example, there are specific requirements for health-related information, available at hhs.gov/hipaa/index.html.
As the IRS has noted, combating today’s cybercriminals requires everyone to work together. Practitioners play a significant role in data security and should continue to assess, improve, and document their processes to keep client data safe.
FOR PROFESSIONAL MANAGED IT AND SECURITY SERVICES CALL NOW: (855) 551-7760
Protect your financial service firm from cyberthreats
For tax practitioners, that security plan should include knowing if their information technology (IT) provider understands and can implement the necessary cybersecurity measures to protect them and their clients. By outsourcing your information technology needs to a professional Managed IT Services company, you get more than just tech support. Take advantage of our Virtual CIO Services, Managed Security Services, Computer Network Systems integration and support, compliance services, and IT Consulting.