IRS Security Standards: Safeguarding your client information

To help firms protect their clients from the growing threat of identity theft and fraud, the IRS has enacted new security standards for protecting client data. IRS Publication 4557, Safeguarding Taxpayer Data, presents a comprehensive view of the best practices firms are expected to follow.

To begin with, the IRS recommends a number of safeguards for firms to put in place. These include policies for administrative activities, facilities security and personnel security, as well as information systems and computer systems security policies that may affect the software you use.

Information systems security protects the data in your system. However, a large share of data breaches happen not because the system itself was vulnerable to hacking but because its users were careless with passwords: sharing them, choosing weak ones, or never changing them. That is where computer systems security comes in. As a result of these IRS security standards, your software needs to do more to verify that each user is who they claim to be.

How do the new IRS security standards affect your software? Here’s an overview:

  • Unique Username. First, each user must have their own unique username. Staff should never share IDs, since a shared ID makes it impossible to tell who actually did what.
  • Strong Password. In addition to a unique username, each user should have a strong password that contains upper-case letters, lower-case letters, numbers and special characters, and is at least 8 characters long.
  • Password Expiration. While strong passwords are a good start, users should also change their passwords regularly. The IRS recommends changing passwords every 60-90 days.
  • Inactivity Time Out. To ensure that only authorized users are accessing the system, users who have been inactive for more than 30 minutes should be logged out automatically.
  • 24-hour Re-authentication. If a session stays active for more than 24 hours (because of a batch process, a lengthy export, etc.), users should re-enter their passwords at least once every 24 hours.
  • Bot Detection. Lastly, systems should recognize and block access attempts by web bots and other unauthorized parties.
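The six controls above, as an added example of how a tax-software vendor might enforce them in code. This is not code from the original post or from Wolters Kluwer; the class and function names are my own, the thresholds (8 characters, 90 days as the outer bound of 60-90, 30 minutes, 24 hours) come from the list, and the failed-login lockout used for the bot-detection item, with its threshold of 5 attempts in 15 minutes, is an assumption because the post does not say how bots should be detected.

```python
"""Added example (not from the original post): minimal enforcement of the
IRS-derived login and session controls listed above. Thresholds marked
'assumed' are not given by the post."""
from dataclasses import dataclass

MIN_PASSWORD_LENGTH = 8
PASSWORD_MAX_AGE = 90 * 86400       # post gives 60-90 days; outer bound used here
IDLE_TIMEOUT = 30 * 60              # 30 minutes without a request
REAUTH_INTERVAL = 24 * 3600         # password must be re-entered at least daily
MAX_FAILED_LOGINS = 5               # assumed lockout threshold
LOCKOUT_WINDOW = 15 * 60            # assumed window for counting failures

SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/|~`'\"\\")


def password_problems(password: str) -> list[str]:
    """Return every complexity rule the password violates (empty = compliant)."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


@dataclass
class Session:
    username: str
    password_set_at: float     # when the current password was chosen (epoch seconds)
    authenticated_at: float    # last time the password was actually typed in
    last_activity: float       # last request seen from the user

    def status(self, now: float) -> str:
        """Decide whether a request at `now` may proceed, and record it if so.

        Ordered so the strongest requirement wins: an expired password forces a
        change, then the idle timeout, then the daily re-authentication that a
        long-running export or batch job would otherwise outlive.
        """
        if now - self.password_set_at > PASSWORD_MAX_AGE:
            return "password_expired"
        if now - self.last_activity > IDLE_TIMEOUT:
            return "idle_timeout"
        if now - self.authenticated_at > REAUTH_INTERVAL:
            return "reauth_required"
        self.last_activity = now
        return "ok"


class UserDirectory:
    """Enforces unique usernames and throttles repeated failed logins.

    Passwords themselves are not stored here; a real system keeps a salted hash.
    """

    def __init__(self) -> None:
        self._users: dict[str, float] = {}          # normalised name -> password_set_at
        self._failures: dict[str, list[float]] = {}  # normalised name -> failure times

    @staticmethod
    def _key(username: str) -> str:
        return username.strip().lower()   # 'Alice' and 'alice' are the same account

    def register(self, username: str, password: str, now: float) -> None:
        key = self._key(username)
        if key in self._users:
            raise ValueError(f"username already in use: {username}")
        problems = password_problems(password)
        if problems:
            raise ValueError("weak password: " + ", ".join(problems))
        self._users[key] = now

    def _recent_failures(self, key: str, now: float) -> list[float]:
        return [t for t in self._failures.get(key, []) if now - t < LOCKOUT_WINDOW]

    def record_failure(self, username: str, now: float) -> bool:
        """Record a failed login attempt; return True if the account is now locked."""
        key = self._key(username)
        recent = self._recent_failures(key, now) + [now]
        self._failures[key] = recent
        return len(recent) >= MAX_FAILED_LOGINS

    def is_locked(self, username: str, now: float) -> bool:
        """Locked while MAX_FAILED_LOGINS failures fall inside the sliding window."""
        return len(self._recent_failures(self._key(username), now)) >= MAX_FAILED_LOGINS
```

The sliding window in `record_failure` means an automated guesser that keeps hammering one account stays locked for as long as it keeps failing, while a legitimate user who stops after a few typos regains access once the window passes; the 24-hour check in `Session.status` is what catches the "batch job left running overnight" case the list mentions.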

Additional Information about IRS Security Standards

For more information, the following IRS resources describe these requirements and the steps firms should take.


Wolters Kluwer TAA
