Cybersecurity: Best practices and the value of staying informed
In today’s age of ever-increasing digital interconnectivity, cybersecurity has become a topic of great interest throughout various industries. More than ever, tax preparers will need to stay educated and informed on measures that they can take to prevent fraud and security breaches.
Shannon Bond, our VP & Segment Leader for the Preparer Market and a contributing member of the IRS Security Summit, shares insights on how to safeguard your clients’ information and stay informed on best practices for dealing with data breaches and identity fraud.
What’s the risk?
Every tax professional in the US – whether a member of a major accounting firm or the owner of a one-person tax office – is a potential target for highly sophisticated, well-funded and technologically adept cybercriminals around the world.
Their objective: to steal your clients’ data so they can file fraudulent tax returns that better impersonate their victims and are harder to detect.
Their tactics: using email, phone calls or other means to trick you into giving up your computer passwords or e-Services passwords, to steal your EFINs or CAF numbers, or even to take remote control of your entire computer system.
Beyond these tactics, there are other, more widely recognized scams, such as phone calls from someone pretending to be from the IRS and threatening to garnish wages, put liens on homes or freeze accounts. Then there are ransomware attacks, in which hackers compromise all computers on a local network and demand money in return for restoring access.
Protecting client data is the law
FTC regulations require professional tax preparers to create and enact security plans to protect client data.
The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. As part of its implementation of the GLB Act, the Federal Trade Commission (FTC) issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.
The definition of “financial institution” includes many businesses that may not normally describe themselves that way. In fact, the Rule applies to all businesses, regardless of size, that are “significantly engaged” in providing financial products or services. This includes, for example, check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, professional tax preparers, and courier services.
According to the FTC, the required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles.
What you need to do
- Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business
- Follow the Federal Trade Commission’s Safeguards Rule
- Review the basic security steps shared by the IRS Security Summit in their “Taxes-Security-Together” Checklist
Have you experienced a data breach? Report it quickly
In the case of a data breach at your organization, contact the IRS and law enforcement as quickly as possible. Reporting promptly helps minimize the fallout and ensures that the appropriate actions are taken. If you suspect a data breach has occurred at your organization, reach out to the following organizations as needed:
- IRS – report client data theft to your local stakeholder liaison
- Local police – to file a police report on the data breach
- FBI – your local office (if directed)
- Secret Service – your local office (if directed)
You will also want to contact states in which you prepare state returns:
- Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states
- State attorneys general for each state in which you prepare returns. Most states require that the attorney general be notified of data breaches
Once that’s been done, contact experts to find out what further steps you can take to mitigate any negative outcomes. It is recommended that you contact:
- Security experts to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring
- Your insurance company to report the breach and to check if your insurance policy covers data breach mitigation expenses
For a complete checklist, see the IRS page Data Theft Information for Tax Professionals.