The IRS reminds professional tax preparers that the Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires certain financial entities – including professional tax return preparers – to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and its “Safeguards Rule” regulations.
- Learn to recognize phishing emails, especially those pretending to be from the IRS, a tax software provider, cloud storage provider or state tax agencies. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax professional via email.
- Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
- Review internal controls for their business:
  - Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
  - Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
  - Encrypt all sensitive files/emails and use strong password protections.
  - Back up sensitive data to a safe and secure external source not connected full time to a network.
  - Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
  - Limit access to taxpayer data to individuals who need to know.
  - Check IRS e-Services account weekly for number of returns filed with EFIN.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert and Social Media.
The importance of these basic steps was highlighted yet again this year when a sophisticated cybercriminal gang breached numerous practitioner offices by gaining remote control access to computers and stealing taxpayers’ 2016 tax information.
The thieves used that information to file 2017 tax returns using all of the taxpayers’ real data, including their bank accounts for direct deposit.
The thieves then called the taxpayers, trying to trick them into returning the fraudulent refunds. In some cases, the thieves had stolen so much information, they could access the clients’ bank accounts online and steal the fraudulent refunds. In many cases, the tax professionals never even knew their client data was stolen.
By taking the steps outlined here and in Publication 4557, tax professionals can help prevent the common tactics used by cybercriminals. But even with the strongest security measures, the key to good security is an individual trained and alert to potential risks and threats.
July 10th marks the start of the 2018 IRS Nationwide Tax Forums. Data security will be featured prominently at all five Tax Forums, including a workshop by cyber experts.