What tax practitioners need to know about cybersecurity
Amy Welch, APR, CAE, IntrapriseTechKnowlogies LLC | October 2021
Editor's note: Updated September 30, 2021
Last year, there were nearly 90,000 reports of tax identity theft, according to the Federal Trade Commission. In fact, in June, an IRS agent admitted to stealing someone’s identity. It appears anyone can be a criminal!
At the 2017 IRS Security Summit, the agency reported a 40% decline in taxpayer reports of identity theft from 2016 and a 32% decline in returns with confirmed ID theft. While the declines appear to indicate we’re improving our security protocols, the threat is still very real, especially for tax preparers.
It’s also important to note that protecting taxpayer data is the law. According to the FTC Safeguards Rule: “Tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation.” Additionally, any “failures that lead to an unauthorized disclosure may subject you to penalties under sections 7216 and/or 6713 of the Internal Revenue Code (I.R.C.).”
IRS recommendations for tax practitioners
There are seven security and privacy recommendations listed in IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business:
- Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider, a new or existing client or cloud storage provider. Never open an embedded link or any attachment from a suspicious email.
- Create a written information security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security — The Fundamentals (NISTIR 7621r1), by the National Institute of Standards and Technology.
- Review internal controls.
- Install anti-malware/antivirus security software and keep software set to automatically update.
- Use strong passwords of eight or more characters, use a different password for each account, use special and alphanumeric characters, use phrases, password-protect wireless devices and use a password manager program.
- Encrypt all sensitive files/emails, especially those with the taxpayer’s personally identifiable information.
- Back up sensitive data to a safe and secure external source not connected full time to a network.
- Make a final review of return information — especially direct deposit information — prior to e-filing.
- Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
- Limit access to taxpayer data to individuals who need to know.
- Check e-file applications and PTIN accounts weekly for total returns filed using EFINs and PTINs and deactivate unused EFINs.
- Withdraw from any outstanding authorizations (e.g., power of attorney/tax information) for taxpayers who no longer are clients.
- Report any suspected data theft or data loss immediately to the appropriate IRS stakeholder liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and social media.
- Educate clients about the availability of the Identity Protection PIN for taxpayers.
- Review the FTC’s security tips at Cybersecurity for Small Business and Protecting Personal Information: A Guide for Business.
These recommendations help protect against incidents, but they are not foolproof. Cybercriminals continue to be the primary cause of data breaches and, no matter how sophisticated we get, thieves are always looking to build better mousetraps. However, most attacks are preventable with proper employee awareness and training, competent IT staff or service providers, and properly designed business processes.
Leading practices for practitioners
According to Daniel Moore, CPA, a tax firm owner and presenter on IRS cybersecurity issues, and Donny Shimamoto, CPA, CITP, CGMA, an expert in cybersecurity risk management for accounting firms, practitioners should include the following checklist in their information security program:
- It’s very important to write and follow a written information security plan (WISP) that addresses every item identified in the risk assessment and defines the safeguards you want, as well as the ones you expect affiliates and service providers to follow. Ask service providers to give you a copy of their WISP on safeguarding information. Identify a responsible person to review and approve the WISP, as well as someone to monitor, revise and test the protocols periodically. Keep a copy of your self-assessment and make sure it is available for any potential reviews.
- Next, examine your facilities security checklist. Create a procedures policy to prevent unauthorized access and unauthorized processes. Protect all places where taxpayer information is located from unauthorized access and potential danger. This includes locking doors to file rooms and computer rooms. Additionally, consider potential threats other than unauthorized access, like natural disasters and civil unrest. You will also need to provide for secure disposal of taxpayer information, such as shredders, burn boxes or temporary file areas until the files can be securely disposed of.
Backup and recovery
- Make sure you back up taxpayer data files regularly and store that information at a secure location. Create written contingency plans to perform critical processing in the event your business is disrupted. For this, you’ll want to protect both electronic and paper taxpayer information systems. Identify staff who will recover and restore the system after disruption and periodically test your plan. Maintain hardware and software as needed and keep maintenance records.
- During the interview process, explain all expected rules and protocols to potential hires. When possible, perform background checks on employees who will come into contact with taxpayer information. Any employee who will have access to taxpayer information should sign nondisclosure agreements on the use of confidential taxpayer information. Train all employees on access, nondisclosure and safeguards of taxpayer information and grant access to taxpayer information only on a need-to-know basis. For any employee who leaves the firm, conduct an exit interview to ensure the employee returns property that normally allows access to taxpayer information, like laptops and keys.
- After you identify which employees are authorized to access electronic taxpayer information systems, assign each a unique identifier or username. Encrypt taxpayer information when attached to an email or when transmitting across networks. An even better solution is to use client portals. Lock out system users after three consecutive failed access attempts. Review system logs to monitor for unauthorized access and regularly update your firewall, intrusion detection, antispyware, antivirus software and security patches.
- Store computer disks, removable media, tapes, CDs, flash drives, audio and video recordings of conversations and meetings with taxpayers in a secure cabinet or container. Secure the rooms that contain the storage units and restrict access to authorized personnel only. Shred or burn paper documents before discarding them and securely wipe or destroy hard drives.
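The lockout and log-review rule above can be checked mechanically. The following Python is an added example, not code from the article or from IRS Publication 4557; it assumes a constructed log format (timestamp, user, source address, result), applies the three-consecutive-failures rule with the counter reset on a successful login, and flags any activity against an account that should already be locked, including a successful login, which would mean the lockout is not being enforced.

```python
import re
from collections import defaultdict

# Constructed sample log lines for illustration; the format is an assumption.
SAMPLE_LOG = """\
2021-09-30T08:01:10 user=jdoe src=10.0.0.5 result=FAIL
2021-09-30T08:01:25 user=jdoe src=10.0.0.5 result=FAIL
2021-09-30T08:01:40 user=jdoe src=10.0.0.5 result=SUCCESS
2021-09-30T08:02:00 user=asmith src=203.0.113.7 result=FAIL
2021-09-30T08:02:05 user=asmith src=203.0.113.7 result=FAIL
2021-09-30T08:02:09 user=asmith src=203.0.113.7 result=FAIL
2021-09-30T08:02:30 user=asmith src=203.0.113.7 result=SUCCESS
2021-09-30T08:03:00 user=asmith src=203.0.113.7 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)
MAX_FAILURES = 3  # the article's rule: lock out after three consecutive failures


def review_auth_log(log_text, max_failures=MAX_FAILURES):
    """Replay an auth log and return (locked accounts, findings for the reviewer)."""
    consecutive = defaultdict(int)  # user -> consecutive failures so far
    locked = {}                     # user -> timestamp the lockout took effect
    findings = []                   # tuples of (kind, user, src, ts)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append(("unparsed", line, "", ""))
            continue
        ts, user, src, result = m.group("ts", "user", "src", "result")
        if user in locked:
            # Any event after lockout deserves review; a SUCCESS means the
            # lockout was not actually enforced by the system.
            kind = "success_on_locked_account" if result == "SUCCESS" else "attempt_while_locked"
            findings.append((kind, user, src, ts))
            continue
        if result == "FAIL":
            consecutive[user] += 1
            if consecutive[user] >= max_failures:
                locked[user] = ts
                findings.append(("locked_out", user, src, ts))
        else:
            consecutive[user] = 0  # a successful login resets the counter
    return locked, findings


if __name__ == "__main__":
    for finding in review_auth_log(SAMPLE_LOG)[1]:
        print(*finding)
```

In the sample, jdoe never reaches three failures in a row, while asmith is locked at the third failure and every later event on that account is reported.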
Certifying information systems for use
- On a periodic basis, have an independent consultant or business with relevant security expertise audit your policies and systems. Have a report generated from the audit that certifies your business follows best practices and highlights any deficiencies found, and ask for recommendations for remediating those deficiencies.
What to do when you experience a data breach
“Having a comprehensive incident response plan and a competent response team is key to minimizing the impact and remediation costs when you have a data breach,” Shimamoto said.
According to the IRS: “(taxpayers) should immediately report client data theft to their local stakeholder liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.”
Also, contact your local police and FBI and Secret Service offices.
A data breach could also affect a victim’s tax accounts with his or her state, so you should also email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report the breach to the applicable state(s). Additionally, most states require that the attorney general be notified of data breaches.
Of course, you’ll also need to inform your clients. Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. Clients should complete IRS Form 14039, Identity Theft Affidavit, only if they receive a notice/letter from the IRS or their e-filed return is rejected because of a duplicate Social Security number. Your clients may also want to notify credit reporting agencies.
Notify your insurance company to report the breach and see if your insurance policy covers data breach mitigation expenses. Cyberliability insurance can help with responding to and remediating a breach and can also offset the costs associated with a breach. However, use caution when evaluating coverages and comparing prices. Learn more from the National Association of Insurance Commissioners (NAIC.org).
Next, have your incident response team ready. Internally, you need your lead executive, privacy officer, legal counsel, CFO or controller, HR and IT. Externally focused team members will include your public relations or crisis management team, customer communications, customer support and external legal counsel in the event of litigation.
Your incident response checklist should include:
- Record the date and time.
- Alert and activate all appropriate staff.
- Secure the premises.
- Stop additional data loss.
- Interview those involved.
- Document everything.
- Review protocols.
- Assess priorities and risks.
- Bring in your forensics firm.
- Notify law enforcement.
Managing your cyber risks is key
While leaders and security experts continue to evolve protective measures to lessen the threat of tax identity theft, tax preparers must take precautions to shield themselves and their clients, not only because it’s the right thing to do, but it’s also the law. Firms can employ added procedures that will help insulate their business even further. This is one case where an old adage really holds true: An ounce of prevention is worth a pound of cure.
Amy Welch, APR, CAE, is a principal consultant with IntrapriseTechKnowlogies LLC. She has more than 20 years of experience in public relations and more than 17 years working with CPAs. You may reach her at firstname.lastname@example.org or 405-838-1307. This article was originally published by CPA Trendlines at