The IRS chose the last day of National Tax Security Awareness Week to focus on why it’s important for a tax office to develop an office security plan.
Throughout the week, the IRS has described online shopping scams, phishing scams, and business identity theft scams that threaten taxpayers and paid tax return preparers alike. But the tax industry isn’t just one fish caught in fraudsters’ nets; tax professionals are a prime target for identity thieves because they handle a lot of financial data. To underscore that point, the IRS pointed out that it receives “five to seven reports per week from tax firms that they have experienced a data theft.” Not only are tax pros frequently targeted by scams, but those scams are often successful.
Remember, successfully breaching a tax office database can provide personally identifiable information (PII) for thousands of taxpayers, and—aside from making it easier for criminals to apply for bank loans and credit cards—that data can be used to file fraudulent tax returns. If cybercriminals have access to a tax office’s tax preparation software, it’s much more likely that those bogus returns will appear legitimate to the IRS.
Aside from the risk posed to a tax professional’s business and clients from cybercriminals, there’s another really important reason to develop an office security plan: the Federal Trade Commission’s Safeguards Rule.
As the IRS points out, “the Gramm-Leach-Bliley Act of 1999 requires all financial institutions, which it also defines as professional tax preparers, to create and maintain information security plans.” The FTC, it notes, is the agency charged with overseeing these rules, placing a legal requirement for developing a written security plan squarely on paid tax return preparers’ shoulders.
Unfortunately, those who have never created a written security plan may not know how to approach this type of project. The IRS notes that experts in the Security Summit recommend tax professionals consult a cybersecurity expert, but it lists the following “basic security steps” to jump-start the process:
- Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider or cloud storage provider. Never open a link or any attachment from a suspicious email. Remember: The IRS never initiates initial contact with a tax pro via email.
- Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
- Review internal controls:
  - Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
  - Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
  - Encrypt all sensitive files/emails and use strong password protections.
  - Back up sensitive data to a safe and secure external source not connected full time to a network.
  - Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
  - Limit access to taxpayer data to individuals who need to know.
  - Check IRS e-Services account weekly for number of returns filed with EFIN.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
- Stay connected to the IRS through subscriptions to e-News for Tax Professionals, Quick Alert, and Social Media.
Tax professionals looking for other resources can visit the Downloads page on the Taxing Subjects blog, where they’ll find the Drake Software Tax Office Security Plan: a series of sample worksheets that are free to download.
The final National Tax Security Awareness Week press release also included a series of bullet points instructing readers on how to spot data theft and report data loss. If you want to continue reading about data security, visit IRS.gov and follow @IRStaxsecurity on Twitter.
Source: IRS Newswire