After the Hack
What Should You Do if Your Office Data is Hacked?
Over the past months, we’ve shared a lot of information with you about how best to defend your office from a data breach or some other security incident. But what happens if the unthinkable happens? You know – someone gains access to your personal, professional or client data and steals it. Then what?
The Internal Revenue Service has a definite game plan for tax pros who experience a data breach. Recovery starts at the federal level.
- Internal Revenue Service - Report client data theft to your local IRS Stakeholder Liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
- Federal Bureau of Investigation – Contact your local office (check your phone book).
- Secret Service – Contact your local office (if directed).
- Local police – File a police report on the data breach.
Next, alert the state tax agencies and the Attorney General’s office of each state in which you do taxes. Most states require the Attorney General be notified of data breaches involving taxes.
When it comes to contacting clients, the IRS says there are a number of options – and help from other agencies that can make the task a little easier.
- Federal Trade Commission – Offers tips and templates for businesses that suffer a data compromise, including suggested language for informing clients.
- Clients – Send an individual letter to victims to inform them of the breach, but work with law enforcement on timing. Remember that you may need to contact former clients if their prior year data was still in your system.
- Your web site/client portal provider(s) – It’s possible that your firm and client passwords may have been compromised and need to be reset.
- Credit/ID theft protection agency - Certain states require offering credit monitoring/ID theft protection to victims of ID theft.
- Credit bureaus – Notify them if there is a compromise of data. Clients may seek their services.
If you think your EFIN was stolen, or your credentials for either your EFIN or your software were stolen, call Drake Software Support at (828) 524-8020. Our Support team can help by temporarily barring access to the compromised account, reviewing account access, and reviewing the returns submitted through the account. (REMINDER: When reporting a data breach, no actions can be taken on any account unless the account owner makes the call to Support.)
There are a couple more stops to think about when recovering from a data breach. One is to call your insurance company to see if they cover the costs of breach mitigation. You may also want to enlist the services of a data security specialist to find out exactly what was accessed – and how best to make sure it doesn’t happen again.
The IRS reminds tax preparers that the folks manning their toll-free phone banks can’t accept third-party notification of a tax-related identity theft. Clients should file Form 14039, Identity Theft Affidavit, but only if their e-filed return is rejected as a duplicate – or if they are directed to file one.