Under the authorization of the Gramm-Leach-Bliley Act (1999), the Federal Trade Commission created the “Safeguards Rule.” The Safeguards Rule requires businesses offering financial services or products, including professional tax preparers, to secure and maintain the confidentiality of their customers’ information. Although the Safeguards Rule has been in effect since 2003, until fairly recently there has been minimal awareness about and compliance with the Rule by smaller tax preparers -- notwithstanding the FTC’s extensive guidance. (See the FTC’s guidance here.)
IRS Security Summit & Guidance
Alarmed by the escalating criminal activity which exploits taxpayer information, in March 2015 the IRS established the Security Summit, consisting of IRS officials, state tax agencies and private sector tax industry representatives. The key objective of the Summit is to assist tax preparers in combating the misappropriation of taxpayer information and complying with the FTC Safeguards Rule. In June 2018, the IRS Electronic Tax Administration Advisory Committee (ETAAC) noted that “far fewer than half of tax professionals are aware of their responsibilities under the FTC Safeguards Rule and that even fewer professionals…have implemented required security practices.”
Accordingly, the IRS and the FTC have taken a heightened interest in compliance with and enforcement of the Safeguards Rule. In 2018 the IRS published a number of documents to help tax preparers comply with the Rule. (See Safeguarding Taxpayer Data. This publication is particularly helpful and contains valuable checklists. See Protect Your Clients; Protect Yourself. Also see U.S. Department of Commerce, National Institute of Standards & Technology’s Small Business Information Security.)
IRS Concerns Result in More Guidance
In July 2019, still concerned about a lack of compliance with the Safeguards Rule, the IRS and the Summit urged tax preparers to — during their slower season — assess their security policies and review security steps to ensure adequate measures are in place to fully protect sensitive taxpayer information. In conjunction with its efforts to promote compliance, the IRS published further guidance known as “Taxes-Security-Together.”
These recommendations are broken down into five steps. Each is summarized below, and the links to the IRS publications are in the headings. Each step is designed to help tax preparers improve their compliance with the Safeguards Rule, but these steps can also help CPA firms manage many of their cyber liability risks.
Step 1 - Deploy the “Security Six”
- Install anti-virus software utilizing automatic scans and manual scans during high threat periods.
- Utilize hardware and software firewalls.
- Require two-factor authentication (e.g., password and security code sent via text message).
- Contract for external backup software and retrieval services.
- Ensure hard/solid state drive encryption.
- Implement a virtual private network.
Step 2 - Create a data security plan complying with the Safeguards Rule
- Designate one or more employees to coordinate the firm’s information security program.
- Identify and assess the risks to client information in each relevant area of the firm’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program and regularly monitor and test it.
- Select service providers that can maintain appropriate safeguards, make sure the provider contract requires them to maintain safeguards, and oversee their handling of client information.
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
Step 3 - Educate yourself on phishing emails
- More than 90% of all data thefts start with a phishing email.
- Educated employees are the key to avoiding phishing scams, and office systems are only as safe as the least informed employee.
- Use separate personal and business email accounts; protect email accounts with strong passwords and two-factor authentication if available.
- Install an anti-phishing tool bar to help identify known phishing sites. Anti-phishing tools may be included in security software products.
- Use security software to help protect systems from malware and scan emails for viruses.
- Never open or download attachments from unknown senders, including potential clients; make contact first by phone, for example.
- Send only password-protected and encrypted documents if files must be shared with clients via email.
- Do not respond to suspicious or unknown emails.
Step 4 - Recognize the signs of client data theft
- Client e-filed returns begin to be rejected by the IRS or state tax agencies because returns with their Social Security numbers were already filed.
- Clients who have not filed tax returns begin to receive taxpayer authentication letters from the IRS to confirm their identity for a submitted tax return.
- Clients who have not filed tax returns receive refunds.
- Clients receive tax transcripts that they did not request.
- Clients who created an IRS Online Services account receive an IRS notice that their account was accessed or IRS emails stating their account has been disabled. (Note: The IRS does not email taxpayers.)
- Clients unexpectedly receive an IRS notice that an IRS online account was created in their names.
- The number of returns filed with the tax professional’s Electronic Filing Identification Number (EFIN) exceeds the number of clients.
- The tax preparer or clients receive responses to emails that the tax preparer did not send.
- Network computers are running slower than normal.
- Computer cursors move or numbers change without anyone touching the keyboard.
- Network computers are locking out firm employees/contractors.
Step 5 - Create a data theft recovery plan
- Contact the IRS and law enforcement. Report client data theft to local IRS Stakeholder Liaisons, who will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical.
- Contact states in which the tax professional prepares state returns. Any breach of personal information could have an effect on the victim’s tax accounts with the state revenue agencies as well as the IRS.
- Contact security experts. Security experts can help determine the cause and scope of the breach as well as stop the breach and prevent further breaches from occurring.
- Contact the insurance carrier. Check if the insurance policy covers data breach mitigation expenses.
- Contact clients. At a minimum, send an individual letter to all victims to inform them of the breach. Advise them regarding the potential impact of the breach, as well as the corrective action the firm plans to take.
- Comply with state regulations. Each state has its own regulations regarding data breaches (e.g., notification, impact/scope analysis, remediation, etc.). While similar, there are state-by-state variations that tax preparers need to understand and follow.
There is no doubt that the IRS has become very serious about compliance with the Safeguards Rule – as it should be. The sophistication of cybercriminals and the escalation of cyberattacks have reached crisis proportions; a tax preparer’s electronically stored client information is a perfect target for cybercriminals. Not only is compliance with the Safeguards Rule a legal requirement for tax preparers, it really is a business imperative.
Clients should be able to trust that their tax preparers have taken the proper steps to secure their information and comply with the data security laws. Consider including a statement in your engagement letters confirming that your firm’s information security measures conform with the Safeguards Rule — assuming they do, of course. It is likely to raise clients’ comfort level. In addition, in the event of a data breach, compliance with the Safeguards Rule will be a very important defense to a client’s allegation that the tax preparer was negligent in protecting the client’s data. In fact, failure to comply with the Rule will likely put the tax preparer in the position of proving it was not negligent, rather than having that burden rest with the client. Further, if tax preparers have cyber insurance — which they should — neglecting to conform to the Safeguards Rule may well be the basis for the insurance carrier to deny a claim, as compliance with applicable laws is usually a prerequisite for coverage.
While not all tax preparers are accounting firms, nearly all accounting firms prepare tax returns, and on that basis CPA firms should be implementing the Safeguards Rule. Firms that provide client accounting services or wealth advisory services are particularly vulnerable to cyberattacks, as they typically maintain and have access to client financial records and accounts. In other words, nearly all accounting firms are subject to the Safeguards Rule, and compliance is universally in order.
This article references and links to multiple sources of help on meeting the requirements of the Safeguards Rule. There is a wealth of additional and detailed resources available from the IRS, FTC, consultants and data security service providers. Now is the time to embrace Taxes-Security-Together.
About the Author. R. Peter Fontaine is the managing partner of NewGate Law, which provides legal and risk management services exclusively to the accounting industry. NewGate Law is a Risk Management Partner of CPA Mutual. Peter can be reached at (312) 626-2791 or at email@example.com. Or visit the NewGate Law website – newgatelaw.com.