IRS Provides Data Security Guidance to Tax Professionals
The following notice was recently sent by the IRS to all PTIN holders:
The filing season is over, and you finally have a breather from preparing tax returns. However, your responsibility as a tax preparer doesn’t end on April 15. Data thieves are attempting to compromise your systems and steal your client data year-round. In March we sent you a message on the importance of a data security plan, including tips on hiring a cyber security professional to customize a security plan to protect your clients and protect yourself. Unfortunately, the best laid plans sometimes can’t prevent a data breach. Cybercriminals use sophisticated and ever-evolving techniques to gain access to your systems.
You’ve hired a cyber security professional and implemented a data security plan, but you still have a data breach. What do you do now? What are your next steps? Time is of the essence after a security incident. Immediately after you’ve identified a data breach, you want to begin the process of mitigating its impact. If you experience a data breach, here’s how to report your data loss:
- Contact the IRS and law enforcement:
  - Report client data thefts to your local IRS Stakeholder Liaison. The liaison will notify IRS Criminal Investigation and others within the agency on your behalf. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
  - Federal Bureau of Investigation (FBI), your local office (if directed by IRS)
  - Secret Service, your local office (if directed by IRS)
  - Local police to file a report on the data breach
- Contact the states in which you prepare returns:
  - A breach of personal information could affect the victim’s tax accounts with the states. You should email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on reporting victim information to the states.
  - Also, you may need to contact the State Attorney General for each state where you prepare tax returns. Most states require that the attorney general be notified of data breaches.
- Contact experts:
  - Security expert – to determine the cause and scope of the breach, stop the breach and prevent future breaches.
  - Insurance company – to report the breach and determine if your policy covers data breach mitigation expenses.
- Contact clients and other services:
  - Clients – Send a letter to all victims to inform them of the breach; however, work with law enforcement on timing.
  - Federal Trade Commission – Can help businesses victimized by data thefts, including providing resources on notifying clients that a data loss has occurred.
  - Credit/ID theft protection agency – Some states require offering credit monitoring/ID theft protection to victims of ID theft.
  - Credit bureaus – To notify them of a data compromise since clients may seek their services.
Remain vigilant against cybercriminals by making data security a daily priority, and hopefully you won’t find yourself in the situation of needing to make these contacts. But if you do, the faster you notify the necessary agencies, the better.