Checklist: the 24 steps to prevent and, if necessary, respond to breaches.
By Amy Welch
Last year, there were nearly 90,000 reports of tax identity theft, according to the Federal Trade Commission.
In fact, in June, an IRS agent admitted to stealing someone’s identity. Law360.com reported Special Agent Bryan Cho, 49, pled guilty to aggravated identity theft and wire fraud in a Brooklyn district court. It appears anyone can be a criminal!
It’s also important to note that protecting taxpayer data is the law. According to the FTC Safeguards Rule, “Tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation.” Additionally, any “failures that lead to an unauthorized disclosure may subject you to penalties under sections 7216 and/or 6713 of the Internal Revenue Code.”
IRS recommendations for tax practitioners
There are seven security and privacy recommendations listed in IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business:
1 – Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider, a new or existing client, or a cloud storage provider. Never open an embedded link or any attachment from a suspicious email.
2 – Create a written information security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals (NISTIR 7621r1), by the National Institute of Standards and Technology.
3 – Review internal controls.
- Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets, and phones) and keep software set to automatically update.
- Use strong passwords of eight or more characters, use a different password for each account, use special and alphanumeric characters, use phrases, password-protect wireless devices, and use a password manager program.
- Encrypt all sensitive files/emails, especially those with the taxpayer’s personally identifiable information, and use strong password protections.
- Back up sensitive data to a safe and secure external source not connected full-time to a network.
- Make a final review of return information—especially direct deposit information—prior to e-filing.
- Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
- Limit access to taxpayer data to individuals who need to know.
- Check e-file applications and PTIN accounts weekly for total returns filed using EFINs and PTINs, and deactivate unused EFINs.
- Withdraw from any outstanding authorizations (power of attorney/tax information) for taxpayers who are no longer clients.
4 – Report any suspected data theft or data loss immediately to the appropriate IRS Stakeholder Liaison.
5 – Stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts, and social media.
6 – Educate clients about the availability of the Identity Protection PIN for taxpayers.
7 – Review the FTC’s security tips at Cybersecurity for Small Business and Protecting Personal Information: A Guide for Business.
These recommendations will help protect against incidents, but they are not foolproof. Cybercriminals continue to be the primary cause of data breaches, and, no matter how sophisticated we get, thieves are always looking to build better mousetraps. However, most attacks are preventable with proper employee awareness and training, competent IT staff or service providers, and properly designed business processes.
Leading practices for practitioners
According to Daniel Moore, CPA, a tax firm owner and presenter on IRS cybersecurity issues, and Donny Shimamoto, CPA, CITP, CGMA, an expert in cybersecurity risk management for accounting firms, practitioners should include the following checklist in their information security program:
- Administrative: It’s very important to write and follow a written information security plan (WISP) that addresses every item identified in the risk assessment and defines the safeguards you want, as well as the ones you expect affiliates and service providers to follow. Ask service providers to give you a copy of their WISP on safeguarding information. Identify a responsible person to review and approve the WISP, as well as someone to monitor, revise, and test the protocols periodically. Keep a copy of your self-assessment and make sure it is available for any potential reviews.
- Facilities: Next, examine your facility’s security checklist. Create a procedures policy to prevent unauthorized access and unauthorized processes. Protect all places where taxpayer information is located from unauthorized access and potential danger. This includes locking doors to file rooms and computer rooms. Additionally, consider potential threats other than unauthorized access, like natural disasters and civic unrest. You will also need to provide for secure disposal of taxpayer information, such as shredders, burn boxes, or temporary file areas until the files can be securely disposed of.
- Personnel: During the interview process, explain all expected rules and protocols to potential hires. When possible, perform background checks on employees who will come into contact with taxpayer information. Any employee who will have access to taxpayer information should sign a nondisclosure agreement on the use of confidential taxpayer information. Train all employees on access, nondisclosure, and safeguards of taxpayer information, and grant access to taxpayer information only on a need-to-know basis determined by the employee’s role within the firm and the services that the employee provides. You’ll also want to disable access to information for staff who no longer need that information. For any employee who leaves the firm, conduct an exit interview to ensure the employee returns property that normally allows access to taxpayer information, like laptops and keys.
- Backup & recovery: Make sure you back up taxpayer data files regularly and store that information at a secure location. Create written contingency plans to perform critical processing in the event your business is disrupted. For this, you’ll want to protect both electronic and paper taxpayer information systems. Identify staff who will recover and restore the system after a disruption and periodically test your plan. Maintain hardware and software as needed and keep maintenance records.
- Computer system: After you identify which employees are authorized to access electronic taxpayer information systems, assign each a unique identifier or username. Verify each user’s identity and disable usernames after a determined period of inactivity. Implement password management procedures that require strong passwords and periodic password changes. As an added security measure, use multi-factor authentication, like texting a code to someone’s mobile phone, and disable and remove inactive user accounts. Encrypt taxpayer information when attaching it to an email or transmitting it across networks; an even better solution is to use client portals. Lock out system users after three consecutive failed access attempts. Review system logs to monitor for unauthorized access, and regularly update your firewall, intrusion detection, anti-spyware, anti-virus software, and security patches.
- Media: Store computer disks, removable media, tapes, CDs, flash drives, audio and video recordings of conversations and meetings with taxpayers, and paper documents in a secure cabinet or container, and secure the rooms that contain the storage units by making them accessible only with keys or other locking mechanisms. Restrict access to authorized personnel only and, where appropriate, employ an automated mechanism to ensure only authorized access occurs. Shred or burn paper documents before discarding them, and securely wipe or destroy hard drives.
- Certifying information systems for use: On a periodic basis, have an independent consultant or business with relevant security expertise audit your policies and systems. Evaluate the firm’s security plans, controls, and any other safeguards implemented in your business against best practices. Have a report generated from the audit that certifies your business follows best practices. Ensure the report highlights any deficiencies found and ask for recommendations for remediating those deficiencies. Retain a copy of the audit report to ensure it is available for any potential reviews, and be prepared to show how you mitigated risks.
What to do when you experience a data breach
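One way to turn the lockout, inactivity, and log-review items in the computer system bullet above into a routine check, as an added example that is not code from the article, the IRS, or the FTC: the script below reads a small authentication log and reports usernames that hit three consecutive failed attempts, any successful login that occurred after that threshold was reached (a sign the lockout control is not actually being enforced), successful logins by usernames that were never on the authorized list, and authorized accounts with no recent successful login that are candidates for disabling. The log format, the sample log lines, the authorized user list, the 45-day inactivity window, and the review date are all constructed assumptions for this example.

```python
"""Review an authentication log against the account controls in the checklist:
lock out after three consecutive failed attempts, flag logins by usernames
that were never authorized, and list accounts inactive long enough to disable.

Added example; this is not code from the article, the IRS, or the FTC. The
log format and the sample lines below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one authentication event per line.
# Assumed format: ISO-8601 timestamp, username, event (LOGIN_OK or LOGIN_FAIL).
SAMPLE_LOG = """\
2023-03-01T08:02:11 jdoe LOGIN_OK
2023-03-01T08:15:40 asmith LOGIN_FAIL
2023-03-01T08:15:52 asmith LOGIN_FAIL
2023-03-01T08:16:03 asmith LOGIN_FAIL
2023-03-01T08:16:20 asmith LOGIN_OK
2023-03-02T09:10:00 jdoe LOGIN_FAIL
2023-03-02T09:10:30 jdoe LOGIN_OK
2023-03-02T22:41:05 temp_contractor LOGIN_OK
2023-03-03T07:55:12 jdoe LOGIN_OK
"""

# Usernames the firm has authorized for the taxpayer information system (constructed).
AUTHORIZED_USERS = {"jdoe", "asmith", "rlee"}

MAX_CONSECUTIVE_FAILURES = 3           # lockout threshold from the checklist
INACTIVITY_LIMIT = timedelta(days=45)  # assumed firm-chosen "determined period of inactivity"
REVIEW_DATE = datetime(2023, 3, 31)    # constructed date on which the review is run


def parse_line(line):
    """Split one log line into (timestamp, username, event)."""
    ts, user, event = line.split()
    return datetime.fromisoformat(ts), user, event


def review_auth_log(log_text, authorized, review_date, inactivity_limit=INACTIVITY_LIMIT):
    """Return findings keyed by rule name.

    lockouts      - usernames that reached MAX_CONSECUTIVE_FAILURES in a row
    lockout_gaps  - successful logins by a user after the lockout threshold was
                    reached, i.e. evidence the lockout control is not enforced
    unauthorized  - successful logins by usernames not on the authorized list
    inactive      - authorized usernames with no successful login inside the window
    """
    consecutive_failures = defaultdict(int)
    last_success = {}
    lockouts = set()
    lockout_gaps = []
    unauthorized = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, event = parse_line(line)
        if event == "LOGIN_FAIL":
            consecutive_failures[user] += 1
            if consecutive_failures[user] >= MAX_CONSECUTIVE_FAILURES:
                lockouts.add(user)
        elif event == "LOGIN_OK":
            if user in lockouts:
                # A locked account should not log in until an administrator resets it.
                lockout_gaps.append((ts.isoformat(), user))
            consecutive_failures[user] = 0
            last_success[user] = ts
            if user not in authorized:
                unauthorized.append((ts.isoformat(), user))

    inactive = sorted(
        u for u in authorized
        if u not in last_success or review_date - last_success[u] > inactivity_limit
    )
    return {
        "lockouts": sorted(lockouts),
        "lockout_gaps": lockout_gaps,
        "unauthorized": unauthorized,
        "inactive": inactive,
    }


def run_sample_review():
    """Run the review over the constructed sample log with the constructed review date."""
    return review_auth_log(SAMPLE_LOG, AUTHORIZED_USERS, REVIEW_DATE)


if __name__ == "__main__":
    for rule, hits in run_sample_review().items():
        print(f"{rule}: {hits}")
```

On the sample log this reports asmith as locked out and also shows asmith logging in successfully right after the third failure, which is the finding a log review is meant to surface; temp_contractor is flagged because the name is not on the authorized list, and rlee is listed as inactive because the account has never logged in during the window. To use it on a real system, replace parse_line() with one that understands the log format your server or practice management software actually writes, and keep the authorized list in step with the personnel and exit-interview steps above.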
“Having a comprehensive incident response plan and a competent response team is key to minimizing the impact and remediation costs when you have a data breach,” said Shimamoto.
According to the IRS, tax preparers “should immediately report client data theft to their local Stakeholder Liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.”
Additionally, contact the Federal Bureau of Investigation (your local office), the Secret Service (your local office, if directed), and your local police.
A data breach could also affect a victim’s tax accounts with his or her state, so you should also email the Federation of Tax Administrators at statealert@taxadmin.org to get information on how to report the information to the applicable state(s). Additionally, most states require that the attorney general be notified of data breaches.
Of course, you’ll also need to inform your clients. Send an individual letter to all victims to inform them of the breach, but work with law enforcement on timing. Clients should complete IRS Form 14039, Identity Theft Affidavit, only if they receive a notice/letter from the IRS or their e-filed return is rejected because of a duplicate Social Security number. Your clients may also want to notify credit reporting agencies.
Notify your insurance company to report the breach and see if your insurance policy covers data breach mitigation expenses. Cyber-liability insurance can help with responding to and remediating a breach and can also offset the costs associated with a breach. However, use caution when evaluating coverages and comparing prices. Coverage may include liability for security and privacy breaches; costs associated with a breach (such as consumer notification, customer support, and the cost of providing credit monitoring services); costs associated with restoring, updating, or replacing business assets stored electronically; costs associated with third-party litigation and damages; business interruption and extra expenses; liability associated with libel, slander, and reputational damages; and expenses related to cyber-extortion or cyber-terrorism. Learn more from the National Association of Insurance Commissioners.
Next, have your incident response team ready. Internally, you need your lead executive, privacy officer, legal counsel, CFO or controller, HR, and IT. Externally focused team members will include your public relations or crisis management team, customer communications, customer support, and external legal counsel in the event of litigation.
Your incident response checklist will include the following:
- Record the date and time.
- Alert and activate all appropriate staff.
- Secure the premises.
- Stop additional data loss.
- Interview those involved.
- Document everything.
- Review protocols.
- Assess priorities and risks.
- Bring in your forensics firm.
- Notify law enforcement.
A good incident response plan includes both technical and business procedures. Review the incident response plan annually and talk through it with all parties involved. Be sure to update it whenever your IT environment changes or key staff change.
Managing your cyber risks is key
While leaders and security experts continue to evolve protective measures to lessen the threat of tax identity theft, tax preparers must take precautions to shield themselves and their clients, not only because it’s the right thing to do, but because it’s also the law. Firms can employ added procedures that will help insulate their business even further. This is one case where an old adage really holds true: an ounce of prevention is worth a pound of cure.
Amy Welch, APR, CAE, is a principal consultant with IntrapriseTechKnowlogies LLC. She has more than 20 years of public relations experience. For 17 years, Amy served as the vice president of communications for the Oklahoma Society of CPAs, where she was the managing editor of the magazine and served as staff liaison to multiple committees over the years, including accounting careers, financial literacy, public relations, liaisons with educational institutions, educational foundation, past chairmen’s council, and more. She has also worked for newspapers, TV stations, radio stations, and the public affairs office at a military base.
Amy volunteers for the Oklahoma Jump$tart Coalition, Junior Achievement, YWCA-OKC, and the Oklahoma Council on Economic Education. She’s won awards from the Oklahoma Society of Association Executives for excellence in innovation and excellence in community development and service, and was on the team that won the first Zenith Award from the Oklahoma City chapter of the Public Relations Society of America for first place in campaigns.
A lifelong learner, Amy is currently studying to earn the Certified Fund Raising Executive (CFRE) certification. She’s also undergoing crisis and trauma training to assist victims of domestic and sexual assault.