IRS Releases Part 4 and 5 of a Five-Part Security Summit Tips for Tax Professionals during COVID-19

This article wraps up the last of the Security Summit’s five-part series called Working Virtually: Protecting Tax Data at Home and at Work. As a refresher, the Security Summit is made up of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials. The impetus for releasing this five-part series was to equip tax practitioners with specific strategies to assess and secure their home and office data, due to the fact that many tax professionals are not working from home. This article explains the fourth and fifth tips that the Security Summit issued. The fourth tip reminds tax practitioners to be alert of and avoid phishing scams. The fifth tip reminds tax professionals that federal law requires them to have a written information security plan. The Security Summit further recommends that practitioners create an emergency response plan if they experience a data theft.

Tip 4: Avoiding Phishing Scams
What should tax practitioners be on the lookout for to spot potential phishing scams? First, phishing emails can have an urgent message. For example, cybercriminals can send an email impersonating human resources or an administrator asking for the recipient to update their password or other personal information by clicking on a link. The link will then take the individual to a fake site that feigns the appearance of a trusted source requesting them to insert personal information. Or, the email could contain an attachment for the recipient to click on that instead downloads malware on their computer. Now cybercriminals are capitalizing on COVID-19 fears by presenting themselves as providers of face masks or personally protective equipment in short supply. Tax professionals should beware of emails from criminals posing as potential clients. Tax practitioners should thus stay vigilant in scanning all emails and urge on the side of caution rather than clicking on any email attachment or any link in an email. When in doubt, taxpayers and tax preparers can forward suspicious emails posing as the IRS to [email protected].

Lastly, because phishing scams are commonplace, and often successful, the Security Summit urges tax professionals to educate all office personnel about the dangers and risks of opening suspicious emails – especially during the COVID-19 period.

Tip 5: Make a Plan for Protecting Data and Reporting Theft
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley ACT, requires that tax professionals have a written security plan in place to safeguard their client’s tax data. This federal law is administered and enforced by the Federal Trade Commission (“FTC”). The FTC underscores that a tax preparer’s security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Therefore, a security plan for a solo tax practitioner would differ from a global firm’s security plan. On the other hand, the FTC does have requirements that apply to all tax companies, irrespective of their size and complexity.

Each tax institution must:
● Designate one or more employees to coordinate its information security program;

● Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate its effectiveness of the current safeguards for controlling these risks;

● Design and implement a safeguards program, and regularly monitor and test it;

● Select service providers that can maintain appropriate safeguards, making sure the contract requires them to maintain safeguards, and oversee their handling of customer information; and

● Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Failure to have a data security plan may result in an FTC investigation. The IRS may also treat a violation of the FTC safeguards rule as a violation of the IRS Revenue Procedure 2007-40 which stipulates the rules for tax professionals participating as an Authorized IRS e-file Provider.

On July 10, 2019, the IRS created this youtube video to reiterate that all tax preparers must have a written security plan. The video also reiterates the basic requirements for how tax preparers can safeguard taxpayer data. And, as an additional tool, you can revisit the “Taxes-Security-Together” Checklist the Security Summit rolled out during the 2019 summer as a starting point for analyzing office data security. You can also look at IRS Publication 4557, Safeguarding Taxpayer Data (PDF), which details critical security measures that all tax professionals should enact. Finally, the Security Summit noted that the FTC is currently re-evaluating the Safeguards Rule and has proposed new regulations. Therefore, tax preparers should be alert to any changes in the Safeguards Rule and its effect on the tax preparation community.

Creating a Data Theft Response Plan; Report Data Thefts to the IRS
The Security Summit also recommends that all tax practitioners create a response plan so that they have steps in place should they experience a data theft. If a client or the tax firm are the victim of data theft, the Security Summit states that they should immediately:

● Report it to the local IRS Stakeholder Liaison. Stakeholder Liaisons will notify IRS Criminal Investigation and others within the agency. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist through the process.

● Email the Federation of Tax Administrators at [email protected]. Get information on how to report victim information to the states. Most states require that the state attorney general be notified of data breaches. This notification process may involve multiple offices.

Cyber attackers could also steal a tax practitioner’s identity too. Tax practitioners should
regularly check their IRS e-Services e-File Application to see a weekly count of tax returns filed with their Electronic Filing Identification Number (“EFIN”). Excessive filings are a sign of data theft. E-file applications should also be kept up to date. Circular 230 practitioners also can review weekly the number of tax returns filed using their Preparer Tax Identification Number (“PTIN”). Excessive filings are also a sign of data theft.

As always, tax professionals should take advantage of the additional resources the IRS provides related to security recommendations and questions in Publication 4557 Safeguarding Taxpayer Data (PDF), as well as the National Institute of Standards and Technology (NIST’s) Small Business Information Security: The Fundamentals (PDF).