Security Breach: Is Your Practice the Next Target?
With identity theft being the fastest-growing crime in America and cybercriminals specifically targeting tax professionals, chances are your practice could be the next target of a security breach.
According to the IRS, cybercriminals worldwide are actively targeting tax professionals in an effort to steal taxpayer information that would allow them to file fraudulent tax returns for refunds. One notable scheme as identified by the IRS, which ultimately resulted in the launch of the “Protect Your Clients; Protect Yourself” campaign, is the “remote takeover scheme.” This scheme involves the cybercriminals actually taking control of the tax professional’s computer to e-file fraudulent tax returns and direct the refunds to the criminals’ own account.
In addition to the remote takeover scheme, many email phishing schemes targeting tax professionals continue to be on the rise.
There are a growing number of laws and regulations that cover the privacy and security of taxpayer information. The IRS defines taxpayer information as any information furnished in any form or manner (e.g., on paper, verbally, electronically, in person, or over the telephone) by or on behalf of a taxpayer for preparation of his or her return. It includes, but is not limited to, a taxpayer’s name, address, identification number, income, receipts, deductions, exemptions, and tax liability.
The Federal Trade Commission (FTC) Safeguards Rule provides that companies defined under law as financial institutions are required to develop a written information security plan to safeguard taxpayer information. According to the rule, financial institutions include professional tax preparers and service providers who are significantly engaged in providing financial products or services. Companies covered by the Safeguards Rule are also responsible for taking steps to ensure that their affiliates and service providers safeguard taxpayer information in their care.
Should your business experience a security breach – whether by cybercriminals, theft, or accident – response time is critical. If reported quickly, steps can be taken immediately to put measures in place to mitigate the impact and the risks of the security breach on affected parties, including the business itself.
The FTC and the IRS require businesses and tax professionals to take the following steps in the event of a security breach:
1. Notify law enforcement. Contact the FTC and your local police department immediately to report the security breach and the potential risk for identity theft. If the local police department is not familiar with handling security breaches involving stolen data, the local FBI office or the US Secret Service field office should be contacted.
2. Notify the IRS. Contact the IRS Stakeholder Liaison local office that services the area where the breach occurred.
3. Notify states in which you prepare tax returns. Contact the state department of revenue and the state attorney general’s office for each state in which you prepare returns.
4. Notify three major credit bureaus. Contact Equifax, Experian, or TransUnion to notify them of the compromise and that your clients may seek their services.
5. Notify your clients. Send a letter notifying the affected clients of the breach according to federal and state-specific requirements. Note: Each state’s requirements are different depending on the number of affected parties.
With cybercriminals becoming more and more sophisticated in their schemes to steal your clients’ information, your practice could be the next target. Knowing what to do and acting quickly will help mitigate the potential impact on your clients and your practice.