How Tax Pros Can Protect Clients From Cyberattacks
The Internal Revenue Service’s Inspector General was just quoted as saying that data security was their leading challenge. It’s not surprising.
Data breaches have unfortunately become the norm. Large entities might have more measures in place or the resources to recover from a breach, but for many businesses, a cyber-attack is the end of their customers’ trust and the costs to clean up from such a disaster make it nearly impossible to recover.
For tax professionals and their firms who hold data that cyber-criminals are eager to get their hands on, a data breach and its ripple effect would be devastating. Those who hold taxpayer information - from Social Security numbers to addresses and precious financial information - hold some of the most sensitive information.
In response to attacks on tax professionals, and recognizing the gravity of the situation if a tax professional or firm were to be breached, the IRS has banded together with state tax agencies and tax industry groups all over the country to rally behind one core mission: securing taxpayer information against data theft.
The agency created the “Security Summit,” which brings together the IRS, state tax agencies and the tax community, as well as software developers and payroll and tax financial product processors, to help promote the importance of remaining cyber-vigilant for any organization that is in possession of taxpayer information.
One of the products of the Security Summit partners is the “Taxes Security Together Checklist” series released by the agency. The checklists give tax professionals five core action items to take into account when handling taxpayer data:
• Deploy the “Security Six” measures, including activating anti-virus software, using a firewall, opting for two-factor authentication for additional protection, using backup software or services, using drive encryption, and creating and securing Virtual Private Networks
• Create a data security plan
• Educate yourself – and staff – and be alert to key email scams
• Recognize the signs of client data theft
• Create a data theft recovery plan
According to the agency, cyber-criminals continue to evolve in order to find more sophisticated means of attacking organizations that hold taxpayer information. In its recent notice, Publication 4557, “Safeguarding Taxpayer Data: A Guide for Your Business,” the IRS reiterates that data theft at the offices of tax professionals continues to rise and that protecting taxpayer data is the law.
The Federal Trade Commission (FTC), under federal law, has the ability to outline data safeguard regulations for professional tax return preparers. As of now, the FTC Safeguards Rule requires that tax return preparers both create and implement security plans in order to protect their clients’ data or face a potential FTC investigation.
The FTC requires that these plans be appropriate for the firm’s “size and complexity,” and recommends that companies appoint one or more of their employees to handle the coordination of the information security program. In its Safeguarding Taxpayer Data guide, the IRS also outlines several important action items for tax professionals to consider when starting their journey of cyber-safety.
For example, the IRS recommends taking basic security steps such as learning how to recognize phishing emails or reviewing internal controls such as security software or passwords that might need strengthening. The guide also recommends backing up sensitive data and destroying old hardware that might contain sensitive data.
Tax-related identity theft remains one of the agency’s top cybersecurity concerns, and can involve a cyber-criminal stealing a taxpayer’s Social Security number (SSN). This is the taxpayer information that cyber-criminals are ultimately after. In the event that the perpetrator of a cyber-attack breaches a tax professional’s network and obtains taxpayer information, such as an SSN, the opportunities are endless for the criminal to hold the data for ransom, engage in identity theft, use the information to file fraudulent tax returns or worse.
This lends itself to a separate action item outlined in the Safeguarding Taxpayer Data guide, which recommends that tax professionals “protect stored client data.” In order to protect stored client data, the IRS recommends performing a risk assessment and inventory of all company devices where client tax data might be stored, backing up encrypted copies of client data to external hard drives and using drive encryption to lock files and all devices.
Cybersecurity and the planning involved can often be an overwhelming task for many of our nation’s small and medium-sized businesses. The creation of a company’s cybersecurity tools, or even a response plan in the event of a possible breach, can take time and manpower that sometimes a company just doesn’t have. According to the IRS, businesses should strongly consider reaching out to third-party security professionals in order to ensure that their clients’ data is adequately protected.
Regardless of how tax professionals approach their cybersecurity measures, the risk is clear: become cyber-vigilant or remain vulnerable and leave the fate of your business and your clients’ data to chance.
Kathy Petronchak, alliantgroup is Director of IRS Practice & Procedure and former IRS Commissioner of Small Business/Self-Employed Division. She brings 34 years of experience in directing IRS compliance activities and providing tax controversy services; her career includes service...