Why Tax Preparers Need Better Data Security

Sep 10th 2018

Here’s a legal update for tax preparers: If you haven’t established security practices to protect your clients’ data, that failure could result in an investigation by the Federal Trade Commission (FTC).

What’s more, the IRS can treat a violation of the FTC Safeguards Rule. That procedure sets rules for tax professionals who participate as authorized IRS e-file providers.

The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley (GLB) Act, gives the FTC the authority to set information safeguard regulations for various entities, including professional tax preparers.

In the first link above, the definition of “financial institution” includes businesses that may not typically describe themselves that way. Indeed, the safeguards rule applies to all businesses, no matter their size, that are “significantly engaged” in providing financial products or services.

That includes check-cashing businesses, payday lenders, mortgage brokers, nonbank lenders, personal property or real estate appraisers, courier services, credit-reporting agencies, and ATM operators that get information about the customers of other financial institutions, and tax preparers.

Besides developing their own precautions, companies covered by the safeguards rule are responsible for taking steps to ensure that their affiliates and service providers safeguard customer information in their care. Further, members of the IRS Electronic Tax Administration Advisory Committee (ETAAC) in June noted that they believe “far fewer than half of tax professionals are aware of their responsibilities under the FTC Safeguards rule and that even fewer professionals … have implemented required security practices.”

The information security plan required by the FTC must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. That means, according to the FTC, that each company must:

• Designate one or more employees to coordinate its information security program

• Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks

• Design and implement a safeguards program and regularly monitor and test it

• Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information

• Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring

The FTC says the requirements are designed to be flexible so that companies can implement safeguards appropriate to their own circumstances. The safeguards rule requires companies to assess and address the risks to customer information in all areas of their operations.

The IRS notes that the safeguards rule requires companies to assess risks to client data in three key areas: employee management and training, information systems, and detecting and managing system failures.

For example, the FTC recommends in its disposal rule the following four strategies to protect client data:

• Designate or hire a records retention manager to supervise the disposal of records that contain customer information. If that involves an outside company, due diligence beforehand should include checking references or requiring that the company be certified by a recognized industry group.

• Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.

• Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.

• Monitor the websites of software vendors and read relevant industry publications for news about emerging threats and available defenses.

Replies (3)


CT Bookkeeper
By balancedbooksbyjoe
Sep 19th 2018 06:14 EDT

Thanks for sharing this Terry, security is only going to get more and more important as time goes on and financial advisers need to take note. I wonder if the IRS would ever go as far as the GDPR updates in Europe?

Thanks (0)
By Shaffer159
Sep 25th 2018 07:45 EDT

How to describe in any notice to clients?
How it happened, what information was taken and what actions have been taken to remedy the situation.

Thanks (1)
By James O'Brien
Dec 18th 2018 11:12 EST

How will compliance with the GLB Act be impacted when quantum computers render most forms of the encryption in use today useless?

Thanks (0)