Most CPAs are aware they have a fiduciary responsibility to protect the client information they have been entrusted with, but many do not realize that it is a legal requirement. According to IRS Publication 4557 Safeguarding Taxpayer Data, “protecting taxpayer data is the law.”
On the latest Form W-12, the PTIN application and renewal form, you must confirm that “As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information.” So, what do you need to do to ensure you comply?
A recent IRS Security Summit specifically addressed that question and developed several recommendations and resources to help CPAs secure the tax information they hold. It was recommended that firms adopt the following five criteria.
Whether it’s a large firm or a sole practitioner, the IRS expects every preparer to be aware of six baseline security requirements and to adopt solutions appropriate to the size of their practice.
A written document should outline the implementation of the “Security Six” and ongoing training of firm personnel.
Hackers use fake emails or malicious website downloads to deliver malware such as ransomware and keyboard loggers (which capture your keystrokes, including login credentials) into your systems. The shape of this threat is continuously evolving, so firms should provide ongoing phishing awareness training and bring in a third party to run tests that can identify intrusions.
The IRS also recommends mandatory training to identify signs that the firm’s network or a client’s data has been compromised. Comparing the number of returns your firm has filed electronically with the number shown on the IRS site can reveal whether a hacker has gained access. Similarly, receiving notices that returns have been filed, or transcripts requested, without the preparer’s or client’s knowledge is another indicator of intrusion.
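The reconciliation check the article describes (firm filing records versus what the IRS reports, plus notices nobody can account for) can be scripted once the two sides are in hand. The example below is added here and is not from the article or the IRS; every record in it is constructed sample data, and the field names, the notion of a `submission_id`, and the `irs_reported` list are assumptions standing in for whatever figures a preparer reads off the IRS account view, not an IRS data format or API.

```python
# Added illustration of the reconciliation check: compare the firm's own e-file
# log against the filings the IRS reports under the firm's EFIN, and flag
# anything the firm cannot account for. All data below is constructed; the
# record layout is an assumption, not an IRS format.
from dataclasses import dataclass


@dataclass(frozen=True)
class FiledReturn:
    client_id: str       # firm-internal client reference (constructed)
    tax_year: int
    submission_id: str   # e-file acknowledgement id (constructed placeholder)


# Returns the firm actually submitted, as recorded in its own practice system.
firm_efile_log = [
    FiledReturn("C-1001", 2023, "SUB-A1"),
    FiledReturn("C-1002", 2023, "SUB-A2"),
    FiledReturn("C-1003", 2023, "SUB-A3"),
]

# Returns the IRS shows as filed under the firm's EFIN for the same period,
# transcribed from the IRS account view (constructed; contains one extra entry
# that nobody at the firm prepared).
irs_reported = [
    FiledReturn("C-1001", 2023, "SUB-A1"),
    FiledReturn("C-1002", 2023, "SUB-A2"),
    FiledReturn("C-1003", 2023, "SUB-A3"),
    FiledReturn("C-1999", 2023, "SUB-ZZ"),
]

# Filing / transcript-request notices the firm received, each marked with
# whether a preparer or the client recognises the activity (constructed).
notices = [
    {"id": "N-1", "type": "transcript_request", "client_id": "C-1002", "recognised": True},
    {"id": "N-2", "type": "transcript_request", "client_id": "C-1004", "recognised": False},
]


def reconcile_filings(firm_log, irs_list):
    """Return (counts_match, unexplained): whether the two totals agree, and
    the IRS-side entries with no matching entry in the firm's own log."""
    firm_set = set(firm_log)
    unexplained = [r for r in irs_list if r not in firm_set]
    return len(firm_log) == len(irs_list), unexplained


def unrecognised_notices(notice_list):
    """Notices that neither the firm nor the client can account for."""
    return [n for n in notice_list if not n["recognised"]]


def run_checks(firm_log=firm_efile_log, irs_list=irs_reported, notice_list=notices):
    """Run both checks and return a list of human-readable findings; an empty
    list means the firm's records and the IRS view agree."""
    counts_match, unexplained = reconcile_filings(firm_log, irs_list)
    findings = []
    if not counts_match:
        findings.append(f"filing count mismatch: firm={len(firm_log)} irs={len(irs_list)}")
    for r in unexplained:
        findings.append(
            f"return not in firm log: {r.submission_id} (client {r.client_id}, TY{r.tax_year})"
        )
    for n in unrecognised_notices(notice_list):
        findings.append(f"unrecognised {n['type']}: {n['id']} for client {n['client_id']}")
    return findings


if __name__ == "__main__":
    for line in run_checks():
        print("ALERT:", line)
```

Comparing full records rather than just totals matters: an attacker who files one fraudulent return and a legitimate filing that failed would leave the counts equal while the sets still differ, and the set comparison still surfaces the unexplained submission.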
The IRS also suggests that firms prepare for the worst by having a written data theft recovery plan. It should establish that the firm will immediately notify the IRS if a preparer suspects that taxpayer data has been compromised. This plan should include contacting your professional liability carrier to determine the steps necessary to document and report the breach, as well as other necessary technical and procedural requirements.
In addition to the overall requirements listed above, the IRS has developed several resources and guidelines to help tax preparers understand these responsibilities. Along with Publication 4557, they include:
With virtually all tax information stored in computer networks, communicated over the Internet, and being accessed remotely, it has never been more important for tax preparers to be aware of and implement the requirements to properly secure their networks. Remember: It’s the law!
This article was originally published for AICPA. Copying or distribution without the publisher’s permission is prohibited.