As a tax practitioner, you have a legal obligation to protect your client’s information. That means taking all the necessary measures to make sure that the information you’re given is safe from cybercriminals. The IRS recently sent out information on how to do so through their Don’t Take the Bait campaign, a 1o part series that provides security tips to tax preparers.
“More and more, we see the data held by tax professionals being targeted by national and international criminal syndicates that are highly sophisticated, well-funded and technologically adept. No tax practitioner today can afford to ignore cybersecurity threats or overlook putting in place strong safeguards.” – IRS Commissioner John Koskinen.
Your Legal Obligations 
If you handle taxpayer information, you may be subject to the Gramm-Leach Bliley Act (GLB Act) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rules. That means you must take the following steps to protect taxpayer information.
- Take responsibility or assign an individual or individuals to be responsible for safeguards.
- Assess the risks to taxpayer information in your office, including your operations, physical environment, computer systems and employees, if applicable. Make a list of all the locations where you keep taxpayer information (computers, filing cabinets, bags, and boxes taxpayers may bring you).
- Write a plan of how you will safeguard taxpayer information. Put appropriate safeguards in place.
- Use only service providers who have policies in place to also maintain an adequate level of information protection defined by the Safeguards Rule.
- Monitor, evaluate and adjust your security program as your business or circumstances change.
For more information, check out IRS Publication: Safeguarding Your Taxpayer Data.
IRS Tips
The IRS recommends reading up on Publication 4557 and NIST’s Small Business Information Security. Here are their tips for protecting clients and businesses from cybersecurity threats.
Identify:
- Identify and control who has access to business information
- Conduct background checks
- Require individual user computer accounts for each employee
- Create policies and procedures for information security
Protect:
- Limit employee access to data and information
- Install Surge Protectors and Uninterruptible Power Supplies (UPS)
- Patch operating systems and applications
- Install and activate software and hardware firewalls on business networks
- Secure wireless access point and networks
- Set up web and email filters
- Use encryption for sensitive business information
- Dispose of old computers and media safely
- Train employees
Detect:
- Install and update anti-virus, spyware and other malware programs
- Maintain and monitor logs
Respond:
- Develop a plan for disasters and information security incidents
Recover:
- Make full backups of important business data/information
- Make incremental backups of important business data/information
- Consider cyber insurance
- Make improvements to processes, procedures and technologies
Now is a great time to look over your protocols before tax season. Protecting taxpayer information should be top of mind as cybersecurity threats continue to increase. In addition to protecting client information, you should also make sure you’re covered in the event of a data breach.
More great reads:
Protect Yourself and Clients From Cybercrime