As you rush to prepare for the 2020 tax filing season, build in some time to review your plan for securing your clients’ data — and put it in writing.
It’s the law
Under federal law, you must comply with data safeguard rules set by the Federal Trade Commission (FTC). The FTC’s authority stems from the Financial Services Modernization Act of 1999 (also known as the Gramm-Leach-Bliley Act), which authorized the FTC to set information safeguard requirements for “financial institutions.” The FTC defines that term broadly, and it includes professional tax preparers.
The FTC Safeguards Rule requires tax preparers to implement and maintain a comprehensive written data security plan. As part of the plan, a preparer must:
- Designate one or more employees to coordinate an information security program.
- Identify and assess risks to client data, and evaluate the effectiveness of current safeguards for controlling these risks.
- Design and implement a safeguards program, which is regularly monitored and tested.
- Select service providers that also have appropriate safeguards, and contractually require them to maintain those safeguards.
- Evaluate and adjust the safeguards program to reflect changes in business or operations, or the results of security testing and monitoring.
The FTC says the Safeguards Rule is designed to be flexible. Tax professionals should implement safeguards appropriate to their own circumstances.
Safeguards rule checklist
A comprehensive data security plan requires an in-depth review of your current office procedures. According to the FTC, the required information security plan must be appropriate to the size and complexity of your business, the nature and scope of your business activities, and the sensitivity of the client information you handle. Here’s a checklist of operational areas to review and potential action steps.
Employee management and training
- Check references or do background checks before hiring employees who will have access to taxpayer data.
- Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling taxpayer data.
- Limit access to taxpayer data to employees who have a need to know.
- Train employees to take basic steps to maintain the security of taxpayer data, including locking rooms and file cabinets where records are kept; not sharing or posting passwords in work areas; encrypting client data when it is transmitted electronically; and reporting suspicious attempts to obtain client data.
- Impose disciplinary measures for security policy violations.
- Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names, and taking other appropriate measures.
- Store physical records in a room or cabinet that is locked when unattended.
- Keep computers or servers containing client data in physically secure areas.
- Require employees to use strong passwords to access client data and to change them regularly.
- Avoid storing sensitive client data on a computer with an internet connection if possible.
- Maintain secure backup records and store archived data offline in a physically secure area.
- Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
- Take steps to ensure the secure transmission of customer information.
- Dispose of client information in a secure way — shred papers containing customer information so that the information cannot be read or reconstructed, and destroy or erase data when disposing of computers and electronic media.
Systems and software
- Use anti-virus and anti-spyware software that updates automatically.
- Maintain up-to-date firewalls, particularly if you use a broadband internet connection or allow employees to connect to your network from home or other off-site locations.
- Keep logs of activity on your network and monitor them for signs of unauthorized access to client data.
- Take steps to preserve the security, confidentiality, and integrity of client data in the event of a breach.
Reporting a data breach
Tax practitioners should report data losses or thefts immediately to the IRS so that appropriate precautions can be taken to protect clients from fraudulent returns being filed in their names. A breach should be reported to the IRS Stakeholder Liaison for your area.
All states currently have breach notification laws requiring reporting to the state and to individuals affected by a data breach. You can contact states in which you prepare state returns and email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states. In addition, tax practitioners should contact federal, state, and local law enforcement as appropriate to report a breach.
Editor’s note: Access the Intuit® Tax Pro Center’s library of articles related to fraud and security.