Know when and how to report taxpayer information security breaches


For TaxSlayer Pro tax preparers, access to taxpayers’ personal information such as Social Security numbers and income statements makes it crucial to know the appropriate methods for reporting security breaches. Every step should be taken to safeguard information and protect customers from identity theft. In the unfortunate event that personal information falls into the wrong hands, the IRS and Federal Trade Commission provide guidance for reporting security incidents.

Below, TaxSlayer Pro breaks down commonly used terms for security incidents and FTC recommendations for reporting breaches.

  • An information security incident is an event or threat that can result in an unauthorized disclosure, misuse, modification or destruction of taxpayer information.
  • Report security incidents when you believe the confidentiality, integrity or availability of taxpayer data has been affected. Also, consider whether it affects the taxpayer’s ability to prepare or file a return.
  • There are several different types of incidents. The IRS defines incidents as the following:
    • Theft is the unauthorized removal of computers or electronic or paper files of data and records.
    • A loss or accident is the accidental misplacement or loss of computers or electronic or paper data and records.
    • Unauthorized access occurs when a person or computer gains logical or physical access without permission to a network, system, application, data or other resource.
    • Unauthorized disclosure or usage occurs when a person violates disclosure or use policies such as IRC sections 6713 and 7216.
    • A computer system or network attack occurs when a virus, worm, Trojan horse or other code-based malicious entity infects a host and causes a problem such as disclosure of sensitive data or denial of services.
  • Employees, contractors or other individuals who detect a possible information security incident should immediately inform the business’ designated individual for handling customer information security.
  • If it’s believed the incident compromises personal identity or financial information, the FTC recommends the following:
    • Call the local police department immediately if it could result in harm to a person or business. It may be necessary to contact the FBI, U.S. Secret Service or U.S. Postal Inspection Service.
    • Notify businesses such as banks or credit issuers that maintain account information that has been stolen from you. You may consult a credit bureau for additional information or if you are recommending that people request fraud alerts.
    • Notify affected individuals as early as possible with information about the compromise, some possible steps to take, contact information for law enforcement working the case and current information about identity theft.
    • The FTC provides a sample notification letter for individuals and more information about each of the above recommendations.