Did you know that the IRS expects you to have a written information security plan for your tax prep business? Federal law requires all tax preparers to create and update a written plan year after year. If you don’t have one yet, now is the time to act before tax season starts.
Information security plan
An information security plan is written documentation of how your office will protect client personal information and sensitive company data, and what it will do in the event of a security breach. The goal of the plan is to prevent a data breach and, if data theft does occur, to help you deal with it as quickly as possible.
The plan must be appropriate for your tax office’s size, and because you handle personally identifiable information (PII) it must cover how you protect your clients’ sensitive personal data.
How to write an information security plan
When you put together an information security plan, take into account whether you will be working remotely or from your regular office setting. Your safeguards must be equally strong no matter where you are working from.
According to the Federal Trade Commission, your plan must include the following:
- At least one employee designated to coordinate the security program
- A plan to identify and assess the risks to client information and to evaluate how well the current safeguards control these risks
- A safeguards program that is regularly tested and monitored
- A process for selecting service providers that can help you maintain appropriate safeguards
- A plan to evaluate and adjust the program when your office changes or when recent testing shows it needs improvement
For more information, read this article on safeguarding taxpayer data.
Emergency data theft plan
The IRS also recommends that tax preparers put together an emergency response plan for the event of data theft. Tax preparers work with sensitive personal information, and if that information is compromised it can result in their clients’ identities being stolen.
How to create an emergency data theft plan
Make sure you have a list of your clients readily available, then do the following.
If you suspect you are the victim of data theft, report the incident to your local IRS Stakeholder Liaison first. The IRS will help you take the appropriate actions to protect you and your clients, such as notifying IRS Criminal Investigation and blocking fraudulent returns from being filed in your clients’ names.
After you notify the IRS, send an email to the Federation of Tax Administrators. Finally, include information in your plan on how to report victim information to your state. Most states require you to notify the state attorney general. You may have to contact multiple offices, so having this information in your plan will help speed up the process. For more information, visit Data Theft Information for Tax Professionals.
Do I need these plans even if I work remotely now?
Yes, you do need these plans, especially if you work remotely. Just because you work from home doesn’t mean that your data is safe. IRS Commissioner Chuck Rettig said, “COVID-19 has changed the way many of us work, and more tax professionals are working from home. With these changes, there are new risks from cybercriminals… It’s more important than ever to take appropriate security precautions, protect remote work sites, use two-factor authentication, and plan for all possibilities.”
What kinds of data do cybercriminals target?
Cybercriminals will likely target personal client data, but they might also try to steal your identity, including your PTIN, EFIN, or CAF numbers. This will allow them to file fraudulent returns or steal even more people’s sensitive tax info.
How do I know if my information is being used to file fraudulent tax returns?
You can check your IRS e-Services E-file Application to see how many returns have been filed with your EFIN that week. If you see far more returns than you actually filed, you may be dealing with data theft. Keep an accurate record of your e-filed returns so you can check it against e-Services at least weekly.
If you are a Circular 230 practitioner, you can also see how many tax returns have been filed with your PTIN. Look for excessively large numbers of e-files as a sign of data theft.
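As an added example (not from the article or from the IRS), here is one way to do the weekly EFIN reconciliation described above in Python: it buckets your own ledger of e-filed returns by ISO week and flags any week where the count you transcribed from e-Services exceeds what your office filed. The ledger entries and e-Services counts are constructed sample values, and the same function works unchanged for PTIN counts.

```python
from __future__ import annotations

from collections import Counter
from datetime import date

# Constructed sample ledger of returns this office e-filed under its EFIN:
# (submission id, filing date). These are hypothetical values.
LOCAL_LEDGER = [
    ("sub-0001", date(2024, 2, 5)),
    ("sub-0002", date(2024, 2, 6)),
    ("sub-0003", date(2024, 2, 12)),
    ("sub-0004", date(2024, 2, 13)),
    ("sub-0005", date(2024, 2, 14)),
]

# Constructed weekly counts as read off the e-Services E-file Application,
# keyed by ISO (year, week). e-Services is assumed to have no API here, so
# the numbers are transcribed by hand during the weekly check.
ESERVICES_WEEKLY = {
    (2024, 6): 2,   # matches the ledger
    (2024, 7): 11,  # far more than the 3 returns this office filed
    (2024, 8): 1,   # nothing in the ledger at all for this week
}


def iso_week(d: date) -> tuple[int, int]:
    year, week, _ = d.isocalendar()
    return (year, week)


def local_weekly_counts(ledger) -> dict[tuple[int, int], int]:
    """Count the office's own e-filed returns per ISO week."""
    return dict(Counter(iso_week(d) for _, d in ledger))


def reconcile(ledger, eservices_weekly) -> dict[tuple[int, int], int]:
    """Return {week: excess} for every week in which e-Services reports more
    returns under the EFIN than the office's own ledger shows."""
    local = local_weekly_counts(ledger)
    discrepancies = {}
    for week in sorted(set(local) | set(eservices_weekly)):
        reported = eservices_weekly.get(week, 0)
        filed = local.get(week, 0)
        if reported > filed:
            discrepancies[week] = reported - filed
    return discrepancies


if __name__ == "__main__":
    for week, excess in reconcile(LOCAL_LEDGER, ESERVICES_WEEKLY).items():
        print(f"ISO week {week}: {excess} return(s) filed under our EFIN that we did not submit")
```

Any week that appears in the output is a reason to start the data theft plan above (contact your IRS Stakeholder Liaison first).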