How to Write Tax Business Security Plans

Did you know the IRS expects you to have a written information security plan for your tax prep business? Federal law requires all tax preparers to create and update a written plan year after year. We outline the steps for creating information security and emergency data theft plans here.   

Information security plan 

An information security plan is written documentation of how your office protects clients’ personal information and sensitive company data, and of what it will do in the event of a security breach. The plan aims to prevent data breaches and to let you respond to data theft promptly when it does occur.

The plan must be appropriate for your tax office’s size, and because you handle personally identifiable information (PII), it must cover how you protect your clients’ sensitive personal data.

How to write an information security plan  

Whether you work remotely or from your regular office, you must create an information security plan, and your safeguards must be the same regardless of where you work.

According to the Federal Trade Commission, your plan must include the following:    

  • At least one employee designated to run the security program.
  • A plan to identify and assess the risks to client information and to evaluate how well the current safeguards control those risks.
  • A safeguards program that is regularly tested and monitored.
  • Service providers selected for their ability to help you maintain appropriate safeguards.
  • A plan to evaluate and adjust the program when your office changes or when recent testing shows it needs improvement.

For more information, read this article on safeguarding taxpayer data.    

Emergency data theft plan  

The IRS also recommends that tax preparers outline an emergency response plan for data theft. Tax preparers work with sensitive personal information, and if that information is compromised, their clients’ identities can be stolen.

How to create an emergency data theft plan  

Make sure you have a list of your clients readily available, then do the following:    

  1. If you suspect you are the victim of data theft, report the incident to your local IRS Stakeholder Liaison first. The IRS will help you take the appropriate actions to protect you and your clients, such as notifying IRS Criminal Investigation and blocking fraudulent returns from being filed in your clients’ names.
  2. After you notify the IRS, send an email to the Federation of Tax Administrators.  
  3. Finally, include information in your plan on how to report victim information to your state. Most states require you to notify the state attorney general. You may have to contact multiple offices, so having this information in your plan will help speed up the process. For more information, visit Data Theft Information for Tax Professionals.    

Do I need these plans even if I work remotely now?  

Yes, you do need these plans, especially if you work remotely. Working from home doesn’t mean that your data is safe from cybercriminals.  

What kinds of data do cybercriminals target?  

Cybercriminals will likely target personal client data, but they might also try to steal your identity and business information, including your PTIN, EFIN, or CAF numbers. Obtaining your business information will allow them to file fraudulent returns or steal even more people’s sensitive tax information.  

How do I know if my information is being used to file fraudulent tax returns?  

You can check your IRS e-Services E-file Application to see how many returns have been filed under your EFIN that week. If the count is far higher than the number of returns you actually filed, you may be dealing with data theft. Keep an accurate record of your e-filed returns so you can check it against e-Services at least weekly.

If you are a Circular 230 practitioner, you can also see how many tax returns have been filed under your PTIN. Treat an unusually large number of e-files as a possible sign of data theft.
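The weekly check described above is a reconciliation: the office keeps its own ledger of every return it e-filed, and compares the per-week totals with the counts it reads off e-Services. The script below is an added example (not from the original article, and not an IRS tool); it assumes the e-Services counts are transcribed by hand into a dictionary keyed by ISO week, since e-Services offers no programmatic feed here, and the ledger entries and counts are constructed sample data.

```python
"""Reconcile an office's own e-file ledger against weekly return counts
read from IRS e-Services. Added example with constructed data; e-Services
counts are assumed to be transcribed manually (no IRS API is used)."""
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class LedgerEntry:
    """One return the office knows it submitted (hypothetical fields)."""
    submission_id: str   # the office's own reference for the filing
    filed_on: date       # the date the return was transmitted


def iso_week(d: date) -> str:
    """Bucket a date into an ISO week label such as '2024-W06'."""
    year, week, _ = d.isocalendar()
    return f"{year}-W{week:02d}"


def weekly_counts(ledger: list[LedgerEntry]) -> Counter:
    """Count the office's own filings per ISO week."""
    return Counter(iso_week(entry.filed_on) for entry in ledger)


def reconcile(ledger: list[LedgerEntry],
              eservices_counts: dict[str, int],
              tolerance: int = 0) -> list[tuple[str, int, int, int]]:
    """Flag weeks where e-Services reports more returns under the EFIN than
    the ledger records. Returns (week, recorded, reported, excess) tuples.
    A week missing from either side counts as zero on that side, so returns
    filed in a week the office did nothing are still flagged."""
    recorded_by_week = weekly_counts(ledger)
    findings = []
    for week in sorted(set(recorded_by_week) | set(eservices_counts)):
        recorded = recorded_by_week.get(week, 0)
        reported = eservices_counts.get(week, 0)
        excess = reported - recorded
        if excess > tolerance:
            findings.append((week, recorded, reported, excess))
    return findings


# Constructed sample ledger: five returns the office actually transmitted.
SAMPLE_LEDGER = [
    LedgerEntry("OFFICE-0001", date(2024, 2, 5)),
    LedgerEntry("OFFICE-0002", date(2024, 2, 6)),
    LedgerEntry("OFFICE-0003", date(2024, 2, 8)),
    LedgerEntry("OFFICE-0004", date(2024, 2, 13)),
    LedgerEntry("OFFICE-0005", date(2024, 2, 14)),
]

# Constructed sample: counts transcribed from the e-Services E-file Application.
# Week 7 shows ten more returns than the office filed.
SAMPLE_ESERVICES = {"2024-W06": 3, "2024-W07": 12}

if __name__ == "__main__":
    for week, recorded, reported, excess in reconcile(SAMPLE_LEDGER, SAMPLE_ESERVICES):
        print(f"{week}: ledger {recorded}, e-Services {reported}, "
              f"{excess} unexplained return(s) under your EFIN")
```

Any week that appears in the findings is a reason to follow the emergency data theft steps above rather than wait for the next check. Weeks where e-Services reports fewer returns than the ledger are not flagged, since that usually points to a bookkeeping gap on the office's side rather than to someone else filing under the EFIN.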