
A Matter of Taxpayer Safety: How the IRS is Stepping Up to Show the Importance of Cyber-Vigilance

We’ve seen the situation play out countless times. A company falls victim to a cyber-attack and eventually is crippled by the amount it costs to recover.

Prominent in this pool of victims are tax professionals and their organizations, who hold data that cyber-criminals are eager to get their hands on: taxpayer information. From Social Security numbers to addresses and precious financial information, tax professionals hold some of the most sensitive information about taxpayers.

In response to attacks on tax professionals, and recognizing the gravity of the situation if a tax professional or firm were to be breached, the Internal Revenue Service has banded together with state tax agencies and tax industry groups all over the country to rally behind one core mission: securing taxpayer information against data theft.

The agency-created “Security Summit” works with experts, including software developers as well as payroll and tax financial product processors, to promote the importance of remaining cyber-vigilant for any organization that is in possession of taxpayer information.

One of the products of the Security Summit partners is the “Taxes Security Together Checklist” series released by the agency. The checklists give tax professionals five core action items to take into account when handling taxpayer data:

  • Deploy the “Security Six” measures: activating anti-virus software, using a firewall, opting for two-factor authentication for additional protection, using backup software or services, using drive encryption, and creating and securing Virtual Private Networks
  • Create a data security plan
  • Educate yourself and be alert to key email scams
  • Recognize the signs of client data theft
  • Create a data theft recovery plan

According to the agency, cyber-criminals continue to evolve in order to find more sophisticated means of attacking organizations that hold taxpayer information. In its recent notice, Publication 4557, “Safeguarding Taxpayer Data: A Guide For Your Business,” the IRS reiterates that data theft at the offices of tax professionals continues to rise and that protecting taxpayer data is the law.

The Federal Trade Commission (FTC), under federal law, has the ability to outline data safeguard regulations for professional tax return preparers. As of now, the FTC Safeguards Rule requires that tax return preparers both create and implement security plans in order to protect their clients’ data or face a potential FTC investigation.

The FTC requires that these plans be appropriate for the business’s “size and complexity,” and recommends that companies appoint one or more of their employees to handle the coordination of their information security program.

In its Safeguarding Taxpayer Data guide, the agency also outlines several important action items for tax professionals to consider when starting their journey of cyber-safety.

For example, the IRS recommends taking basic security steps such as learning how to recognize phishing emails or reviewing internal controls such as security software or passwords that might need strengthening. The guide also recommends backing up sensitive data and destroying old hardware that might contain sensitive data.

Tax-related identity theft remains one of the agency’s top cybersecurity concerns, and can involve a cyber-criminal stealing a taxpayer’s Social Security number (SSN). This is the taxpayer information that cyber-criminals ultimately are after. In the event that the perpetrator of a cyber-attack breaches a tax professional’s network and obtains taxpayer information, such as an SSN, the opportunities are endless for the criminal to hold the data ransom, engage in identity theft, use the information to file fraudulent tax returns or worse.

This lends itself to a separate action item outlined in the Safeguarding Taxpayer Data guide, which recommends that tax professionals “protect stored client data.” In order to protect stored client data, the IRS recommends performing a risk assessment and inventory of all company devices where client tax data might be stored, backing up encrypted copies of client data to external hard drives and using drive encryption to lock files and all devices.

Cybersecurity and the planning involved can often be an overwhelming task for many of our nation’s small and medium-sized businesses. The creation of a company’s cybersecurity tools, or even a response plan in the event of a possible breach, can take time and manpower that sometimes a company just doesn’t have. According to the IRS, businesses should strongly consider reaching out to third-party security professionals in order to ensure that their clients’ data is adequately protected.

Regardless of how tax professionals approach their cybersecurity measures, the risk is clear: become cyber-vigilant or remain vulnerable and leave the fate of your business and your clients’ data to chance.