Tax Professionals Warned by IRS to Create Data Security Plans

The Internal Revenue Service (IRS) issued a joint news release with the US tax industry and state tax agencies to remind professional tax preparers that they are required by federal law to have a data security plan.

A data security plan should allow tax professionals to have appropriate safeguards in place to protect the sensitive taxpayer information they work with on a daily basis from data theft attacks.

Data security plans required by the law

"Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers," said IRS Commissioner Chuck Rettig. "Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business."

Failure to comply with the Federal Trade Commission (FTC) Safeguards Rule based on the Financial Services Modernization Act of 1999 may result in the professional tax return preparers being the subject of an FTC investigation.

"The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider," says the IRS news release.

While FTC's information security plan requirements are designed to be flexible and to be adjusted to the company size and the sensitivity of the data, the Publication 4557 - Safeguarding Taxpayer Data [PDF] issued by the IRS comes with a detailed list of highly critical security measures all tax pros are expected to follow.

Starting point data security plan checklist

Today's warning comes on the heels of IRS' Security Summit during which the Department of the Treasury agency urged tax pros to review their data security measures, with a Taxes-Security-Together checklist having been published by the IRS to act as a starting point.

According to the IRS data security plan checklist for tax professionals:

  • Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. 
  • The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large. 
  • Tax professionals are asked to focus on key risk areas such as employee management and training; information systems; and detecting and managing system failures.

"The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data," added the IRS Commissioner.

"But a major risk remains, regardless of whether you are the sole tax practitioner in your office or part of a multi-partner accounting firm. To help with this, we assembled a security checklist to assist the tax community. We hope tax professionals will use our checklist as a starting point to do everything necessary to protect their client’s data."

Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) also provides a 'Safeguarding Your Data' publication as part of the National Cyber Awareness System.

According to a U.S. Government Accountability Office (GAO) audit published last week, the IRS itself did not enact several security controls recommended over the years, exposing taxpayer and financial reporting data to "inappropriate and undetected use, modification, or disclosure."

GAO analyzed IRS systems during the fiscal year 2018 and concluded that 127 recommendations remained to be addressed by the agency, with most of them from past evaluations. 

GAO concludes the report stating that the IRS managed to improve its overall security stance overall but the newly found security flaws impact the efficiency of previously adopted standards and protections.

Tax and IRS themed attacks

Today's warning could help both taxpayers and tax professionals to defend against attacks designed to steal sensitive info such as campaigns are targeting the tax season with realistic phishing emails containing malicious attachments.

Tax pros were also targeted by a malspam campaign distributing emails pretending to come from the Internal Revenue Service in 2018, used by threat actors to infect their targets with a Rapid Ransomware variant.

Back in 2017, the IRS issued a warning regarding a phishing attack posing as official IRS communications that try to lure victims to access a link or download a file as part of a scheme designed to infected them with ransomware.

Attackers also use phone scams as observed in 2016 to pose as the Internal Revenue Service and to ask the targets to extinguish outstanding debts of thousands of dollars via gift card payments.

Related Articles:

Microsoft-Owned GitHub Blocks Devs in US Sanctioned Countries

New York Passes Law to Update Data Breach Notification Requirements

US Govt Rolls Out New DNS Security Measures for .gov Domains

Most 2020 Presidential Campaign Not Using Proper Email Security

U.S. Coast Guard Issues Safety Alert Following Cyber Incident