The last time we talked about the IRS requirements for a data security plan was during PTIN renewal. Here’s a great question that I get asked all the time by accountants: Does my tax software already take care of my security and compliance requirements from the IRS etc.?
The answer is simple: NO.
The IRS requires a written security plan that complies with FTC standards. According to the FTC, you must base your plan on an assessment of your environment’s unique risks. The assessment and the plan must address administrative, physical, and technical safeguards covering the following three areas of your firm:
- Employee Management and Training
- Information Systems Security (computers, software, etc.)
- Detecting and Managing System Failures and Threats
There are additional specifics to these points as well.
In addition, last year the IRS gave guidance on how to comply with this. The guide also directs you to other technical manuals you should use in making your plan. However, it should already be evident that merely using tax software to file your clients’ taxes doesn’t take care of this.
Here are some practical examples:
- Your tax program may protect the information stored online in the cloud using encryption and other means. It will also require a user to provide a password to log in, etc. However, is this the only place where you have ‘nonpublic client information’? Every firm knows that its sensitive client information is EVERYWHERE, whether it is an extensive practice or a single practitioner. It’s in your emails, spreadsheets, whatever cloud (Microsoft, Google, etc.) you use to store them, your folders, servers, backups, thumb drives, portals, etc. Many of these services can be accessed from anywhere, whether by you or by the bad guys.
- Additionally, your tax programs may require a password. However, what if a computer got stolen and all the programs are already ‘signed in’? Even if they always need signing in, once a bad guy has access to the computer (even if the computer has a password), there are so many ways they can get around these safeguards. Safeguards and IRS recommendations address these circumstances, but they need to be put in place through guidance to your IT support.
It’s essential that your firm addresses all of these in your risk assessment and when you develop your written security plan for your security and compliance. As needed, consult with experts like Securex, who have experience assessing risks and making plans for accountants, who understand the process and can significantly alleviate your burden of figuring out what you need and how to guide your team to put it into place.
Notice and Disclaimer: The information provided by Securex LLC is for educational purposes only. Securex LLC is not a law firm nor lawyers, nor attorneys and is not providing attorney services or legal advice in any of the information or services that it provides. Securex LLC disclaims any-and-all potential liability on its part arising pursuant to the information it provides and pursuant to any use, misuse, or inability to use the information it provides.