Federal law administered by the Federal Trade Commission requires all “professional tax preparers” to create and maintain a written security plan that is appropriate to the firm’s size and complexity.
In addition, the FTC-required information security plan must be appropriate to the nature and scope of the company’s activities and the sensitivity of the customer information it handles. A plan for a sole tax practitioner would differ from a multi-partner, global firm.
Tax professionals working from home must ensure that client data is protected just as it would be in an office setting.
According to the FTC, each company, as part of its plan, must:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
In addition to having a plan in place to protect taxpayer data, the Security Summit partners recommend practitioners create a response plan that includes:
- Reporting a “data breach” to the local IRS Stakeholder Liaison
- Emailing the Federation of Tax Administrators at StateAlert@taxadmin.org in order to report the breach to the state's attorney general. Most states require this by law.
The IRS has compiled a list of key resources regarding Data Theft Information for Tax Professionals which includes contact info for the IRS, FBI, Secret Service, State Attorneys General, the FTC and Credit Bureaus.
Information is from IRS Bulletin: IR-2020-184