If you are a federal tax return preparer, you are no stranger to renewing your preparer tax identification number (PTIN) during the mid-October to December 31 enrollment period. It is a relatively simple process, especially now with online renewal, but this year the IRS added something new to the application: a data security responsibilities statement.
This statement now appears on both the online application and the paper form, and if you have not been following the recent publications from the Security Summit and the IRS it may catch you off guard.
The statement was added in response to the recent uptick in cyberattacks and the mainstream media coverage that followed (think the City of Baltimore ransomware incident and the Marriott breach), but it has caused some confusion about what it actually requires of tax preparers. We are going to break down this new addition to the PTIN application in three parts:
- Tax preparers' legal obligations regarding data security
- Written Security Plan
- FTC Safeguards Rule Compliance
So, what exactly is this ‘legal obligation’ that all tax return preparers must be aware of?
The Gramm-Leach-Bliley Act requires every financial institution, and for this purpose tax return preparers count as financial institutions, to protect sensitive customer data. In practice it requires a company to develop a WRITTEN data security plan that is reviewed and updated as the business, its technology and the threats it faces change, so that security improves over time. That plan must also comply with the FTC's Safeguards Rule, which lays out the more specific requirements to follow. Translation:
By checking the security box, a tax preparer is acknowledging their legal responsibility to meet these requirements and could be subject to investigation and fines from the FTC should they not.
The checkbox is essentially an added layer of accountability to push financial institutions to do better at securing their data, and it should come as no surprise. The Security Summit, a partnership between the IRS, state tax agencies and the private tax industry, was founded in 2015 and has been publishing campaigns such as Protect Your Clients; Protect Yourself, Tax Security 101 and Tax Security 2.0 to raise cyber security awareness among tax professionals and prepare firms for what is coming.
Creating a Security Plan
If this is your first time putting together a data security plan, don't worry: it is not as bad as it seems. Pulling the information together and getting it down on paper takes some time initially, but once the plan is fleshed out it is a matter of implementation and periodic revision.
A security plan essentially breaks down into three categories: a person responsible for the plan and for staff training, technical and physical safeguards for your network and office, and an incident response plan for when something goes wrong.
The first step in building your plan is choosing a security officer who is responsible for creating and maintaining it. The security officer is also responsible for educating the rest of the staff and for staying up to date on the latest threats. Staff awareness and continued education are crucial, because a large share of breaches begin with a person being tricked rather than with a technical flaw (phishing is the usual example in the tax industry).
Educating your employees is a must, but you also need basic security measures protecting your network and your facility. That means conducting an internal assessment of your network to identify weaknesses and then implementing software and policies to close the gaps. This should include:
- Security software – business-grade anti-virus, spam filtering, a firewall, and encryption of drives and backups
- Password policy – try telling a client that a hacker stole their financial data because you were "smart" enough to use companyname2019 or lastname2019 as your password. Passwords built from the firm name, a surname and the current year are among the first guesses an attacker makes.
- Securing wireless networks – change the default administrator credentials, require encryption on the Wi-Fi, and control who is allowed to join
- Protecting stored client data – encrypt it, back it up, and wipe or physically destroy any device or media that held client documents before it leaves your control
In the event of a breach you are required to report the incident to the IRS (through your local IRS Stakeholder Liaison), to local police, and, depending on the scope of the breach, to the FBI. You are also required to notify the state attorney general of each state in which you prepare returns.
No one wants to suffer a data breach, but the reality is that they happen, and often, and if you are not ready, panic follows. This is why it is vital to have an incident response plan built into your overall security plan. The incident response plan should assign roles to business-critical employees and give them concrete tasks to carry out as soon as a breach is discovered: containing the damage, securing the network, preserving evidence, and investigating how the breach occurred.
Complying with the Safeguards Rule
As mentioned earlier, you will also want to be familiar with the FTC Safeguards Rule, because your written plan must comply with it. The rule lays out the areas your written plan needs to cover, and for the most part they line up with what belongs in any data security plan: designate a team member to create and coordinate the plan, assess your network and fix the issues you find, implement safeguards, train employees, and review the plan periodically and adjust it.
If you want to be sure you are doing your due diligence, check out the guide the IRS has published for tax preparers, which includes a full checklist for Safeguards Rule compliance.
Data protection is not new, and tax preparers have been legally obligated to have a written plan for years, but now the IRS and the FTC are taking steps to ensure the law is actually followed. If you have not yet put your plan on paper, doing so will tighten up your security and bring you into compliance, and at the end of the day it is simply good business.