The Internal Revenue Service (IRS) has issued a news release reminding professional tax preparers that they are required by law to have a written data security plan.

Data theft at tax professionals’ offices remain a major threat for government business owners and their clients. Thieves use stolen data from tax practitioners to create fraudulent returns that can be harder for the IRS and security partners to detect. 

To combat the evolution of data theft, The Security Summit – a partnership between the IRS, states and the private-sector tax community – has created a guide for security guide for tax professionals to reduce tax-related identity theft.

Here’s what you need to know about the Summit orders.

Why is the Government Weighing in?

Despite major progress by the IRS and the Security Summit partners against identity theft, evolving tactics continue to threaten the tax community and the sensitive data of taxpayers.

Creating and maintaining a data security plan ensures that tax professionals are reviewing their data security protections and implementing appropriate safeguards. In the three years since the Summit’s founding, IRS data shows that:

• The number of taxpayers who reported to the IRS that they were victims of identity theft fell 71 percent. In 2018, the IRS received 199,000 identity theft affidavits from taxpayers compared to 677,000 in 2015. This was the third consecutive year this number declined.
• The number of confirmed identity theft returns stopped by the IRS declined by 54 percent, falling from 1.4 million in 2015 to 649,000 in 2018.

However, as the Summit has increased the tax community’s defenses against identity theft and refund fraud, cybercriminals have risen to meet the new challenges. Increasingly, they look to data thefts at tax professionals’ offices to obtain large amounts of sensitive taxpayer data. The guide the IRS issued not only aims to educate tax professionals about their responsibilities, but to share information about the evolving face of cybercrimes.

Who Qualifies as a “Tax Professional?”

The Security Summit was started in 2015 specifically to combat identity theft and protect taxpayers. But who falls into this category?

Simply put, the definition includes everyone from one-person shops to large partnerships who manage or prepare tax materials.

The “Taxes. Security. Together.” federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. In the statement, the Summit reminds all practitioners they’re required to create a written data security plan if they themselves qualify as a “professional tax preparer.”

The Security Summit partners noted that many in the tax professional community do not realize they are required under federal law to have a data security plan, thus motivating the public statement.

The IRS create the “Taxes. Security. Together.” checklist to help tax professionals protect sensitive taxpayer data.

How do Tax Professionals Meet New Standards?

The Summit partners urge the tax community to review these basic security steps. Some tax pros may routinely overlook these checklist items and others need to regularly revisit them. The steps are not only important for tax practitioners, but for taxpayers as well. Everyone has a responsibility to protect sensitive data.

The "Taxes-Security-Together" Checklist highlights key security features: 

• Deploy the “Security Six” measures:
• Activate anti-virus software.
• Use a firewall.
• Opt for two-factor authentication when it’s offered.
• Use backup software/services.
• Use Drive encryption.
• Create and secure Virtual Private Networks.
   
• Create a data security plan:
• Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. 
• The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large. 
• Tax professionals are asked to focus on key risk areas such as employee management and training; information systems; and detecting and managing system failures.
• Educate yourself and be alert to key email scams, a frequent risk area involving:
• Learn about spear phishing emails.
• Beware ransomware.
   
• Recognize the signs of client data theft:
• Clients receive IRS letters about suspicious tax returns in their name.
• More tax returns filed with a practitioner’s Electronic Filing Identification Number than submitted. 
• Clients receive tax transcripts they did not request.
   
• Create a data theft recovery plan including:
• Contact the local IRS Stakeholder Liaison immediately.
• Assist the IRS in protecting clients’ accounts.
• Contract with a cybersecurity expert to help prevent and stop thefts.

The fight against cybercrime doesn’t begin or end with tax professionals, but since the data they manage affects businesses, communities and people collectively, they make a great place to mobilize from. If you’re a tax professional who needs to revisit your security policies to get up to speed with the new Summit guidelines, contact us for a free security consultation.