There’s a reason why the IRS sends out alerts every year about new scams that criminals are using to trick or intimidate taxpayers into sharing their data. When criminals are successful, they can file fraudulent tax returns and steal the refunds. Because they’re using legitimate data, fraud is difficult to detect.
To combat these threats, the IRS has partnered with state tax agencies, tax industry professionals, software developers and others to form the Security Summit. This group has developed safeguards designed to protect taxpayer data. These efforts, along with steps taken in the private sector, seem to be helping. The number of taxpayer identity theft incidents reported to the IRS has declined for three straight years, dropping 71 percent from 2015 to 2018.
Significant progress has been made, but more work needs to be done.
Legal Requirements for the Protection of Taxpayer Data
Any organization that holds taxpayer data must take steps to protect it according to the Federal Trade Commission (FTC) Safeguards Rule. This includes not only CPAs, but human resources departments, payroll, financial institutions and advisors, and more. IRS Publication 4557 provides guidance for recognizing threats, preventing and responding to data breaches, and understanding and complying with the FTC Safeguards Rule.
The IRS recommends performing thorough assessments of security processes and technology. The first step is to make sure you have a solid foundation — current antivirus software on all devices, next-generation firewalls, complex user passwords that are updated regularly, data encryption, reliable data backup, a documented procedure for safely and responsibly disposing of old devices, and a tested incident response plan. Organizations should also limit access to taxpayer data, and tax preparers should check their IRS e-Services accounts every week to monitor the number of filed returns.
Wireless network security should also be addressed. Change the name and default passwords on all wireless routers and other devices, limit the range of your wireless network, use strong encryption, and never use public Wi-Fi to access or view sensitive data. To protect data “at rest,” know where taxpayer data is stored, avoid installing unnecessary applications on the business network, and make sure data is encrypted on all devices and in all storage repositories.
Compliance with the FTC Safeguards Rule
The FTC Safeguards Rule requires companies to designate at least one employee to coordinate information security, assess risks to sensitive data, and evaluate the effectiveness of existing safeguards. You must then design, implement, monitor and test an information security program that accounts for items addressed in the risk assessment, new safeguards that must be followed, and roles and responsibilities.
When partnering with service providers, you must oversee how they handle customer data to ensure compliance with the FTC Safeguards Rule and make compliance part of your service provider contracts. The security and threat landscape is always changing, so your information security program should be evaluated and updated at least once per year.
IRS Publication 4557 also includes an extensive Safeguards Rule Checklist that covers recommendations for employee management and training, information systems, and system failure detection and management.
Cerium Can Help
Cerium has extensive experience developing information security programs that protect data without compromising business operations or the customer experience. Let us help you comply with the FTC Safeguards Rule and reduce the risk of taxpayer identity theft.