Tax Security 2.0 – A "Taxes-Security-Together" Checklist

Notice: Historical Content


This is an archival or historical document and may not reflect current law, policies or procedures.

IRS, Security Summit partners urge tax professionals to review their practices, enhance safeguards to protect taxpayer data

IRS YouTube Videos:

  • Tax Security 2.0: "Taxes-Security-Together" Checklist (Obsolete)

IR-2019-122, July 9, 2019

WASHINGTON — Leaders from the IRS, state tax agencies and the tax industry today called on tax professionals nationwide to take time this summer to review their current security practices, enhance safeguards where necessary and take steps to protect their businesses from global cybercriminal syndicates prowling the Internet.

Despite major progress by the IRS and the Security Summit partners against identity theft, evolving tactics continue to threaten the tax community and the sensitive data of taxpayers. 

To help combat this, the Security Summit partners created a new “Taxes-Security-Together” Checklist to serve as a starting point for tax professionals. Beginning next week, the IRS and Summit partners will issue a series of five Tax Security 2.0 news releases highlighting “Taxes-Security-Together” Checklist action items.

“The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data,” said IRS Commissioner Chuck Rettig. “But a major risk remains, regardless of whether you are the sole tax practitioner in your office or part of a multi-partner accounting firm. To help with this, we assembled a security checklist to assist the tax community. We hope tax professionals will use our checklist as a starting point to do everything necessary to protect their client’s data.”

The Security Summit — a partnership between the IRS, states and the private-sector tax community — started in 2015 to combat identity theft and protect taxpayers. Key IRS data show the Summit continues making major progress against tax-related identity theft. Between 2015 and 2018, key indicators showed:

  • The number of taxpayers who reported to the IRS that they were victims of identity theft fell 71 percent. In 2018, the IRS received 199,000 identity theft affidavits from taxpayers compared to 677,000 in 2015. This was the third consecutive year this number declined.
  • The number of confirmed identity theft returns stopped by the IRS declined by 54 percent, falling from 1.4 million in 2015 to 649,000 in 2018.

As the Summit has increased the tax community’s defenses against identity theft and refund fraud, cybercriminals continue to evolve. Increasingly, they look to data thefts at tax professionals’ offices to obtain large amounts of sensitive taxpayer data. Thieves then use stolen data from tax professionals to create fraudulent returns that are harder to detect.

The "Taxes-Security-Together" Checklist

The Summit partners urge the tax community to review these basic security steps this summer. Some tax pros may routinely overlook these checklist items and others need to regularly revisit them. The steps are not only important for tax practitioners, but for taxpayers as well. Everyone has a responsibility to protect sensitive data.

The "Taxes-Security-Together" Checklist highlights key security features: 

  • Deploy the “Security Six” measures:
    • Activate anti-virus software.
    • Use a firewall.
    • Opt for two-factor authentication when it’s offered.
    • Use backup software/services.
    • Use Drive encryption.
    • Create and secure Virtual Private Networks.
       
  • Create a data security plan:
    • Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. 
    • The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large. 
    • Tax professionals are asked to focus on key risk areas such as employee management and training; information systems; and detecting and managing system failures.
       
  • Educate yourself and be alert to key email scams, a frequent risk area involving:
    • Learn about spear phishing emails.
    • Beware ransomware.
       
  • Recognize the signs of client data theft:
    • Clients receive IRS letters about suspicious tax returns in their name.
    • More tax returns filed with a practitioner’s Electronic Filing Identification Number than submitted. 
    • Clients receive tax transcripts they did not request.
       
  • Create a data theft recovery plan including:
    • Contact the local IRS Stakeholder Liaison immediately.
    • Assist the IRS in protecting clients’ accounts.
    • Contract with a cybersecurity expert to help prevent and stop thefts. 

Security Summit partners/tax professionals urge review

“The states and our partners have made progress in the fight against tax-related identity theft, but criminals continue to evolve. We cannot let our guard down in this fight because our common enemy is well-funded, technologically skilled and savvy about state and federal tax processes,” said Sharonne Bonardi, president of the Board of Trustees of the Federation of Tax Administrators and Deputy Comptroller in Maryland. “To make this work, we need help from individual tax professionals across the nation.”

Checklist marks third year of Summit campaigns aimed at tax professional community

This year’s Tax Security 2.0 effort involving the Security Checklist is the third summer campaign in a row involving the Summit partners. The effort follows feedback and recommendations from the Electronic Tax Administration Advisory Committee (ETAAC) that encouraged the Summit partners to expand and intensify outreach efforts to the tax professional community on identity theft and security issues. 

This year’s campaign also coincides with this summer’s IRS Nationwide Tax Forums, which will again feature a major focus on security protection for tax professionals. The sessions will provide continuing education credits for sessions led by experts from inside and outside the IRS. The American Coalition for Taxpayer Rights also will again sponsor special sessions with experts from the Pell Center for International Relations and Public Policy at Salve Regina University in Rhode Island. 

Last year's Summit education effort focused on Protect Your Clients; Protect Yourself: Tax Security 101. In 2017, the campaign highlighted email schemes in Don’t Take the Bait.

Separate Summit initiatives focus on identity theft awareness for individual taxpayers and consumer alerts for developing tax scams and schemes. 

Resources available for tax professionals

Tax professionals also can get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer DataPDF, and Small Business Information Security: The FundamentalsPDF by the National Institute of Standards and Technology.

Publication 5293, Data Security Resource Guide for Tax ProfessionalsPDF, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and social media.