How to Safeguard Taxpayer Data
If you handle taxpayer information you may be subject to the Gramm-Leach-Bliley Act (GLB Act) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rules. Whether or not you are subject to the GLB Act and the FTC Rules, you could benefit from implementing the general processes and best practices outlined in FTC information privacy and safeguards guidelines.
Financial institutions as defined by the FTC include professional tax preparers, data processors, their affiliates and service providers who are significantly engaged in providing financial products or services. They must take the following steps to protect taxpayer information. Other businesses, organizations and individuals handling taxpayer information should also follow these steps because they represent best practices for all.
- Take responsibility or assign an individual or individuals to be responsible for safeguards;
- Assess the risks to taxpayer information in your office, including your operations, physical environment, computer systems and employees, if applicable;
- Make a list of all the locations where you keep taxpayer information (computers, filing cabinets, bags and boxes taxpayers may bring you);
- Write a plan of how you will safeguard taxpayer information, and put appropriate safeguards in place;
- Use only service providers who have policies in place to also maintain an adequate level of information protection as defined by the Safeguards Rule; and
- Monitor, evaluate and adjust your security program as your business or circumstances change.
The FTC has fact sheets and guidelines on privacy and safeguards for businesses on their Web site. In addition, you may seek outside professional help to assess your information security needs.
To safeguard taxpayer information, you must determine the appropriate security controls for your environment based on the size, complexity, nature and scope of your activities. Security controls are the management, operational and technical safeguards you may use to protect the confidentiality, integrity and availability of your customers’ information. Examples of security controls are:
- Locking doors to restrict access to paper or electronic files;
- Requiring passwords to restrict access to computer files;
- Encrypting electronically stored taxpayer data;
- Keeping a backup of electronic data for recovery purposes;
- Shredding paper containing taxpayer information before throwing it in the trash; and
- Not mailing unencrypted sensitive personal information.
Further, Authorized IRS e-file Providers that participate as Online Providers must follow the six security, privacy and business standards to better serve taxpayers and protect the individual income tax information they collect, process and store. See “Safeguarding IRS e-file” in Publication 1345 for more information.
All Authorized IRS e-file Providers who own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored must register their Uniform Resource Locator (URL). See instructions for submitting the URL information.
For additional examples of security controls, refer to the National Institute of Standards and Technology (NIST) SP 800-53 publication listed in "Safeguarding Taxpayer Data, References to Applicable Standards and Best Practices."