E-file Security, Privacy and Business Standards Mandate

The IRS has mandated six security, privacy, and business standards that supplement the Gramm-Leach-Bliley Act, to better serve taxpayers and to protect their information as it is collected, processed and stored by Online Providers of individual income tax returns. The first five standards continue to apply to Online Providers only, while Standard 6, "Reporting of Security Incidents", is now mandated for all Providers.

Individual income tax returns generally refer to the 1040 family of returns. Refer to IRS Publication 3112, IRS e-file Application and Participation (PDF), for the definition of Online Provider.

The security and privacy objectives of these standards are: minimum encryption standards for transmitting taxpayer information over the internet, together with authentication of the website owner/operator's identity beyond that offered by standard SSL certificates; periodic external vulnerability scans of the taxpayer data environment; protection against bulk filing of fraudulent income tax returns; and the ability to promptly isolate and investigate potentially compromised taxpayer information.

These standards also address certain business and customer service objectives, such as immediate access to the website owner/operator's contact information and the Online Provider's written commitment to maintaining physical, electronic, and procedural safeguards of taxpayer information that comply with applicable law and federal standards.

Compliance with these standards is mandatory effective January 1, 2010. However, there will be a one-year enforcement grace period. The grace period expires December 31, 2010.

1. Extended Validation SSL Certificate

Online Providers of individual income tax returns shall possess a valid and current Extended Validation Secure Sockets Layer (SSL) certificate, using SSL 3.0 / TLS 1.0 or later and a minimum of 1024-bit RSA and 128-bit AES. These figures are the floor set when the standard took effect in 2010; SSL 3.0 and TLS 1.0 have since been deprecated (RFC 7568 and RFC 8996), and 1024-bit RSA is below current NIST minimums, so a provider meeting the mandate today should also meet the current baseline (TLS 1.2 or later, 2048-bit RSA or stronger).
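The following script, added here as an illustration and not IRS-provided code, shows how a provider can check an endpoint against the Standard 1 floor using only the Python standard library. It connects, reads the negotiated protocol version and cipher strength from the socket, and walks the leaf certificate's DER to read the RSA modulus size (the stdlib does not expose key size directly). The `evaluate()` defaults are the 2010 figures; pass stricter values for a current floor, as the `__main__` block does. Assumptions: the server presents an RSA leaf certificate (EC keys are reported as non-compliant rather than measured), and the script deliberately does not verify Extended Validation status, which requires checking the CA-specific EV policy OID in the certificatePolicies extension. `sample_cert()` builds a constructed, unsigned certificate skeleton purely so the parser can be exercised offline.

```python
"""Check a TLS endpoint against the Standard 1 floor (TLS 1.0 or later,
RSA key of at least 1024 bits, cipher of at least 128 bits).
Standard library only; EV status is not checked (see lead-in)."""
import socket
import ssl

# Order of protocol versions as reported by ssl.SSLSocket.version().
PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _tlv(buf, pos):
    """Decode one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(value):
    """Split the content of a SEQUENCE/SET into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def rsa_modulus_bits(cert_der):
    """Size in bits of the RSA modulus in a DER certificate, or None if not RSA."""
    _, cert, _ = _tlv(cert_der, 0)                 # Certificate ::= SEQUENCE
    _, tbs = _children(cert)[0]                     # tbsCertificate
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                        # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    _, spki = fields[5]
    (_, alg), (_, bit_string) = _children(spki)[:2]
    if _children(alg)[0][1] != RSA_OID:
        return None
    # BIT STRING content: unused-bits byte, then RSAPublicKey ::= SEQUENCE {n, e}
    _, rsa_key, _ = _tlv(bit_string[1:], 0)
    _, modulus = _children(rsa_key)[0]
    return int.from_bytes(modulus, "big").bit_length()


def evaluate(protocol, cipher_bits, key_bits,
             min_protocol="TLSv1", min_cipher=128, min_key=1024):
    """Return a list of findings; an empty list means the endpoint meets the floor.
    Defaults are the Standard 1 figures; pass stricter values for a modern floor."""
    findings = []
    if PROTOCOL_RANK.get(protocol, -1) < PROTOCOL_RANK[min_protocol]:
        findings.append(f"protocol {protocol} is below {min_protocol}")
    if cipher_bits < min_cipher:
        findings.append(f"cipher strength {cipher_bits} is below {min_cipher} bits")
    if key_bits is None or key_bits < min_key:
        findings.append(f"RSA key {key_bits} is below {min_key} bits (or not RSA)")
    return findings


def check_site(hostname, port=443, **floor):
    """Connect, read the negotiated parameters and leaf certificate, evaluate."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            _name, _proto, bits = tls.cipher()
            key_bits = rsa_modulus_bits(tls.getpeercert(binary_form=True))
            return evaluate(tls.version(), bits, key_bits, **floor)


# --- constructed sample input so the parser can be exercised offline ---------
def der(tag, content):
    """Minimal DER encoder, used only to build the sample certificate below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def sample_cert(modulus_bits):
    """Unsigned certificate skeleton with an RSA key of the given size.
    Only the structure rsa_modulus_bits() walks is real; names, dates and the
    signature are empty placeholders (constructed test data, not a real cert)."""
    modulus = (1 << (modulus_bits - 1)) | 1                 # exact bit length
    n = der(0x02, modulus.to_bytes((modulus_bits + 7) // 8 + 1, "big"))  # leading 0x00
    rsa_key = der(0x30, n + der(0x02, b"\x01\x00\x01"))
    alg = der(0x30, der(0x06, RSA_OID) + der(0x05, b""))
    spki = der(0x30, alg + der(0x03, b"\x00" + rsa_key))
    empty = der(0x30, b"")      # stands in for signature, issuer, validity, subject
    version = der(0xA0, der(0x02, b"\x02"))
    tbs = der(0x30, version + der(0x02, b"\x01") + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))


if __name__ == "__main__":
    print(rsa_modulus_bits(sample_cert(1024)))                  # 1024
    print(evaluate("TLSv1", 128, 1024))                         # [] meets the 2010 floor
    print(evaluate("TLSv1", 128, 1024, "TLSv1.2", 128, 2048))   # two findings
    # print(check_site("example.com", min_protocol="TLSv1.2", min_key=2048))
```

`check_site()` is the live check and needs network access; everything else runs offline. The DER walker indexes into tbsCertificate by position, which is valid because the fields before subjectPublicKeyInfo are mandatory and fixed in order (RFC 5280), with only the [0] version tag being optional.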

2. External Vulnerability Scan

Online Providers of individual income tax returns shall contract with an independent third-party vendor to run weekly external network vulnerability scans of all their "system components" in accordance with the applicable requirements of the Payment Card Industry Data Security Standard (PCI DSS). All scans shall be performed by a scanning vendor certified by the Payment Card Industry Security Standards Council and listed on its current list of Approved Scanning Vendors (ASVs). In addition, Online Providers of individual income tax returns whose systems are hosted shall ensure that their hosting provider complies with all applicable requirements of the PCI DSS.

For the purposes of this standard, "system components" means any network component, server, or application that is included in or connected to the taxpayer data environment. The taxpayer data environment is the part of the network that holds taxpayer data or sensitive authentication data.

If scan reports reveal vulnerabilities, action shall be taken to remediate them in line with the scan report's recommendations. Weekly scan reports shall be retained for at least one year. The ASV and the hosting provider (if any) shall be located in the United States.

3. Information Privacy and Safeguard Policies

This standard applies to Authorized IRS e-file Providers participating in Online Filing of individual income tax returns that own or operate a website through which taxpayer information is collected, transmitted, processed or stored. These Providers shall have written information privacy and safeguard policies consistent with the applicable government and industry guidelines including the following statement: "we maintain physical, electronic and procedural safeguards that comply with applicable law and federal standards". In addition, Providers' compliance with these policies shall be certified by a privacy seal vendor acceptable to the IRS.

4. Protection Against Bulk Filing of Fraudulent Income Tax Returns

This standard applies to Online Providers of individual income tax returns that own or operate a website through which taxpayer information is collected, transmitted, processed or stored. These Online Providers shall implement effective technologies to protect their website against bulk filing of fraudulent income tax returns. Taxpayer information shall not be collected, transmitted, processed or stored through a website that lacks such protection.

5. Public Domain Name Registration

This standard applies to Online Providers of individual income tax returns that own or operate a website through which taxpayer information is collected, transmitted, processed or stored. These Online Providers shall have their website's domain name registered with a domain name registrar that is located in the United States and accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). The domain name shall be locked and shall not be private. In registrar terms, a locked domain has the registrar's transfer and update locks (for example, clientTransferProhibited) set so that it cannot be moved or changed without the owner's action, and a non-private registration shows the owner's contact details in the public WHOIS record rather than those of a privacy or proxy service.

6. Reporting of Security Incidents

Providers of individual income tax returns shall report security incidents to the IRS as soon as possible but not later than the next business day after confirmation of the incident. For the purposes of this standard, an event that can result in an unauthorized disclosure, misuse, modification, or destruction of taxpayer information (e.g., breach) shall be considered a reportable security incident.

Providers with multiple roles must follow instructions for submitting incident reports at Instructions for Reporting Security Incidents.

Providers that are Electronic Return Originators (EROs) only must contact their local stakeholder liaison by following the instructions at Data Theft Information for Tax Professionals.

In addition, if the Online Provider's website is the proximate cause of the incident, the Online Provider shall stop collecting taxpayer information via the website immediately upon detection of the incident, and shall not resume until the underlying causes of the incident have been resolved.

Important Notice:

In July 2007, the IRS issued an e-file rule requiring all Authorized IRS e-file Providers to submit to the IRS the Uniform Resource Locator (URL) of websites they own or operate through which taxpayer information is collected, transmitted, processed or stored. This requirement remains mandatory for all Authorized IRS e-file Providers. See instructions for submitting the URL information.

For additional information see the Frequently Asked Questions (FAQs).