Data Theft Information for Tax Professionals

 

All tax professionals should be aware that they, too, are targets of cybercriminals seeking access to client data in order to file fraudulent tax returns for refunds. Are you prepared? Protect your clients and protect yourself by taking a few critical steps.

The IRS recommends tax professionals use Publication 4557, Safeguarding Taxpayer DataPDF, as a guide for conducting a review of your current security measures and to create or update your security plan. It is critical you assess your current security precautions and address any weaknesses.

The IRS also recommends tax professionals create an action plan to outline the steps you would take in the event of a data theft. This will save valuable time should the worst occur.

The “Protect Your Clients; Protect Yourself” campaign to raise awareness among tax professionals is an initiative of the Security Summit, a joint project by the IRS, states and the tax community to combat identity theft. Because of the sensitive client data held by tax professionals, cybercriminals increasingly are targeting the tax preparation community. All tax professionals must take appropriate steps to protect their clients’ data and protect their businesses.

IMPORTANT: Always use robust security software for all computers and devices, and routinely perform deep scans often to identify any malware/virus infections. Use strong password to access computers and client files. Learn to recognize and avoid phishing email schemes.

Should you experience a data compromise – whether by cybercriminals, theft or accident – there are certain basic steps you should take. For a comprehensive list of security actions, consult a security professional.

Preliminary steps include:

Contacting the IRS and law enforcement:

  • Internal Revenue Service, report client data theft to your local stakeholder liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
  • Federal Bureau of Investigation, your local office.
  • Secret Service, your local office (if directed).
  • Local police – To file a police report on the data breach.

Contacting states in which you prepare state returns:

  • Any breach of personal information could have an effect on the victim's tax accounts with the states as well as the IRS. Get information on how to report victim information to state tax agencies. Visit the Federation of Tax Administrators "Report a Data Breach" to find state contact information.
  • State Attorneys General for each state in which you prepare returns.  Most states require that the attorney general be notified of data breaches.  This notification process may involve multiple offices.

Contacting experts:

  • Security expert – to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring.
  • Insurance company – to report the breach and to check if your insurance policy covers data breach mitigation expenses

Contacting clients and other services:

  • Federal Trade Commission
    • If you would like more individualized guidance, you may contact the FTC at idt-brt@ftc.gov
  • Credit / ID theft protection agency- certain states require offering credit monitoring / ID theft protection to victims of ID theft.
  • Credit bureaus – to notify them if there is a compromise and clients may seek their services.
    • Equifax Credit Information Services - Consumer Fraud Division
      P.O. Box 105496
      Atlanta, Georgia 30348-5496
      Tel: (800) 997-2493
      www.equifax.com
    • Experian
      P.O. Box 2104
      Allen, Texas 75013-2104
      Tel: (888) EXPERIAN (397-3742)
      www.experian.com
    • Trans Union Fraud Victim Assistance Dept.
      P.O. Box 390
      Springfield, PA 19064-0390
      Tel: (800) 680-7289
      www.transunion.com
  • Clients – Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. (Clients should complete IRS Form 14039, Identity Theft Affidavit, only if they receive a notice/letter from the IRS or their e-filed return is rejected because of a duplicate Social Security number.)
  • IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Again, preparers should use their local IRS Stakeholder Liaison.

Other resources:

Publication 4557, Safeguarding Taxpayer DataPDF

Security Summit Initiative

Identity Theft Information for Tax Preparers

Identity Theft Central

Fact Sheet 2015-24, Tax Return Preparers: Data Thefts and Protecting Client Tax Information

 

What to Do After a Tax Professional Data Compromise