IRS Tax Tip 2018-160, October 16, 2018
Tax preparers who experience a data theft should report it immediately and should also follow an established process to protect their clients. If notified timely, the IRS can help stop fraudulent tax returns from being filed in taxpayers’ names.
When a tax professional experiences a data compromise, there are certain basic steps they should take. They should take these steps whether the compromise is caused by cybercriminals, theft or accident. These steps include:
Contact the IRS and law enforcement:
- Internal Revenue Service – The tax preparer should report client data theft to local stakeholder liaisons. Liaisons will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names.
- Federal Bureau of Investigation and Secret Service – the preparer should contact these local offices.
- Local police – The taxpayer should contact police to file a report on the data breach.
Contact states in which the tax professional prepares state returns:
- Any breach of personal information could have an adverse effect on the victim’s tax accounts with the states as well as the IRS. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings.
- The preparer should contact the State Attorneys General for each state in which the tax professional prepares returns.
- Security expert – Tax preparers should consult an expert who can help determine the cause and scope of the breach, to stop the breach, and to prevent further breaches from occurring.
- Insurance company – The preparer should report the breach to their insurance company and to check if the insurance policy covers data breach mitigation expenses.
- Federal Trade Commission – Preparers and other businesses can go to the FTC for guidance. For more individualized guidance, preparers can contact the FTC at firstname.lastname@example.org.
- Credit and identity theft protection agency – Certain states require that preparers offer credit monitoring and ID theft protection to victims of ID theft.
- Credit bureaus – Preparers should notify them if there is a compromise and clients may seek their services.
- Clients – Preparers should send an individual letter to all victims to inform them of the breach, but they should work with law enforcement on when to send the letter.
The IRS and its partners in the Security Summit are reminding preparers about reporting a data theft as part of the Tax Security 101 awareness initiative. The goal is to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.
- Publication 4557, Safeguarding Taxpayer Data
- Small Business Information Security: The Fundamentals
- Publication 5293, Data Security Resource Guide for Tax Professionals
- Data Breach Response: A Guide for Business