IR-2018-185, Sept. 11, 2018
WASHINGTON — The Internal Revenue Service and its Security Summit partners today reminded tax professionals that they should report data theft immediately and follow an established process for helping the IRS protect their clients.
If notified timely, the IRS can help stop fraudulent tax returns being filed in clients’ names, which otherwise might delay legitimate tax refunds. This action to help protect taxpayers requires the cooperation of the tax professional with the IRS.
This is the conclusion of a 10-part series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign by the IRS, states and the private-sector tax community is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.
Although the Security Summit is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices are on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.
Should a tax professional experience a data compromise – whether by cybercriminals, theft or accident – there are certain basic steps to take. These include:
Contacting the IRS and law enforcement:
- Internal Revenue Service, report client data theft to local stakeholder liaisons. Liaisons will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names.
- Federal Bureau of Investigation, local office (if directed).
- Secret Service, local office (if directed).
- Local police – To file a police report on the data breach.
Contacting states in which the tax professional prepares state returns:
- Any breach of personal information could have an effect on the victim’s tax accounts with the states as well as the IRS. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings.
- State Attorneys General for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches. This notification process may involve multiple offices.
- Security expert – to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring.
- Insurance company – to report the breach and to check if the insurance policy covers data breach mitigation expenses.
Contacting clients and other services:
- Federal Trade Commission – for guidance for businesses. For more individualized guidance, contact the FTC at email@example.com.
- Credit / identity theft protection agency – certain states require offering credit monitoring/ID theft protection to victims of ID theft.
- Credit bureaus – to notify them if there is a compromise and clients may seek their services.
- Clients – Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. (Clients should complete IRS Form 14039, Identity Theft Affidavit, but only if their e-filed return is rejected because of a duplicate Social Security number or they are instructed to do so.
- Remember: IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Again, preparers should use their local IRS Stakeholder Liaison to report data loss.
The Security Summit partners urge all tax professionals to help avoid data thefts by taking the appropriate precautions detailed during this 10-week education and awareness campaign for tax professionals.
The objective of “Protect Your Clients, Protect Yourself: Tax Security 101” is to ensure all tax professionals, whether a one-person shop or a major firm, understand the risk posed by national and international criminal syndicates, take the appropriate steps to protect their clients and business and understand the laws around their obligation to secure that data.
The Security Summit reminds all tax professionals that they must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax pros should stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.
To improve data security awareness by all tax professionals, the IRS will host a webinar on Sept. 26, 2018. The focus will be on the same topics as this series: “Protect Your Clients; Protect Yourself: Tax Security 101.” Although tax preparers will be eligible for one CPE credit, the IRS invites others working on tax issues to attend. Protecting taxpayer information takes everyone working together.