Tax Security 101: Security Summit reminds professional tax preparers of data security plan requirements

Notice: Historical Content


This is an archival or historical document and may not reflect current law, policies or procedures.

IR-2018-175, Aug. 28, 2018

WASHINGTON — The Internal Revenue Service and Security Summit partners reminded tax professionals that protecting taxpayer information isn’t just good for the clients and good for business – it’s also the law.

The Summit partners urged tax professionals to be aware of their obligations to protect client data and to cooperate with any IRS investigation related to data theft.

The IRS has a number of publications to help tax professionals navigate tax-related rules and regulations related to protecting data. In addition, the IRS, state tax agencies and the tax industry today reminded tax return preparers that a 1999 law requires that they create and implement a data security plan.

This is the eighth in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.

Although the Security Summit is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices are on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.

The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley (GLB) Act, gives the Federal Trade Commission authority to set information safeguard regulations for various entities, including professional tax return preparers.

According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation. The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.

In addition, members of the IRS Electronic Tax Administration Advisory Committee (ETAAC) in June noted that they believe “far fewer than half of tax professionals are aware of their responsibilities under the FTC Safeguards rule and that even fewer professionals …have implemented required security practices.”

The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. According to the FTC, each company, as part of its plan, must:

  • designate one or more employees to coordinate its information security program;
  • identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
  • design and implement a safeguards program and regularly monitor and test it;
  • select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
  • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

The FTC says the requirements are designed to be flexible so that companies can implement safeguards appropriate to their own circumstances. The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operations.

The IRS has revised Publication 4557, Safeguarding Taxpayer DataPDF, to detail critical security measures that all tax professionals should enact. The publication also includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan.

The IRS and certain Internal Revenue Code (IRC) sections also focus on protection of taxpayer information and requirements of tax professionals. Here are a few examples:

IRS Publication 3112, IRS e-file Application and Participation, states - Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers. Providers must be diligent in recognizing fraud and abuse, reporting it to the IRS, and preventing it when possible. Providers must also cooperate with the IRS’ investigations by making available to the IRS upon request information and documents related to returns with potential fraud or abuse.

IRC, Section 7216 - This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures or uses information furnished to them in connection with the preparation of an income tax return.

IRC, Section 6713 - This provision imposes monetary penalties on the unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.

Rev. Proc. 2007-40 - This procedure requires authorized IRS e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to penalties or sanctions specified in the Revenue Procedure.

Many state laws govern or relate to the privacy and security of financial data, which includes taxpayer data. They extend rights and remedies to consumers by requiring individuals and businesses that offer financial services to safeguard nonpublic personal information. For more information on state laws that businesses must follow, consult state laws and regulations.

In some states, data thefts must be reported to various authorities. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings. To notify the IRS in case of data theft, contact local IRS Stakeholder Liaisons.

Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer DataPDF, and Small Business Information Security: the FundamentalsPDF by the National Institute of Standards and Technology.

Publication 5293, Data Security Resource Guide for Tax ProfessionalsPDF, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.

To improve data security awareness by all tax professionals, the IRS will host a webinar on Sept. 26, 2018. The focus will be on the same topics as this series: “Protect Your Clients; Protect Yourself: Tax Security 101.” Although tax preparers will be eligible for one CPE credit, the IRS invites others working on tax issues to attend. Protecting taxpayer information takes everyone working together.