Tax professionals urged to report thefts immediately; create recovery plan
IR-2019-143, August 13, 2019
WASHINGTON — The Internal Revenue Service and its Security Summit partners today reminded tax professionals that they should report data theft immediately to the IRS and follow an established process for helping the IRS protect their clients.
If notified promptly, the IRS can help stop fraudulent tax returns from being filed in clients’ names, thereby avoiding refund delays and other problems for the affected tax professional. But this action requires the cooperation of the tax professional with the IRS.
The IRS, state tax agencies and the private-sector tax industry are calling on all tax professionals to pause this summer and review their security measures and make appropriate changes. Acting as the Security Summit, the partners created a special “Taxes-Security-Together” checklist to help tax professionals with this review. Fraudulent returns using stolen tax data are harder to detect.
“Our objective is to get every tax professional to stop and think about client data security. The “Taxes-Security-Together” Checklist is intended as a starting point, spelling out the basic steps necessary to start a security review,” said Chuck Rettig, IRS Commissioner. Practitioners are the first line of defense against organized criminal syndicates running these identity theft scams. Despite our progress, this is no time to let down our guard in the tax community. We need your help.”
Creating a data theft recovery plan is the fifth and final action item in this summer’s Security Summit series. Previous checklist topics included: deploying the “Security Six” safeguards, creating a written data security plan, educating yourself on phishing scams and recognizing the signs of data theft.
Checklist Item 5: Create a data theft recovery plan
Rather than wait for an emergency, tax professionals should consider creating a data theft recovery plan in advance and make calling the IRS an immediate action item. Having an action plan can save valuable time and protect your clients and yourself. Should a tax professional experience a data compromise – whether by cybercriminals, theft or just an accident – there are certain basic steps to take. These include:
Contacting the IRS and law enforcement:
- Internal Revenue Service. Report client data theft to local IRS Stakeholder Liaisons, who will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names, helping your firm and your clients.
- Federal Bureau of Investigation, local office (if directed).
- Secret Service, local office (if directed).
Contacting states in which the tax professional prepares state returns:
- State revenue agencies. Any breach of personal information could have an effect on the victim’s tax accounts with the state revenue agencies as well as the IRS. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special email address as a contact point: StateAlert@taxadmin.org.
- State Attorneys General for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches, so this notification process may involve multiple offices in some locations.
- Security expert. They can help determine the cause and scope of the breach as well as stop the breach and prevent further breaches from occurring.
- Insurance company. Not only to report the breach, but to check if the insurance policy covers data breach mitigation expenses.
Contacting clients and other services:
- Federal Trade Commission for guidance for businesses. For more individualized guidance, contact the FTC at firstname.lastname@example.org.
- Credit / identity theft protection agency. Certain states require offering credit monitoring and identity theft protection to victims of identity theft.
- Credit bureaus. Notifying them if there is a compromise and your clients may seek their services.
- Clients. At a minimum, send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. Clients should complete IRS Form 14039, Identity Theft Affidavit, but only if their e-filed return is rejected because of a duplicate Social Security number or they are instructed to do so.
- Remember: IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Again, preparers should use their local IRS Stakeholder Liaison to report data loss.
The objective of the “Taxes-Security-Together” Checklist is to ensure all tax professionals, whether a one-person shop or a major firm, understand the risk posed by national and international criminal syndicates, take the appropriate steps to protect their clients and business and understand the laws around their obligation to secure that data.
“The number of tax professionals reporting data thefts to the IRS remains too high, and it puts tens of thousands of taxpayers at risk for identity theft,” Rettig said. “We hope tax professionals will use the Summit checklist as a starting point, not an end point, to protect their client’s data — and themselves. It’s not only a good business practice, it’s the law.”
Reporting schemes helps everyone
The IRS, states and tax industry share information about scams and schemes through their Identity Theft Tax Refund Fraud Information Sharing and Analysis Center, which allows the partners to rapidly respond to emerging threats. When tax professionals report data thefts to the IRS, it enables the partners to identify new schemes.
The ability to share information about emerging threats is critical to the ability to combat identity theft and refund fraud. Thieves are constantly creating new scams to trick tax professionals and taxpayers into divulging sensitive information.
The Security Summit reminds all tax professionals that they must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data (PDF), and Small Business Information Security: the Fundamentals (PDF) by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals (PDF), provides a compilation of data theft information available on IRS.gov. Also, tax pros should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.
Reminder: The Taxes-Security-Together Checklist
During this special Security Summit series, the checklist highlighted these key areas: