How to Update Your Tax Firm’s Data Safeguards Based on IRS Pub 4557

Protecting taxpayer information isn’t just good for clients and good for business – it’s also the law. Part of tax season readiness should include a review and update of your firm’s plan to safeguard taxpayer data.

The Gramm-Leach-Bliley Act requires that tax professionals create and implement a data security plan. Here are some of the important updates to Publication 4557, Safeguarding Taxpayer Data, and related actions tax professionals should take today to protect taxpayer data.

Create a Written Security Plan. Create a data security plan using IRS Publication 4557 and Small Business Information Security – The Fundamentals by the National Institute of Standards and Technology. The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an authorized IRS e-file provider.

Use Strong, Unique Passwords and Change Them Regularly. It is critical that all tax practitioners establish strong, unique passwords for all accounts, whether it’s to access a device, tax software products, cloud storage, wireless networks or encryption technology. The IRS recommends a minimum of eight characters; longer is better. Use a combination of letters, numbers and symbols such as XYZ, 567, or !@#. Use a password manager program to track passwords, but protect it with a strong password.

Use Multi-Factor Authentication (MFA). Whenever it is an option for a password-protected account, users also should opt for a multi-factor authentication process. Many email providers now offer customers two-factor authentication protections to access email accounts. Tax professionals should always use this option to prevent their accounts from being taken over by cybercriminals, and putting their clients and colleagues at risk. Two-factor authentication helps by adding an extra layer of protection. Often, two-factor authentication means the returning user must enter credentials (username and password) plus take another step such as entering a security code sent via text to a mobile phone. The idea is that a thief may be able to steal your username and password, but it’s highly unlikely they also would have your mobile phone to receive a security code and complete the process.

Drive Encryption. Use drive encryption to lock all files on your computer and on all devices. Drive encryption makes stored data unreadable by hackers until the user enters a password, at boot up or login, to access the drive data. Microsoft operating systems include encryption tools that may be configured to protect stored data. For example, Microsoft BitLocker Drive Encryption is an encryption feature available for recent Windows operating system.

Secure Wireless Networks. Take protective steps when setting up your router and wireless network. Change default administrative password of your wireless router; use a strong, unique password. Reduce the wireless range so you are not broadcasting further than you need. Choose a router name (Service Set Identifier – SSID) that is not personally or professionally identifying, and disable the SSID broadcast so that it cannot be seen by those who have no need to use your network. Use Wi-Fi Protected Access 2 (WPA-2) with the Advanced Encryption Standard (AES) for encryption.

Anti-Virus Security Software. Use anti-virus security software on all workstations, educate staff about phishing emails and scams, and watch for suspicious activity that might indicate a hack or data theft.

Educate Yourself. There are a number of resources to help navigate tax-related rules and regulations related to protecting data.

• IRS Publication 4557, Safeguarding Taxpayer Data, details critical security measures, includes information on how to comply with the FTC Safeguards Rule, and includes a checklist of items for a prospective data security plan.
• Protect Your Clients; Protect Yourself: Tax Security 101. Is an IRS and Security Summit series that provides tax professionals with basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.
• Intuit® ProConnect™ offers “Safeguarding Taxpayer Data,” a free webinar with more information to protect taxpayer data.

Safeguarding taxpayer data should feel routine now, but updating your security plan will always be necessary to keep up with changing technology and new tactics by hackers. Make a few updates now and sleep better at night.