IRS Reminds Tax Pros to Use Strong Passwords, Encryption to Protect Taxpayer Data

Practice Management Email in a tax firm

The IRS and its Security Summit partners urge all tax professionals to use strong passwords to protect accounts from cyberthieves and to consider encryption for all sensitive data.

Strong password and encryption protocols should be standard features of any data security plan that must be created by all professional tax return preparers. The Electronic Tax Administration Advisory Committee (ETAAC) noted in its recent annual report to Congress that many tax pros do not have data security plans that are required by the Federal Trade Commission.

This is the third in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.

Although the Security Summit is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices is on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.

In recent months, cybersecurity experts’ recommendations on what constitutes a strong password has changed. They now suggest that people use word phrases that are easy to remember, rather than random letters, characters and number that cannot be easily recalled.

For example, experts formerly suggest something like “PXro#)30” but now suggest a phrase like “SomethingYouCanRemember@30.” By using a phrase, you don’t have to write down your password and expose it to more risk. Also, people may be more willing to use strong, longer passwords if it’s a phrase rather than random characters.

Strengthen Your Password

It is critical that all tax practitioners establish strong, unique passwords for all accounts, whether it’s to access a device, tax software products, cloud storage, wireless networks or encryption technology. Here’s how to get started:

  • Use a minimum of eight characters; longer is better.
  • Use a combination of letters, numbers and symbols, i.e., XYZ, 567, !@#.
  • Avoid personal information or common passwords; opt for phrases.
  • Change default/temporary passwords that come with accounts or devices.
  • Do not reuse passwords, e.g., changing Bgood!17 to Bgood!18 is not good enough; use unique usernames and passwords for accounts and devices.
  • Do not use your email address as your username if that is an option.
  • Store any password list in a secure location, such as a safe or locked file cabinet.
  • Do not disclose your passwords to anyone for any reason.
  • Use a password manager program to track passwords, but protect it with a strong password.

Whenever it is an option for a password-protected account, users also should opt for a multi-factor authentication process. Many email providers now offer customers two-factor authentication protections to access email accounts. Tax professionals should always use this option to prevent their accounts from being taken over by cybercriminals and putting their clients and colleagues at risk.

Two-factor authentication helps by adding an extra layer of protection. Often two-factor authentication means the returning user must enter credentials (username and password) plus another step such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal your username and password, but it’s highly unlikely they also would have your mobile phone to receive a security code and complete the process.

Some providers of tax software products for tax professionals offer two-factor or even three-factor authentication. Tax practitioners should use the most secure option available, not only for your tax software, but other products such as email accounts and storage provider accounts. If hosting your own website, also consider some other form of multi-factor authentication to further increase your login security.

Password-protect data encryption also is critical to protecting client information. Cybercriminals work hard through various tactics to penetrate your network or trick you into disclosing passwords. They may steal the data, hold the data for ransom or use your own computers to complete and file fraudulent tax returns.

Basic Steps for Encrypting Client Data

Here are a few basic steps about encryption and protecting client data stored on your systems:

  • Use drive encryption to lock all files on your computer and on all devices. Drive or disk encryption often is a stand-along software product. It converts text on files into an unreadable format for anyone who makes an unauthorized access. Entering the password unlocks the files for legitimate users.
  • Backup encrypted copies of client data to external hard drives (USBs, CDs, DVDs) or use cloud storage. If you use external drives, keep them in a secure location. If you use cloud storage, encrypt the data before uploading to the cloud.
  • Avoid attaching USB drives and external drives with client data to public computers.
  • Avoid installing unnecessary software or applications to the business network; avoid offers for “free” software, especially security software, which is often a ruse by criminals; download software or applications only from official sites.
  • Perform an inventory of devices where client tax data are stored, i.e., laptops, smart phones, tablets, external hard drives, etc.; inventory software used to process or send tax data, i.e., operating systems, browsers, applications, tax software, web sites, etc.
  • Limit or disable internet access capabilities for devices that have stored taxpayer data.
  • Delete all information from devices, hard drives, USBs (flash drives), printers, tablets or phones before disposing of devices; some security software include a “shredder” that electronically destroys stored files.
  • Physically destroy hard drives, tapes, USBs, CDs, tablets or phones by crushing, shredding or burning; shred or burn all documents containing taxpayer information before throwing away.

In addition to these steps, the Security Summit reminds all professional tax preparers that you must have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. You also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology. Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation data theft information available on IRS.gov.