IRS Releases Part 4 and 5 of a Five-Part Security Summit Tips for Tax Professionals during COVID-19

This article wraps up the last of the ​Security Summit’s​ five-part series called Working Virtually: Protecting Tax Data at Home and at Work. ​As a refresher, the Security Summit is made up of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials. The impetus for releasing this five-part series was to equip ​tax practitioners with specific strategies to assess and secure their home and office data, due to the fact that many tax professionals are not working from home.​ ​This article explains the fourth and fifth tips that the Security Summit issued. The fourth tip reminds tax practitioners to be alert of and avoid phishing scams. The fifth tip reminds tax professionals that federal law requires them to have a written information security plan. The Security Summit further recommends that practitioners create an emergency response plan if they experience a data theft.

Tip 4: Avoiding Phishing Scams
What should tax practitioners be on the lookout for to spot potential phishing scams? First, phishing emails can have an urgent message. For example, cybercriminals can send an email impersonating human resources or an administrator asking for the recipient to update their password or other personal information by clicking on a link. The link will then take the individual to a fake site that feigns the appearance of a trusted source requesting them to insert personal information. Or, the email could contain an attachment for the recipient to click on that instead downloads malware on their computer. Now cybercriminals are capitalizing on COVID-19 fears ​by presenting themselves as providers of face masks or personally protective equipment in short supply. Tax professionals should beware of emails from criminals posing as potential clients. Tax practitioners should thus stay vigilant in scanning all emails and urge on the side of caution rather than clicking on any email attachment or any link in an email. When in doubt, taxpayers and tax preparers can forward suspicious emails posing as the IRS to phishing@irs.gov.

Lastly, because phishing scams are commonplace, and often successful, the Security Summit urges tax professionals to educate all office personnel about the dangers and risks of opening suspicious emails – especially during the COVID-19 period.

Tip 5: Make a Plan for Protecting Data and Reporting Theft
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley ACT, requires that tax professionals have a written security plan in place to safeguard their client’s tax data. This federal law is administered and enforced by the Federal Trade Commission (“FTC”). The FTC underscores that a tax preparer’s security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Therefore, a security plan for a solo tax practitioner would differ from a global firm’s security plan. On the other hand, the FTC does have requirements that apply to all tax companies, irrespective of their size and complexity.

Each tax institution must:
● Designate one or more employees to coordinate its information security program;

● Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate its effectiveness of the current safeguards for controlling these risks;

● Design and implement a safeguards program, and regularly monitor and test it;

● Select service providers that can maintain appropriate safeguards, making sure the contract requires them to maintain safeguards, and oversee their handling of customer information; and

● Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Failure to have a data security plan may result in an FTC investigation. The IRS may also treat a violation of the FTC safeguards rule as a violation of the IRS Revenue Procedure 2007-40 which stipulates the rules for tax professionals participating as an Authorized IRS e-file Provider.

On July 10, 2019, the IRS created this ​youtube video​ to reiterate that all tax preparers must have a written security plan. The video also reiterates the basic requirements for how tax preparers can safeguard taxpayer data. And, as an additional tool, you can revisit the “Taxes-Security-Together” Checklist​ the Security Summit rolled out during the 2019 summer as a starting point for analyzing office data security. You can also look at IRS ​Publication 4557, Safeguarding Taxpayer Data (PDF)​, which details critical security measures that all tax professionals should enact. Finally, the Security Summit noted that the FTC is currently re-evaluating the Safeguards Rule and has proposed new regulations. Therefore, tax preparers should be alert to any changes in the Safeguards Rule and its effect on the tax preparation community.

Creating a Data Theft Response Plan; Report Data Thefts to the IRS
The Security Summit also recommends that all tax practitioners create a response plan so that they have steps in place should they experience a data theft. If a client or the tax firm are the victim of data theft, the Security Summit states that they should immediately:

Report it to the ​local IRS Stakeholder Liaison​. ​Stakeholder Liaisons will notify IRS Criminal Investigation and others within the agency. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist through the process.

Email the Federation of Tax Administrators at statealert@taxadmin.org. ​Get information on how to report victim information to the states. Most states require that the state attorney general be notified of data breaches. This notification process may involve multiple offices.

Cyber attackers could also steal a tax practitioner’s identity too. Tax practitioners should
regularly check their IRS e-Services e-File Application to see a weekly count of tax returns filed with their Electronic Filing Identification Number (“EFIN”). Excessive filings are a sign of data theft. E-file applications should also be kept up to date. Circular 230 practitioners also can review weekly the number of tax returns filed using their Preparer Tax Identification Number (“PTIN”). Excessive filings are also a sign of data theft.

As always, tax professionals should take advantage of the additional resources the IRS provides related to security recommendations and questions in ​Publication 4557 Safeguarding Taxpayer Data​ (PDF), as well as the National Institute of Standards and Technology (NIST’s) Small Business Information Security: The Fundamentals​ (PDF).

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

Circuit Split on Data Breach Litigation

On March 25th, 2019, the Supreme Court denied review of a case involving individuals whose personal information held in a database was breached by hackers. Specifically, the issue was whether the parties requesting review had Article III “standing” to sue due to the database breach.

Standing is the authority of a court to hear a case. For the court to exercise such authority, the court will only hear cases based on events that cause actual injuries or create real threats of imminent harm to individuals who brought the case. The D.C. Circuit Court in its ruling of June 21st, 2019 deepened the split among contradicting circuit rulings. The D.C. Circuit Court ruled the petitioning party had standing to bring the case due to the breach of 21.5 million social security numbers, birth dates, and residency details of former, current, and prospective employees. The court held that, the plaintiff’s fear of facing a substantial risk of future identity theft met the burden to establish standing.

While the Sixth, Seventh, and Ninth circuits have similarly concluded that a heightened risk of identity theft is sufficient for individuals to possess standing to sue; the Second, Third, Fourth, and Eighth Circuits have ruled in the opposite direction. Distinct facts from this  latest data breach case include the nature of the defendant being a federal government agency and the alleged identity of the hacker being a foreign government entity where the breach was executed for purposes other than identity theft. Nonetheless, the D.C. Circuit Court found the federal government agency liable as well as Office of Personnel Management’s (OPMs) third-party vendor, despite the contract between the two parties. The Supreme Court may need to review and rule on this crucial issue in the near future given the current split of authority.

© 2019 Vandenack Weaver LLC

For more information, Contact Us