IRS Releases Part 4 and 5 of a Five-Part Security Summit Tips for Tax Professionals during COVID-19

This article wraps up the last of the Security Summit’s five-part series called Working Virtually: Protecting Tax Data at Home and at Work. As a refresher, the Security Summit is made up of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials. The impetus for releasing this five-part series was to equip tax practitioners with specific strategies to assess and secure their home and office data, because many tax professionals are now working from home. This article explains the fourth and fifth tips that the Security Summit issued. The fourth tip reminds tax practitioners to be alert to and avoid phishing scams. The fifth tip reminds tax professionals that federal law requires them to have a written information security plan. The Security Summit further recommends that practitioners create an emergency response plan in case they experience a data theft.

Tip 4: Avoiding Phishing Scams
What should tax practitioners be on the lookout for to spot potential phishing scams? First, phishing emails can have an urgent message. For example, cybercriminals can send an email impersonating human resources or an administrator, asking the recipient to update their password or other personal information by clicking on a link. The link then takes the individual to a fake site that mimics the appearance of a trusted source and asks them to enter personal information. Or the email could contain an attachment for the recipient to click on that instead downloads malware onto their computer. Cybercriminals are now capitalizing on COVID-19 fears by presenting themselves as providers of face masks or personal protective equipment in short supply. Tax professionals should also beware of emails from criminals posing as potential clients. Tax practitioners should thus stay vigilant in scanning all emails and err on the side of caution rather than clicking on any email attachment or any link in an email. When in doubt, taxpayers and tax preparers can forward suspicious emails posing as the IRS to phishing@irs.gov.

Lastly, because phishing scams are commonplace, and often successful, the Security Summit urges tax professionals to educate all office personnel about the dangers and risks of opening suspicious emails – especially during the COVID-19 period.

Tip 5: Make a Plan for Protecting Data and Reporting Theft
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires that tax professionals have a written security plan in place to safeguard their clients’ tax data. This federal law is administered and enforced by the Federal Trade Commission (“FTC”). The FTC underscores that a tax preparer’s security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. Therefore, a security plan for a solo tax practitioner would differ from a global firm’s security plan. On the other hand, the FTC does have requirements that apply to all tax companies, irrespective of their size and complexity.

Each tax institution must:
● Designate one or more employees to coordinate its information security program;

● Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;

● Design and implement a safeguards program, and regularly monitor and test it;

● Select service providers that can maintain appropriate safeguards, making sure the contract requires them to maintain safeguards, and oversee their handling of customer information; and

● Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Failure to have a data security plan may result in an FTC investigation. The IRS may also treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which stipulates the rules for tax professionals participating as an Authorized IRS e-file Provider.

On July 10, 2019, the IRS created this YouTube video to reiterate that all tax preparers must have a written security plan. The video also reiterates the basic requirements for how tax preparers can safeguard taxpayer data. As an additional tool, you can revisit the “Taxes-Security-Together” Checklist that the Security Summit rolled out during the summer of 2019 as a starting point for analyzing office data security. You can also look at IRS Publication 4557, Safeguarding Taxpayer Data (PDF), which details critical security measures that all tax professionals should enact. Finally, the Security Summit noted that the FTC is currently re-evaluating the Safeguards Rule and has proposed new regulations. Therefore, tax preparers should be alert to any changes in the Safeguards Rule and their effect on the tax preparation community.

Creating a Data Theft Response Plan; Report Data Thefts to the IRS
The Security Summit also recommends that all tax practitioners create a response plan so that they have steps in place should they experience a data theft. If a client or the tax firm is the victim of data theft, the Security Summit states that they should immediately:

Report it to the local IRS Stakeholder Liaison. Stakeholder Liaisons will notify IRS Criminal Investigation and others within the agency. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist through the process.

Email the Federation of Tax Administrators at statealert@taxadmin.org. Get information on how to report victim information to the states. Most states require that the state attorney general be notified of data breaches. This notification process may involve multiple offices.

Cyber attackers could also steal a tax practitioner’s identity. Tax practitioners should regularly check their IRS e-Services e-File Application to see a weekly count of tax returns filed with their Electronic Filing Identification Number (“EFIN”). Excessive filings are a sign of data theft. E-file applications should also be kept up to date. Circular 230 practitioners can also review weekly the number of tax returns filed using their Preparer Tax Identification Number (“PTIN”). Excessive filings are also a sign of data theft.

As always, tax professionals should take advantage of the additional resources the IRS provides related to security recommendations and questions in Publication 4557, Safeguarding Taxpayer Data (PDF), as well as the National Institute of Standards and Technology’s (NIST) Small Business Information Security: The Fundamentals (PDF).

VW Contributor: Skylar Young
© 2020 Vandenack Weaver LLC
For more information, Contact Us

CBD Sellers Beware: FTC Issues Warnings on CBD Marketing Practices

By Ryan Coufal

On September 10th, 2019, the Federal Trade Commission (“FTC”) sent warning letters to three companies that sell oils, tinctures, capsules, “gummies,” and creams which contain cannabidiol (“CBD”), a chemical compound derived from the cannabis plant. While the FTC did not identify the companies publicly, the letters warn that it is illegal to advertise that a product can prevent, treat, or cure human disease without reliable scientific evidence to support such claims.

The companies’ websites claim that CBD products “‘work like magic’ to relieve ‘even the most agonizing pain,’” are a “miracle pain remedy,” and are highly effective at treating “the root cause of most major degenerative diseases.” The websites then promote that CBD treats a whole host of diseases including: cancer, Alzheimer’s disease, multiple sclerosis (MS), fibromyalgia, cigarette addiction, colitis, autism, anorexia, bipolar disorder, post-traumatic stress disorder, schizophrenia, anxiety, depression, Lou Gehrig’s Disease (ALS), stroke, Parkinson’s disease, epilepsy, brain injuries, diabetes, Crohn’s disease, psoriasis, AIDS, arthritis, and heart disease, with one of the websites even stating the treatment is “clinically proven.”

In its letters, the FTC instructs the companies to review all claims made about their products, including consumer testimonials, to ensure such claims are supported by competent and reliable scientific evidence. Making such unsubstantiated claims can be in direct violation of sections of the FTC Act, 15 U.S.C. §§ 45(a) and 52, which regulate advertising. Additionally, such claims can violate the Federal Food, Drug, and Cosmetic Act (FDCA), 21 U.S.C. § 321(g)(1)(B), which is regulated by the U.S. Food and Drug Administration (FDA). On March 28, 2019, the FTC and FDA jointly sent similar warnings to three different CBD companies about their marketing practices, with the FDA taking the stance that such marketing practices are evidence that CBD products are intended to be used as drugs, which require extensive testing and FDA approval before marketing the products in such a manner. Making a claim that CBD is a drug that can cure disease when it has not been approved by the FDA could create the potential for violation of the FDCA.

The FTC gave the latest three companies fifteen (15) days to notify the agency of the specific actions they have taken to correct the agency’s concerns.  Companies that sell CBD products should take note of the marketing practices the FTC and FDA are regulating and review all claims made about their CBD products and ensure they are backed by reliable and competent scientific evidence, and ensure they are not marketing CBD products as drugs under the FDCA.

© 2019 Vandenack Weaver LLC

Tax Related Identity Theft Awareness

The holiday season is underway, and while this is a time for family events and holiday parties, it is also the time when many identity theft scams occur. The Internal Revenue Service (IRS) has started alerting taxpayers about potential tax-related identity theft and providing advice on how to prevent threats to your identity.

For prevention, the initial steps include ensuring use of security software on devices, use of secure wireless networks, and never providing sensitive data when replying to emails, texts, or pop-up ads. For individuals that are hit with tax-related identity theft, it may not become apparent until attempting to file taxes or receiving a notice from the IRS and finding out that a tax return has been filed on your behalf. When this occurs, file a complaint with the Federal Trade Commission (FTC) at https://www.identitytheft.gov/, file a report with the credit agencies, and contact the IRS. Importantly, regardless of the situation, ensure that your taxes are filed and paid, even if it requires filing in paper form.

Taking steps now to add layers of security for your social security number and other sensitive data can help prevent tax-identity theft in the future. If you have questions, please contact the attorneys at Vandenack Weaver LLC.

© 2016 Vandenack Weaver LLC

Initial Steps for Victims of Tax Related Identity Theft

As the 2016 tax season comes to a close, many taxpayers may have discovered they were victims of identity theft. Taxpayers often discover that they have been a victim of identity theft after they receive information that a tax return has already been filed using their social security number. If you are e-filing and a return has already been filed, your filing will likely be rejected. If the IRS suspects identity theft, you will receive Letter 5071C, which will request you verify your identity. Such verification can be completed online at https://idverify.irs.gov/IE/e-authenticate/welcome.do.

After discovering that you have been a victim of identity theft, you should take multiple actions to protect your identity and correct any fraudulent returns with the IRS. It is recommended that you contact the FTC at identitytheft.gov and contact one of the major credit bureaus to place a fraud alert on your credit. If you have received a notice from the IRS or your attempt to e-file a return was denied, you should immediately contact the IRS. If your e-filing has been denied and you believe it is related to identity theft, you must complete Form 14039, Identity Theft Affidavit. Form 14039, a paper copy of your return, and any required payment of tax should be mailed to the IRS.

If issues persist related to any fraudulently filed tax returns, additional information can be obtained from the IRS’s website, https://www.irs.gov/, or by contacting Vandenack Williams LLC.

© 2016 Vandenack Williams LLC