Tax filing season 2020 starts Monday, Jan. 27
2019 tax return filing checklist, including the documents itemizers need to fill out Schedule A

Tax preparers filing season prep: A written security plan


The tax world is atwitter, literally on social media and figuratively for those not addicted to the sociability component of their electronic devices, now that the Internal Revenue Service is already accepting business tax returns and will start taking 2019 tax year 1040 forms from individuals on Jan. 27.

Everyone, from taxpayers to income payers to tax professionals are already at work, with most at this point gathering data in preparation for the actual filings.

For tax professionals, that includes a written security plan to safeguard all the sensitive tax and financial information they handle for their clients.

Tax data treasure trove: Tax data contains some of the most sensitive information about the 150 million or so of us who will submit returns this year.

Official earnings statements (like W-2, 1099 and other tax-related forms) and year-end statements (from our checking, savings, retirement and investments accounts) all contain our names, addresses, account numbers and, of course, our Social Security numbers.

Much of the info on these documents will find its way onto our annual tax returns.

By now, we all are terrified by well aware of the lure this info poses to identity thieves and other criminals. So we're careful to ensure that this crucial data is protected.

Tax pro security required: Reputable tax preparers that millions of us hire to handle our taxes also are on guard against tax season identity theft.

But just to be sure, Uncle Sam demands that these tax pros have a written security plan in place to safeguard all their clients' tax data.

It's a requirement of the Financial Services Modernization Act of 1999 and administered by the Federal Trade Commission.

Why tax professionals are required
to create a written information security plan.

The Gramm-Leach-Bliley Act (GLBA), popularly known by its
Congressional authors' names but officially known as
the Financial Services Modernization Act of 1999, mandates that
companies defined under the law as "financial institutions"
ensure the security and confidentiality
of any and all consumer information they collect.

Professional tax preparers are included
in the law's definition of financial institutions

As part of its implementation of the GLBA in 2003, the Federal Trade Commission (FTC) issued the Safeguards Rule. This requires the affected financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

Specifically, the Safeguards Rule requires companies, including tax professionals and their offices, to develop a written information security plan that describes their program to protect customer information.

Security plan specific: The FTC, cognizant that not all tax preparers (like taxpayers) are not alike, offers tax pros some leeway in creating their plan.

Basically, says the FTC, a tax preparer's security plan must be appropriate to the company's size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. 

That said, the FTC does have certain, absolute requirements.

It demands that each financial institution:

  • Designate one or more employees to coordinate its information security program;
  • Identify and assess the risks to customer information in each relevant area of the company's operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • Design and implement a safeguards program, and regularly monitor and test it;
  • Select service providers that can maintain appropriate safeguards, making sure the contract requires them to maintain safeguards, and oversee their handling of customer information; and
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

Keep these guidelines in mind as you create or reassess and update your written information security plan.

Cybersecurity specs could be added: Also note that The FTC is doing some re-evaluating itself of its Safeguards Rule. Specifically, in this growing age of online connectivity, the FTC is proposing adding detailed cybersecurity requirements to the GLBA requirements.

"While our original groundbreaking Safeguards Rule from 2003 has served consumers well, the proposed changes are informed by the FTC’s almost 20 years of enforcement experience," said Andrew Smith, Director of the FTC's Bureau of Consumer Protection. "It also shows that, where we have rule-making authority, we will exercise it as necessary to keep up with marketplace trends and respond to technological developments."

Some of the proposed changes include requiring:

  • customer information to be encrypted, both in transit and at rest;
  • implementation of multi-factor authentication for any individual accessing customer information;
  • regular testing and continuous monitoring of relevant key controls, systems and procedures; and
  • development of procedures for the secure disposal of customer information in any format that is no longer necessary for their business operations or other legitimate business purposes.

Comments on the FTC proposals closed last August. Tax professionals should be alert for any of these potential changes in the Safeguards Rule and, where possible, get ahead of the FTC and implement them now.

IRS' tax security efforts, too: The IRS and its Security Summit partners also have been working to educate tax professionals (and their clients) about the need for adequate (or more) safeguards when it comes to identity theft precautions.

TaxSecurityTogether_IRS Security Summit logo

The reason is simple. Crooks know that one big haul from a tax preparation office is a much easier way to get their hands on beau coups data that gives them the ability to file hundreds or fake tax returns seeking fraudulent refunds.

That's so much easier and more efficient than stealing our identities one at a time. (If only these scammers used their skills for legal efforts, the economy would be in even better shape!)

So the IRS reiterated the FTC security plan requirements in a recent security tip for tax preparers.

Such educational efforts appear to have paid off, with the professional tax community has made notable security protection progress.

"The Security Summit partners have made great progress against tax-related identity theft," said IRS Commissioner Chuck Rettig.

But, noted the commish, "we need to do more, and we need the help of taxpayers and tax professionals to continue our momentum. We all have a role to play, especially tax professionals that remain among the most coveted of targets by identity thieves."

Hence, the reminder to tax pros, if they haven't already, to create that written information security plan.

IRS added ID theft prevention tips: The IRS' security plan YouTube video (that's a screen shot below) highlights the written info security plan key points.

Tax preparer written security plan IRS video screenshot-cropped

Tax preparers also can get more details from IRS Publications 4557, Safeguarding Taxpayer Data, and 5293, Data Security Resource Guide for Tax Professionals.

And you — and by you, I mean tax pros and all us individual filers — also should check out the IRS Security Summit's "Taxes. Security. Together." online page.

It has tips and links for taxpayers, businesses and tax pros on the information security steps we all can take, during the 2020 tax filing season and beyond.

You also might find these items of interest:





Feed You can follow this conversation by subscribing to the comment feed for this post.

The comments to this entry are closed.