UPDATE, Jan. 11, 2023: Computer incidents made today a bad day to fly in the United States and Canada, or try to send international mail in the United Kingdom. But those crashes make it a good day to double check your personal and business cyber security plans. The IRS has some tips and guidance for tax professionals' data reliability and protection.
The Internal Revenue Service relies on taxpayers and tax professionals to help ensure that our national tax system is secure. These efforts are particularly critical as the federal tax agency goes more electronic.
It's also a legal requirement for tax professionals.
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act after the names of its primary Congressional sponsors, mandates that financial institution companies ensure the security and confidentiality of any and all consumer information they collect. The Federal Trade Commission administers the law.
Tax professional tax preparers are included in the law's definition of financial institutions. That means tax preparers must create a written security plan.
A new security plan guideline: Under the FTC's rules, information security programs "must be written and it must be appropriate to the size and complexity of your business, the nature and scope of your activities, and the sensitivity of the information at issue."
Tax data, obviously, is incredibly sensitive.
"But for many tax professionals, it is difficult to know where to start when developing a security plan," said Carol Campbell, director of the IRS Return Preparer Office.
So the IRS and its Security Summit partners — representatives of state revenue departments and the tax industry — have created a have created a document to help tax professionals develop a written security plan dubbed WISP for Written Information Security Plan. Led by the Summit's Tax Professionals Working Group, the 29-page WISP guide is downloadable as a PDF document.
Since security issues for a tax professional can be daunting, the document walks tax pros through the many considerations needed to create a plan that protects their businesses, clients, and complies with federal law.
Plain(er) English security steps: "We have tried to stay away from complex jargon and phrases so that the document can have meaning to a larger section of the tax professional community," said Campbell, who also is co-lead of the Security Summit tax professional group. "It is not intended to be the final word in Written Information Security Plans, but it is intended to give tax professionals a place to start in understanding and attempting to draft a plan for their business."
Jared Ballew of Drake Software, is the other tax professional team lead and incoming chair of the Electronic Tax Administration Advisory Committee (ETAAC), noted that beyond being a legal requirement, having a written security plan is a sound business practice.
"The sample provides a starting point for developing your plan, addresses risk considerations for inclusion in an effective plan and provides a blueprint of applicable actions in the event of a security incident, data losses and theft," said Ballew.
Other security plan resources: In addition to the WISP guide, tax professionals can get help with security recommendations in IRS Publication 4557, Safeguarding Taxpayer Data, as well Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology.
And security concerns aren't just for professionals. All taxpayers need to be aware of ways to safeguard their personal financial and tax data. A review of the WISP document can help us, too, as we work to avoid tax scams and identity theft schemes.
You also might find these items of interest:
- Be ready for the worst: Create a tax data theft recovery plan
- IRS employee misconduct cited in accessing taxpayer accounts
- Tax-exempt bond spear phishing effort is latest tax pro security threat