It's no surprise that tax season is prime time for cyberattacks. With huge amounts of personal information constantly changing hands, tax season gives hackers ample fodder for launching attacks that range from phishing scams to remote computer takeovers. The IRS revealed over 90% of all returns are prepared using software, and more than 80% are filed electronically, with taxpayers storing the data on and sending it from their computers. The IRS has made its stance crystal-clear: It's the "legal responsibility of businesses and individuals that maintain, share, transmit, or store taxpayer data to have safeguards in place to protect client information." In fact, "Sec. 7216 imposes criminal and monetary penalties on tax preparers who knowingly or recklessly disclose return-related information." What are you doing to protect the sensitive data of your clients?
Let's define the two factors at play here: data and data protection. The IRS defines taxpayer data as "any information obtained or used in the preparation of a tax return." The Journal of Accountancy characterizes data protection as encompassing "all aspects of tax preparation: physical security, storage and transmission of data, and staff behavior."
The IRS recommends taking the following cybersecurity measures:
- Make sure physical devices and paperwork are locked behind closed doors
- Give your staff ID badges that act as keys
- Always secure taxpayer data, including data on hardware and media
- When sending data across networks, encrypt it
- Use your best judgement on enabling remote access to internal networks
- Take care in how you dispose of information (and don't keep taxpayer data of former employees)
- Make sure your email program is encrypted and secure
- Mandate password changes every two to three months
- Instruct your staff to use strong passwords on their computers and programs (and get help from IT enforcing this practice)
- Educate your staff on the latest forms of cyberattacks
- Communicate the risks of filing tax returns online to your clients and show them everything your firm does to protect their personal information
- Have a plan in place that includes how you'll notify your clients in case a data breach occurs
You probably have most of these measures in place already. If you don't, you're not alone. However, the time to bolster your security plan is now. Cyberthreats are getting worse, but there are many resources to help you enhance your security. For one, the IRS established the "Protect Your Clients; Protect Yourself" campaign, which "is intended to raise awareness among tax professionals on their responsibilities and the common-sense steps they can take to protect their clients from identity theft and to protect their businesses." The IRS also maintains Publication 4524, "Taxes. Security. Together.", which can help you teach your clients how to protect their own information, and security videos that offer best practices for data security and identity protection.
There’s no one-size-fits-all approach for protecting data, but by taking the steps above, you’ll be off to a great start. The best defense against cyberthreats is being proactive and developing a comprehensive strategy for your firm.