As cybersecurity threats evolve, tax professionals must adapt their security practices to protect sensitive client data. Recent IRS discussions highlight that traditional security measures, including the simple multi-factor authentication that most firms consider compliant, are no longer sufficient on their own.
Traditional multifactor authentication (MFA), while still necessary, is no longer adequate as a standalone security measure. Cybercriminals have developed sophisticated methods to bypass MFA through session cookie theft, making it essential to implement multiple layers of protection.
The modern tax professional needs to implement a comprehensive security approach that goes beyond basic authentication. Identity Protection PINs (IP PINs) have emerged as the new gold standard for preventing fraudulent returns, though they must be used in conjunction with other security measures. Multi-Factor Authentication remains a crucial component, particularly as it's required for compliance with FTC regulations and cyber liability insurance policies. Tax professionals should also consider implementing session management software such as Cisco Duo or Microsoft Azure AD, which provide advanced session monitoring and automated cookie expiration.
The industry is rapidly moving away from email-based client communication toward more secure alternatives. Secure client portals have become essential tools for modern tax practices. Solutions like ShareFile, SmartVault, CCH Axcess Portal, and Drake Software's SecureFile Pro offer encrypted file transfer and storage capabilities that significantly reduce security risks associated with traditional communication methods.
For smaller practices, an air gap implementation can provide robust security at a reasonable cost. This approach involves maintaining a dedicated offline computer for tax software and client data, separate from an internet-connected computer used for email and web browsing. A basic air gap setup typically costs between $500 and $1,500, making it an accessible option for many practitioners.
The IRS continues to expand its digital offerings to support tax professionals' security efforts. The online account monitoring system allows practitioners to verify CAF documents regularly. Upcoming features will include state tax withholding information in transcripts, online CAF address editing capabilities, and the ability to remove client CAF authorizations in bulk, streamlining practice management while maintaining security.
Meeting FTC requirements demands a structured approach to security. Practices must implement mandatory MFA, conduct regular security assessments, maintain written security policies, and document employee training. Cyber liability insurance adds another layer of compliance requirements, making it essential for tax professionals to verify MFA requirements in policy terms, document security measures for claims purposes, and regularly review policies to ensure alignment with evolving requirements.
Successful security implementation requires a systematic approach to monitoring and maintenance. Tax professionals should establish regular security audit schedules, including monthly reviews of active sessions, quarterly assessment of access logs, and annual security policy reviews. Client data management must include clear retention policies, regular cleanup procedures, and secure disposal protocols.
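The monthly review of active sessions can be partly automated. The sketch below is an added example, not code from the article or from any vendor named in it: it flags session cookies that are still accepted past a maximum age, and cookies presented by a different client than the one that completed MFA, which is the pattern session cookie theft leaves behind. The log layout, field names, finding codes and 12-hour limit are assumptions.

```python
from datetime import datetime, timedelta

MAX_SESSION_AGE = timedelta(hours=12)  # assumed policy value, not from the article

# Constructed sample data (not real logs): one row per event for a session cookie.
# (session_id, user, timestamp, source_ip, user_agent, event)
EVENTS = [
    ("s-101", "alice", "2025-01-06T09:00:00", "203.0.113.10", "Edge/131 Windows", "mfa_success"),
    ("s-101", "alice", "2025-01-06T09:20:00", "203.0.113.10", "Edge/131 Windows", "request"),
    ("s-102", "bob", "2025-01-06T08:30:00", "203.0.113.11", "Chrome/131 Windows", "mfa_success"),
    ("s-102", "bob", "2025-01-06T10:05:00", "198.51.100.77", "Firefox/128 Linux", "request"),
    ("s-103", "carol", "2025-01-03T14:00:00", "203.0.113.12", "Chrome/131 macOS", "mfa_success"),
    ("s-103", "carol", "2025-01-06T11:00:00", "203.0.113.12", "Chrome/131 macOS", "request"),
]


def review_sessions(events, max_age=MAX_SESSION_AGE):
    """Return {session_id: [finding codes]} for sessions that need follow-up."""
    origin = {}   # session_id -> (time, ip, user_agent) recorded when MFA succeeded
    flagged = {}  # session_id -> set of finding codes
    # ISO 8601 timestamps in one format sort correctly as strings.
    for sid, user, ts, ip, ua, event in sorted(events, key=lambda e: e[2]):
        when = datetime.fromisoformat(ts)
        if event == "mfa_success":
            origin[sid] = (when, ip, ua)
            continue
        reasons = set()
        if sid not in origin:
            # Cookie in use although no MFA completion was logged for it.
            reasons.add("NO_MFA_ON_RECORD")
        else:
            mfa_time, mfa_ip, mfa_ua = origin[sid]
            if when - mfa_time > max_age:
                # Automated cookie expiration is not being enforced.
                reasons.add("OLDER_THAN_MAX_AGE")
            if (ip, ua) != (mfa_ip, mfa_ua):
                # Same cookie, different client: possible replay of a stolen cookie.
                reasons.add("CLIENT_CHANGED_AFTER_MFA")
        if reasons:
            flagged.setdefault(sid, set()).update(reasons)
    return {sid: sorted(codes) for sid, codes in flagged.items()}


if __name__ == "__main__":
    for sid, codes in review_sessions(EVENTS).items():
        print(sid, ", ".join(codes))
```

A changed IP address or browser can be legitimate (a VPN, a phone switching networks), so these findings are prompts for review and forced re-authentication, not proof of compromise.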
Emergency response planning has become equally important. Practices should maintain documented breach response procedures, backup verification protocols, and prepared client notification templates in case of security incidents.
Tax professionals should approach security technology investments with both immediate and long-term considerations in mind. Initial focus should be on establishing fundamental security measures such as secure client portals and robust authentication systems. As practices grow, consideration should be given to more advanced solutions including cloud-based tax preparation platforms with built-in security features.
While no security system is completely impenetrable, tax professionals must demonstrate due diligence in protecting client data through multiple layers of security. The goal is not just to prevent breaches but to maintain compliance and show a proactive approach to security. As threats continue to evolve, staying current with security measures and regularly updating systems and protocols will remain crucial for tax professionals.
Christine Gervais is a licensed CPA, using her skills to help businesses grow and achieve their fullest potential. Christine has a Master’s degree in accounting from Southern New Hampshire University in addition to holding her CPA license for over a decade. Notably, Christine is a nationally recognized speaker providing education to other CPAs on how to best serve clients as well as instruction on a wide variety of topics for business owners on how to maximize success. Christine prides herself on the value she can bring to clients with her extensive tax knowledge and provides strategic, forward-thinking financial strategies to help clients grow. When not behind her desk, you can find Christine spending quality time with her daughter and stepson or tending to the family’s excessively loved farm animals.