Cyber Security Basics for the Tax Practice
Recognize that tax-return fraud is still a threat. Master the basics of cybersecurity to shield your tax practice against a devastating theft of client data.
If you work in an accounting firm tax practice, you are a tempting target for cybercriminals. You already know this, of course. But since you regularly work with client tax data and tax returns, it’s easy to downplay the risk of becoming a cybercrime victim, especially of identity theft tax refund fraud (IDTTRF). We’re here to remind you the risk is real. Tax scammers continue to steal personally identifiable information (PII). And they continue to pocket IRS refunds in your clients’ names, typically by filing a fraudulent return before the legitimate taxpayer has filed.
Develop a Data Security Plan
The Gramm-Leach-Bliley Act requires tax professionals, who count as financial institutions under the act, to develop a written data security plan to safeguard client information. It should reflect your firm’s size and structure, the type of work it performs and the sensitivity of the client information with which it works. The Federal Trade Commission (FTC) enforces this requirement, known as the Safeguards Rule.
Once you have a plan, distribute it widely among your team and require they read it.
Determine Your Plan’s Scope
As mentioned earlier, your data security plan’s scope should reflect your firm’s nature. The more sensitive client data you store locally or in the cloud, and the more extensive your use of this information, the more threat mitigation steps your plan should include. In general, according to the IRS, your preventive steps will fall into three main areas:
- Employee management and training
- Information systems
- Detecting and managing system failures
To review a comprehensive list of useful safeguards, see the IRS publication Safeguarding Taxpayer Data: A Guide for Your Business (Publication 4557).
Identify and Safeguard Client PII
We can’t stress this highly enough: Know what client PII lives on your computers. Scammers who commit identity theft tax refund fraud steal client data that allows them to fabricate a false tax return and claim the refund. Seizing data such as name, address, Social Security number, wage and income reports (W-2s and 1099s) and prior tax returns is their holy grail. With this information in hand, they can easily prepare a return and file for a refund in someone else’s name.
The IRS recommends the following preventive measures to keep your clients’ tax data safe:
- Inventory all PII stored locally and in the cloud. Make sure it’s locked down tight and only people with appropriate privileges can access it.
- When you store client data on a server or other device, make it accessible only to those who present a strong, unique password and a second factor (MFA); the FTC’s amended Safeguards Rule requires multi-factor authentication for anyone accessing customer information. Also, keep the device in a physically secure location.
- When communicating client information over email, make sure the connection uses Transport Layer Security (TLS). Its predecessor, Secure Sockets Layer (SSL), is obsolete and should be disabled. Keep in mind that TLS only protects a message while it is in transit between mail servers, not once it sits in a mailbox.
- Encrypt the file itself before sending PII or other financial information by email, so that only the intended recipient can open it. Even better, rather than relying on email, send data using the Secure File Transfer Protocol (SFTP) or an encrypted client portal.
Finally, when disposing of records that include PII, use secure methods and follow the FTC’s Disposal Rule.
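The first safeguard above, inventorying PII, is easier to keep honest with a small sweep that flags files holding SSN-, ITIN- or EIN-shaped values. The following Python script is an added example, not code from the original article or from the IRS guidance: the patterns are heuristics that surface candidates for a human to review, the file extensions it scans are an assumption, and the sample files it builds are constructed, not real client data.

```python
import re
import tempfile
from pathlib import Path

# Heuristic patterns for the PII a tax practice handles. They flag candidates
# for review, not proof: a dashed 9-digit number is not always an identifier.
PII_PATTERNS = {
    # SSN/ITIN: area 000 and 666, group 00 and serial 0000 are never issued.
    "ssn_itin": re.compile(r"\b(?!000|666)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"),
    # EIN: two digits, dash, seven digits.
    "ein": re.compile(r"\b\d{2}-\d{7}\b"),
}

# Plain-text formats worth scanning (assumption). Binaries such as PDFs need a
# text extractor first and are skipped here.
TEXT_SUFFIXES = {".txt", ".csv", ".log", ".json", ".xml", ".html", ".md"}


def mask(value: str) -> str:
    """Keep only the last four digits so the inventory is not itself a PII store."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> dict:
    """Return {kind: sorted masked matches} for every PII pattern found in text."""
    found = {}
    for kind, pattern in PII_PATTERNS.items():
        hits = {mask(m.group(0)) for m in pattern.finditer(text)}
        if hits:
            found[kind] = sorted(hits)
    return found


def scan_tree(root: Path) -> list:
    """Walk a directory and list every scannable file that holds PII candidates."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in TEXT_SUFFIXES:
            continue
        try:
            text = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: skip it rather than abort the whole sweep
        found = scan_text(text)
        if found:
            findings.append({"path": str(path.relative_to(root)), "pii": found})
    return findings


def demo() -> list:
    """Build a constructed sample tree (fictitious data) and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "clients").mkdir()
        (root / "clients" / "smith_2023.txt").write_text(
            "Taxpayer: J. Smith  SSN: 123-45-6789  Spouse SSN: 987-65-4320\n")
        (root / "clients" / "acme_w2.csv").write_text(
            "employer_ein,wages\n98-7654321,52000\n")
        # A phone number and a date must not be reported as identifiers.
        (root / "notes.txt").write_text(
            "Call client Tuesday 2024-03-05 at 555-123-4567.\n")
        (root / "scan.jpg").write_bytes(b"\xff\xd8\xff")  # binary, skipped
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["path"], finding["pii"])
```

Run it against the directories where returns and source documents are stored; the masked output tells you which files to lock down, move to the encrypted store or dispose of under the Disposal Rule, without creating another copy of the identifiers.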
Appoint a Data Security Coordinator
Your firm should name a staff person to coordinate the development and maintenance of your data security plan. Given the technical knowledge involved, consider retaining a qualified information security professional or firm to help you craft and implement your plan.
Provide Staff Training
Your data security plan will only be as good as those who implement its provisions. To that end, make sure every new staffer agrees in writing to follow your data security standards. Then train them to follow measures that preserve the confidentiality and integrity of client PII. These steps include, but aren’t limited to:
- Encrypting sensitive client data before sending it over the internet.
- Referring third-party requests to access client PII to qualified team members.
- Reporting all suspicious attempts to access and use client data in unlawful ways.
Monitor and Test Your Data Security Plan for Weaknesses
Developing a data security plan is not a “one and done” exercise. Once created, monitor how well it performs. If you uncover weaknesses or have a security breach, assess and revise your plan to prevent repeat incidents.
The IRS offers the following tips to help you maintain strict data security:
- Log activity on your network and systems, and review the logs for evidence of unauthorized access to or use of client data.
- Install an intrusion detection system and keep its software and signatures current.
- Watch for large volumes of data sent to unknown individuals or locations.
- Insert a decoy record into your client lists. No legitimate workflow ever touches it, so any access to it, or any financial transaction in its name, is a reliable sign of misuse.
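The monitoring tips above combine naturally into one detection pass over access logs: any touch of the decoy record is an alert, and export volume per user to destinations outside an allowlist is totalled and compared against a threshold. The Python below is an added example, not code from the original article, the IRS or any particular product. The log format, the decoy client ID, the allowed destinations and the byte threshold are all assumptions, and the log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format (assumption, not any real product's): one event per line.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"client=(?P<client>\S+) bytes=(?P<bytes>\d+) dest=(?P<dest>\S+)$"
)

# The decoy (honeytoken) client: looks real in the client list, but no
# preparer is ever assigned to it, so every access is suspect.
CANARY_CLIENT = "C-9999"
# Destinations an export may legitimately go to (assumption for the example).
ALLOWED_DESTS = {"internal", "portal.example-firm.test", "irs-efile"}
# Bytes a single user may export to one unknown destination before alerting.
EXFIL_THRESHOLD = 5 * 1024 * 1024

# Constructed sample log: alice works normally, bob reads the decoy and then
# exports two client files to an unknown address, carol's export stays small.
SAMPLE_LOG = """\
2024-03-04T09:12:01 user=alice action=view client=C-1042 bytes=2048 dest=internal
2024-03-04T09:15:22 user=alice action=export client=C-1042 bytes=4096 dest=irs-efile
2024-03-04T11:02:09 user=bob action=view client=C-9999 bytes=1024 dest=internal
2024-03-04T11:03:40 user=bob action=export client=C-1042 bytes=3145728 dest=203.0.113.7
2024-03-04T11:04:02 user=bob action=export client=C-1101 bytes=3145728 dest=203.0.113.7
this line is corrupt and must be skipped, not crash the review
2024-03-04T13:30:00 user=carol action=export client=C-1205 bytes=1048576 dest=dropbox.example
"""


def parse(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["bytes"] = int(event["bytes"])
    return event


def detect(lines) -> list:
    """Return alerts: decoy-record access and bulk export to unknown destinations."""
    alerts = []
    outbound = defaultdict(int)  # (user, dest) -> bytes exported
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        if event["client"] == CANARY_CLIENT:
            alerts.append(("canary_access", event["user"], event["ts"], event["action"]))
        if event["action"] == "export" and event["dest"] not in ALLOWED_DESTS:
            outbound[(event["user"], event["dest"])] += event["bytes"]
    for (user, dest), total in sorted(outbound.items()):
        if total > EXFIL_THRESHOLD:
            alerts.append(("bulk_export_unknown_dest", user, dest, total))
    return alerts


def run_sample() -> list:
    """Run the detections over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

Two design points carry over to a real deployment: the decoy check needs no threshold or tuning, which is why it catches a careless insider or a stolen credential so cheaply, and the volume check sums per user and destination across the whole window rather than per event, so an attacker cannot evade it by splitting the download into smaller pulls.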
A Final Word
A cyber breach can strike a catastrophic blow to your firm’s finances. The cost for legal counsel to steer a tax practice through the minefield of liability issues can range from $50,000 to $250,000 per incident. Make sure to carry the right kind and amount of liability insurance to protect your business, including robust cyber liability and data breach insurance. The modest monthly premium for this coverage will pale beside the cost of an uninsured loss.
Unprotected against data breaches and third-party claims of data loss? Then consider buying cyber liability and data breach insurance from 360 Coverage Pros.