The IRS has been reminding tax professionals that the FTC’s Safeguard Rules apply to them, so pros must take action to protect taxpayer data from being compromised.
To assist tax professionals in being compliant, we have curated the security tips below and created an IRS Security Policy Template that can be edited and used by tax professionals when establishing their internal policies.
Violation of these rules can result in civil penalties of up to $2,500 per violation. Much larger penalties could come as a result of any civil action brought by a client and an astute plaintiff attorney armed with the fact that the defendant did not abide by the “Red Flag Rules.”
Each practitioner firm is responsible for developing its own list of red flags based upon its own specific methods and business operations, and the list should be as exhaustive as possible.
Unfortunately, there is no specific set of red flags for tax preparation, accounting, or financial services businesses. The FTC does not provide industry guidelines. Each business must include every situation that it can envision. The FTC does provide a Four-Step Process for identifying risks (red flags), which should be reviewed prior to developing the firm’s security policy.
Download our IRS Security Policy Template for free.
Few professions have felt the brunt of identity theft like the tax and accounting profession. This profession is in the crosshairs; clients may have their identities stolen and have to deal with fraudulent tax returns, and financial professionals may get hit with spoofing emails. It is important to understand that many of these issues are not truly hacks but rather careless uses of passwords and/or poor office policies.
This overview is meant to provide some insight and best practices to help protect your practice and your clients from bad actors. Know that CPAs, enrolled agents, and other tax professionals are attractive targets to hackers. Never let your guard down and say “It won’t happen to my practice.”
The most common hack involves a third party gaining access to an email account—either yours or one of your clients’. A hacker can gain access to an email password by using brute-force attacks, or by sending spoofing emails. The majority of intrusions are due to poor password management.
First, be sure that each account has a unique and very strong password. Nothing is worse than letting a hacker gain access to multiple accounts because you use the same password across the board. If hackers gain access to your email, they can then send spoof emails to your client base. This is very dangerous: the clients likely will trust the message and actually open it because you are the sender (or so it seems).
Spoof emails come in various formats. Sometimes they are sent posing as password-reset emails from common sites such as Dropbox, PayPal or Intuit QuickBooks. The IRS has warned of a ransomware scam in which the email impersonated the IRS and FBI in one message. These are the types of tactics that unsuspecting people can fall for. In addition, if you have sent private client files via email, any hacker who gets access to your email account (or your client’s) can use this information to commit identity theft.
Sample ransomware scam email:
Utilizing a client-portal system that requires unique usernames and passwords and that uses a secure SSL connection can help minimize this risk. Make sure that any such system has safety mechanisms built in — for instance, to limit the number of incorrect passwords that a user can enter before being locked out. Most portals also encrypt files stored on their servers, which adds another layer of protection.
If you are still using paper documentation for your practice, add a shredder to your office equipment list. In addition, make sure that you install an office security system—including camera surveillance—to help deter thieves. Crooks often target CPA offices and other accounting firms because of these offices’ bounty of private data, including social security numbers. Do not write down clients’ personal data such as credit card numbers or banking information.
If you use file cabinets, make sure they are secure and locked. Do not write usernames or passwords on sticky notes near your computer. Although many of these best practices seem obvious, many of us are guilty of breaking our own rules. Mistakes can occur if you get careless. For instance, when disposing of old tax records, always do so properly; thieves do go through the trash, so if you are not careful, they can easily access private data in this way.
When it comes to securing your digital office, you can take a number of steps:
The IRS and the Federal Trade Commission have taken steps to combat fraud resulting from identity theft. Many of their safeguards have already helped to cut down on the amount of fraud. However, it is hard to stop all fraud, especially after large-scale intrusions such as the 2017 Equifax hack of 143 million consumers.
If any of your clients’ Social Security numbers are part of a future breach, please direct them to the special IRS identity theft website, which includes the steps to take if you are a victim. This includes access to IRS Form 14039.
Tax professionals are often in the middle of this issue, as they need to help both individuals and business owners who are victims of tax-related identity theft. They may become aware of such problems when clients’ returns are rejected as duplicates.
The IRS suggests that tax and accounting professionals take the following steps when this occurs:
The best defense is keeping your guard up. Hackers and identity thieves probe tax and accounting professionals daily. Using common sense and integrating cybersecurity best practices into your business will help minimize your risk. If you have any questions about security for your practice, contact us today at 1-800-442-2477 x3 or set up some time to speak with one of our digital marketing experts. We’re here to help you stay compliant and keep your practice – and your clients – secure.