The Security Summit, consisting of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials, is encouraging tax professionals during the 2019 summer season to take some time to assess their data security policies and review critical security steps to ensure adequate measures are in place to fully protect sensitive taxpayer information from cybercriminals and to help battle identity theft. As part of this initiative, the Security Summit has released a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security in a special five-part weekly series over this summer. Snell & Wilmer cybersecurity and privacy lawyers are tracking these releases. Step 1 of the Checklist can be found here. Step 2 of the Taxes-Security Checklist is to Create a Data Security Plan.
Some tax professionals may not realize they are legally required to have a data security plan. Federal law requires professional tax preparers to create a written information security plan to protect clients’ data.
The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley (GLB) Act, gives the Federal Trade Commission (“FTC”) authority to set information safeguard regulations for various entities, including professional tax return preparers. 16 CFR § 314.1 et al., 2019. According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data.
The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. According to the FTC, each company, as part of its plan, must:
designate one or more employees to coordinate its information security program;
identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
design and implement a safeguards program and regularly monitor and test it;
select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
Failure to have a data security plan may result in an FTC investigation. The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.
IRS Publication 4557, Safeguarding Taxpayer data, includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan.