The Security Summit, consisting of the Internal Revenue Service (“IRS”), state tax agencies, and private-sector tax industry officials, is encouraging tax professionals during the 2019 summer season to take some time to assess their data security policies and review critical security steps to ensure adequate measures are in place to fully protect sensitive taxpayer information from cybercriminals and to help battle identity theft.
As part of this initiative, the Security Summit released a “Taxes-Security-Together” Checklist for analyzing office data security in a special five-part weekly series over this summer. Snell & Wilmer cybersecurity and privacy lawyers have been tracking these releases.
Step 1: Protect Your Systems can be found here.
Step 2: Create a Data Security Plan here.
Step 3: Avoid E-mail Phishing Scams here.
Step 4: Recognizing Identity Theft here.
The last and final step of the Security Summit’s summer series on taxpayer cybersecurity, Step 5, is to create a data theft recovery plan, to be used if it has been determined that a data breach has occurred. Tax professionals must understand the risks posed by national and international criminal syndicates and take the appropriate steps to protect sensitive data as well as understand the laws, regulations, and other obligations surrounding information security. You do not want to be caught by a data breach without having a response plan in place — preferably one that your data breach response and recovery team has practiced using table top exercise drills.
Contacting the IRS and law enforcement:
- Report client data theft to local IRS Stakeholder Liaisons, who will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent access to sensitive taxpayer information.
- Federal Bureau of Investigation, local office (if directed).
- Secret Service, local office (if directed).
Contacting states in which the tax professional prepares state returns:
- Any breach of personal information could have an effect on the victim’s tax accounts with the state revenue agencies as well as the IRS. To help tax professionals find where to report data security incidents at the state level, contact: StateAlert@taxadmin.org.
- State Attorneys General for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches, so this notification process may involve multiple offices in some locations. Check local state requirements.
Contacting subject matter experts:
- Security experts can help determine the cause and scope of the breach as well as stop the breach and prevent further breaches from occurring.
- Report a breach to your Insurance Company as soon as reasonably possible and verify if the insurance policy covers data breach mitigation expenses.
- Lawyers with experience assisting clients with data breach response can help navigate the aftermath of data breaches, including mitigating damages, preparing for and possibly avoiding potential litigation claims resulting from data breaches.
Contacting clients and other services:
- See the Federal Trade Commission’s data breach response guide for businesses. Contact the FTC at firstname.lastname@example.org for individualized help.
- Certain states require offering credit monitoring and identity theft protection to victims of identity theft. Check local state requirements.
- Notify credit bureaus if there is a compromise. Your clients may seek their services.
- If a reportable data breach has occurred, notify all affected customers/clients to inform them of the breach — but work with law enforcement on timing. Clients should complete IRS Form 14039, Identity Theft Affidavit, but only if their e-filed return is rejected because of a duplicate Social Security number or they are instructed to do so.
- Tax preparers should use their local IRS Stakeholder Liaison to report data loss.
Through the five (5) part summer series on taxpayer cybersecurity, the Security Summit wants to encourage tax professional to review their data security. With the help of interested tax stakeholders, the IRS hopes to reduce the number of fraudulent tax returns, rejected and delayed refunds, and help fight identify theft.
Professionals and businesses that deal with sensitive client data should be aware that cybercriminals are constantly creating new scams to trick victims into divulging sensitive information and steal valuable data. Your information security systems and response plans must always be ready; breaches come like cyberthieves in the night. Be vigilant!