In March 2015, the Internal Revenue Service (“IRS”) convened an unprecedented coalition of state tax agencies and private-sector tax industry officials to fight back against emerging criminal syndicates exploiting sensitive taxpayer information by creating the Security Summit. The Security Summit members are organized into six work groups addressing different areas of need with the goal of putting in place safeguards to protect taxpayer information, help battle identity theft, prevent tax fraud, and counter evolving criminal tactics. More information on the Security Summit and its ongoing work can be found here.
The Security Summit is encouraging tax professionals during the 2019 summer to assess their security policies and review critical security steps to ensure adequate measures are in place to fully protect sensitive taxpayer information from cybercriminals. To do so, the Security Summit announced that it was creating a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security in a special five-part weekly series starting July 16, 2019, that will address deploying basic safeguards, creating a data security plan, educating on phishing scams, and creating a theft recovery plan. Snell & Wilmer will be monitoring and summarizing the Checklist steps as the IRS releases them.
The First Step of the “Taxes-Security-Together” Checklist is to protect systems with the following “Security Six” protections, which are a starting point for providing basic security protection for computer systems handling sensitive taxpayer data.
1. Anti-virus software.
It is important to have the latest updates installed on computers as anti-virus vendors find new issues and update protections against malicious programs (malware) daily. Keeping security software set to automatically receive the latest updates will help ensure the software is always current and able to provide the best protection. Preferably, anti-virus software should perform automatic scans periodically, but if there are no automatic scans performed then manual scans of files and media received from outside sources should be performed before opening them.
Properly configured firewalls, whether hardware or software based, may be effective at blocking some cyber-attacks as they provide protection against outside attackers by shielding computers or networks from malicious or unnecessary web traffic. Firewalls primarily help protect against malicious traffic, not malware, and may not protect the device if the user accidentally installs malware.
3. Two-factor (multi-factor) authentication.
The use of multi-factor, particularly two-factor, authentication is on the rise. Two-factor authentication requires that a user enter credentials such as a username and password plus another step, such as entering a security code sent via text to a mobile phone. This adds an extra layer of protection beyond the traditional username and password. If a valid username and password is stolen, then the second step to authenticate access should thwart unauthorized access despite the unauthorized user having a valid username and password.
4. Backup software/service.
Critical files on computers should routinely be backed up to external sources, whether cloud-based or on an external hard drive and encrypted.
5. Drive encryption.
Drive encryption, or disk encryption, transforms data on a computer into unreadable files for an unauthorized person accessing the computer to obtain data. This can be useful for sensitive data that is necessarily maintained on computers.
6. Virtual Private Network (VPN).
Useful to protect data when connecting to unknown networks or connecting to networks remotely, such as when working at home. A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and a company’s network. As remote work increases across various industries, having a VPN in place is becoming more and more important.
These “Security Six” protections, however, cannot protect data if computer users fall for email phishing scams and divulge sensitive data, such as usernames and passwords. Users, not the software, is the first-line of defense in protecting sensitive data.
The Security Summit also encourages a review of any professional insurance policies to ensure businesses are protected should a data theft occur as having the proper insurance coverage is a common recommendation from those who have experienced data thefts. Additional resources regarding security recommendations can be found in IRS Publications covering these topics.
 Although the recommendations of the Security Summit are generally geared towards tax professionals, the “Security Six” protections are basic system protections that anyone handling sensitive information should consider employing in their Information Security arsenal.