Here’s the scoop
Professional tax preparers are required by law to have a written data security plan. Read the IRS guidance here.
Many in the tax professional community don't realize they are now required under federal law to have a written data security plan. Failure to follow the new laws may result in an FTC investigation, and the IRS may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40.
Why it matters
We couldn't put it better than William Evanina, director of the National Counterintelligence and Security Center (NCSC) in a talk he gave in June:
"The private sector has become the new geopolitical battlespace. It’s an asymmetric warfare where nation states are targeting companies in nearly every U.S. sector, costing our nation jobs and an estimated $300 to $500 billion per year. These companies are your clients. Their data is in your hands. Hackers are targeting your firms to get at that data. And you have a fiduciary duty to those clients."
What does it mean for me?
There's some good news. The IRS has also created a point-by-point checklist to help guide you through the requirements. We've carefully reviewed the guidelines and can help walk you through it, create a budget and put a customized compliant system in place. You can start now by reading their “Taxes-Security-Together” Checklist.
What are the penalties?
Not only is the IRS imposing these rules, they are imposing penalties. From what we understand that could range from IRS investigation of ALL of your files, paper or electronic PLUS your written information security plans and policies PLUS the signed copies of those policies that show your staff was aware of and knew how you were enforcing those policies PLUS all of the logs of your local computer and cloud computing systems for the past 2 years PLUS documentation showing your staff has been trained on cybersecurity best practices PLUS your cyberinsurance policies and claims PLUS your network activity logs PLUS they have the right to actually review your physical infrastructure, backup systems, emergency operations plans, PLUS they’ll want to see EVIDENCE that ALL staff have satisfactory antivirus and antispyware in place and all patches, updates and upgrades are performed on a timely basis PLUS they’ll want proof that you are using licensed and supported versions of everything from operating systems to accounting software. How long would it take you to gather all of this?
Are your eyes crossing yet? Ready to talk solutions? Click here to book a time
It isn't fair for small businesses
We see first-hand how lax your customers are when it comes to security AND we know how quickly they will turn around and blame YOU for not protecting their data. That isn’t fair... but it's how it goes. It's also not fair that nation-states and organized cybercriminals are targeting small businesses just because small businesses typically have smaller budgets for IT infrastructure and security than the big accounting and money management firms. But just because small firms don't have corporate-level resources doesn't mean they can't have enterprise-quality tools. We’ve developed assessment, plans, procedures, implementation and a training program uniquely designed to fit small business infrastructure and budgets. We even have a portal that makes it easy to have all of your documentation and staff acknowledgements in one accessible place when you need them for reporting purposes, or in the unlikely case you are breached. We say unlikely because if we've put the items on the IRS checklist in place for you, we can practically guarantee you won't lose data.
Here’s a recent story about a CPA in New Jersey whose compromise by malware led to identity theft and phony tax refund requests filed on behalf of his clients. If he had followed the IRS guidelines, this wouldn’t have happened. https://krebsonsecurity.com/2018/04/when-identity-thieves-hack-your-accountant/
Consider this
Wolters Kluwer accounting software users around the world have been dealing with a breach of their systems. If you are ‘all-in’ with a platform that is breached, do you have a backup plan for accessing client data so that you can continue operations? What would it cost you to have your accountants sit idle for 4 days? What would it cost you for penalties and interest for late filings that were your fault?
"We have a deadline on 5/15 and need to be filing extensions/returns," one person wrote in response on Twitter. "Wolters Kluwer, you are going to be responsible for any penalties and interest," another vented. During the outage, Deiterich said she and the other tax accountant who works for Collings, plus an executive assistant, sat idle. Unable to access their time keeping records on CCH, Collings missed its payroll deadline, meaning Deiterich and the other tax professionals will get paid late. Collings had considered resorting to old-fashioned paper forms to meet tax filing deadlines for clients, she said, but even doing that was problematic because all of the client data they needed to fill in those forms was inaccessible, stored on the CCH servers.
Why us?
Computer Experts, Ltd., has been compliance-centric since before the NYS DFS requirements and before the IRS issued this checklist. We have an excellent understanding of what your practice needs plus the deep infrastructure and support you need for enterprise-level security. We're local, responsive, and trusted.
We don’t want to see you lose business. Data breaches aren't just about lost data. They're about lost trust. And small accounting firms rely on that trust to maintain their client base. Let’s work together to get you compliant with IRS recommendations AND protect your hard-earned reputation.
Have upcoming plans with friends or family? Really, worry can ruin a vacation. We guarantee that you’ll worry less after we collaborate to get your cyber operations in order.
Insurance?
Here’s a bottom-line benefit that you can calculate into your overall cyber budget: when you have a data security plan in place, and sign on for full service security plus support BetterNET plan that keeps all of your machines, applications, etc., we can qualify you for low-cost cyber insurance. When we prove your data is secured, monitored, documented and maintained, you can save 1,000s annually on cyber insurance.
The "Taxes-Security-Together" Checklist highlights key security features:
from IRS news release July 9, 2019
- Deploy the “Security Six” measures:
  - Activate anti-virus software.
  - Use a firewall.
  - Opt for two-factor authentication when it’s offered.
  - Use backup software/services.
  - Use Drive encryption.
  - Create and secure Virtual Private Networks.
- Create a data security plan:
  - Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data.
  - The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large.
  - Tax professionals are asked to focus on key risk areas such as employee management and training; information systems; and detecting and managing system failures.
- Educate yourself and be alert to key email scams, a frequent risk area involving:
  - Learn about spear phishing emails.
  - Beware ransomware.
- Recognize the signs of client data theft:
  - Clients receive IRS letters about suspicious tax returns in their name.
  - More tax returns filed with a practitioner’s Electronic Filing Identification Number than submitted.
  - Clients receive tax transcripts they did not request.
- Create a data theft recovery plan including:
  - Contact the local IRS Stakeholder Liaison immediately.
  - Assist the IRS in protecting clients’ accounts.
  - Contract with a cybersecurity expert to help prevent and stop thefts.