What Data Protection Plan?
The #1 Question for your tax advisers this year is –
Do you have a Data Protection Plan?
My friend, Deborah Rodgers, a dedicated and decorated public servant serving since the dawn of time as an IRS Stakeholder Liaison in the Denver Office, called the other day (before the government shutdown) with all sorts of questions about my firm’s data protection plan. Time with Deborah is ALWAYS well spent!
Working inside the proverbial heart of the beast, she truly knows my pain as I invest significantly in data protection planning. Out of compassion, she felt compelled to share with me that the IRS needs help too, from taxpayers and tax practitioners alike, to work diligently together towards protecting their private data.
It is evident to both of us that, with increasingly sophisticated profiling aplenty online (and otherwise), people compiling and processing all the personal and business data required for reporting taxes to the IRS had best have a plan in place to protect that data.
Specifically she reminded me that:
“Professional tax practitioners are required by federal law to create and maintain a written data security plan regardless of the practice’s size.
The Gramm-Leach-Bliley Act of 1999 requires all financial institutions, which it also defines as professional tax preparers, to create and maintain information security plans.
The Federal Trade Commission, not the IRS, administers this law and created a Safeguards Rule to administer it. However, information about the FTC requirements can be found in IRS Publication 4557, Safeguarding Taxpayer Data.
The IRS also recently created & released Publication 5293, Data Security Resources Guide for Tax Professionals.”
IRS Senior Stakeholder Liaison – Deborah Rodgers
To reinforce the fact that size purportedly doesn’t matter, her boss, our esteemed IRS Commissioner, went on to state:
“As the IRS, the states and the tax industry improve our defenses against tax-related identity theft, cyber criminals are looking for better data sources to fill out fraudulent tax returns.
This makes tax professionals and their client data a treasure trove for cyber criminals to target.
Tax professionals are a critical line of defense, and we urge them to protect their data, their systems and their clients.
And we want taxpayers to seek out reliable tax professionals who use the latest security features.”
IRS Commissioner Chuck Rettig
His boss (of sorts), our esteemed Taxpayer Inspector General for Tax Administration, went further on to both state and write:
Taxpayer Inspector General for Tax Administration J. Russell George
Why is this important?
From the discourse I was able to suss out the following facts:
- The IRS received 5 to 7 reports per week from tax firms that have experienced a data theft.
- Through Nov. 5, 2018, the IRS received 234 reports for the year.
- That’s a 29 percent increase from the 182 reports received during the same time in 2017.
And came to the following conclusions:
- Partnerships among the federal government, state governments and industry leaders are how tax-related identity theft will be reduced.
- Taxpayers and tax practitioners alike need to be diligent in protecting data when they communicate and protecting themselves from falling victim to crooks.
Be on the lookout for:
Thieves search for taxpayer data so they can create a fraudulent tax return that looks legitimate and might bypass IRS filters.
Thieves also impersonate tax professionals, using stolen:
- Electronic Filing Identification Numbers (EFINs)
- Preparer Tax Identification Numbers (PTINs)
- Centralized Authorization File (CAF) numbers.
Take Basic Security Steps
Create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals, by the National Institute of Standards and Technology.
If you are a tax practitioner and do not know where to start with your plan development, please feel welcome to contact me anytime. My team and I are happy to help!
Review internal controls:
- Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
- Create passwords of at least eight characters; longer is better. Use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and consider a password manager program.
- Encrypt all sensitive files/emails and use strong password protections.
- Back up sensitive data to a safe and secure external source not connected full time to a network.
- Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
- Limit access to taxpayer data to individuals who need to know.
- Check IRS e-Services account weekly for number of returns filed with EFIN.
- Report any data theft or data loss to the appropriate IRS Stakeholder Liaison.
- Stay connected to the IRS through subscriptions to:
- Opt for multi-factor authentication protections whenever they are available. Multi-factor authentication helps prevent cybercriminals from accessing accounts, even if they steal passwords.
Watch for signs of data theft
- Client e-filed returns begin to reject because returns with their Social Security numbers were already filed.
- The number of returns filed with tax practitioner’s Electronic Filing Identification Number (EFIN) exceeds number of clients.
- Tax professionals or clients responding to emails that practitioner did not send.
- Network computers running slower than normal.
- Computer cursors moving or changing numbers without touching the keyboard.
- Network computers locking out tax practitioners.
“Identity theft can be devastating to small businesses, and the IRS continues to see instances where cyber criminals are targeting these groups to obtain sensitive employee information that can be used to file fake tax returns.
And as tax season approaches, the IRS and the Security Summit partners continue to warn employers to be on the lookout for emails asking for sensitive W-2 information, a dangerous scheme aimed at payroll and human resource offices.
We encourage small businesses and others to follow some important steps to help protect themselves and their employees.”
IRS Commissioner Chuck Rettig
Identity thieves have long made use of stolen Employer Identification Numbers (EINs) to create fake Forms W-2 that they would file with fraudulent individual tax returns.
Fraudsters also used EINs to open new lines of credit or obtain credit cards. Now, they are using company names and EINs to file fraudulent returns.
The IRS has identified an increase in the number of fraudulent Forms 1120, 1120S and 1041 as well as Schedules K-1.
The fraudulent filings apply to partnerships as well as estate and trust forms.
Businesses, partnerships and estate and trust filers should be alert to potential identity theft and contact the IRS if they experience any of these issues:
- Extension to file requests are rejected because a return with the Employer Identification Number or Social Security number is already on file;
- An e-filed return is rejected because a duplicate EIN/SSN is already on file with the IRS;
- An unexpected receipt of a tax transcript or IRS notice that doesn’t correspond to anything submitted by the filer.
- Failure to receive expected and routine correspondence from the IRS because the thief has changed the address.
Complete trusted customer questions
The IRS, state tax agencies and software providers also share certain data points from returns, including business returns, that help identify a suspicious filing.
The IRS and states also are asking that business and tax practitioners provide additional information that will help verify the legitimacy of the tax return.
These “know your customer” procedures are being put in place and include the following questions:
- The name and SSN of the company executive authorized to sign the corporate tax return. Is this person authorized to sign the return?
- Payment history – Were estimated tax payments made? If yes, when were they made, how were they made and how much was paid?
- Parent company information – Is there a parent company? If yes, who?
- Additional information based on deductions claimed.
- Filing history – Has the business filed Form(s) 940, 941 or other business-related tax forms?
Sole proprietorships that file Schedule C and partnerships filing Schedule K-1 with Form 1040 also will be asked to provide additional information items, such as a driver’s license number.
Providing this information will help the IRS and states identify suspicious business-related returns.
For small businesses looking for a place to start on security, the Federal Trade Commission maintains a Protecting Small Business page which includes a series on cybersecurity and a Cybersecurity for Small Business publication.
This is a cooperative effort between the FTC, the National Institute of Standards and Technology, the Department of Homeland Security and the Small Business Administration.
Guard against W-2 scam
All employers – in both the public and private sectors – also are targets for the W-2 scam that has in recent years become one of the more dangerous email scams for tax administration.
These emails appear to be from an executive or organization leader to a payroll or human resources employee.
It may start with a simple, “Hey, you in today?” and, by the end of the exchange, all of an organization’s Forms W-2 for their employees may be in the hands of cybercriminals.
This puts workers at risk for tax-related identity theft.
Because payroll officials believe they are corresponding with an executive, it may take weeks for someone to realize a data theft has occurred.
Generally, the criminals are trying to quickly take advantage of their theft, sometimes filing fraudulent tax returns within a day or two.
This scam is such a threat to taxpayers that a special IRS reporting process has been established.
Here’s an abbreviated list of how to report these schemes:
- Email [email protected] to notify the IRS of a W-2 data loss and provide contact information. In the subject line, type “W2 Data Loss” so that the email can be routed properly. Do not attach any employee personally identifiable information data.
- Email the Federation of Tax Administrators at [email protected] to get information on how to report victim information to the states.
- Businesses/payroll service providers should file a complaint with the FBI’s Internet Crime Complaint Center (IC3.gov). Businesses/payroll service providers may be asked to file a report with their local law enforcement agency. The Federal Trade Commission’s www.identitytheft.gov provides guidance on general steps employees should take.
- Forward the scam email to [email protected].
Data loss reporting
- If you are a victim of data theft or loss, more information is available at Data Theft Information for Tax Professionals.
- Report client data theft to local stakeholder liaisons.
- Liaisons will notify IRS Criminal Investigation and others within the agency.
- Speed is critical.
- If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names and will assist in the process.
Additional resources:
- Identity Theft Protection: Prevention, Detection and Victim Assistance – See tax pro section.
- Protect Your Clients; Protect Yourself – Awareness campaigns, tips and scam alerts.
- Security Summit – Follow IRS, states and tax industry efforts to combat identity theft.
- “Taxes. Security. Together.” awareness campaign or review IRS Publication 4524, Security Awareness for Taxpayers, for additional steps to protect themselves and their data from identity theft.
- Tax professionals can get more information through the Protect Your Clients; Protect Yourself and Tax Security 101 series.