Understanding the IRS Safeguards Rule for Tax Preparers

Understanding the IRS Safeguards Rule for Tax Preparers

Tax season is upon us. For some of us, that means a nice refund, while for others, it means it’s time to settle up with Uncle Sam. But, unfortunately there’s one group who will be looking for a big payday this tax season: Tax refund scammers and identity thieves.

In the last few years, instances of fraudulently filed tax returns have spiked. So, to combat this problem, the IRS has introduced new data protection rules for professional tax preparers. IRS Publication 4557, “Safeguarding Taxpayer Data”, lays out the information security and data protection requirements that all tax return originators are expected to comply with.

Protecting your clients’ data isn’t just the law -- it will protect your business and reputation. This week, we’ll look at how you can comply with the FTC’s Safeguards Rule. Then next week we’ll look at some practical ways to secure your business and your customers’ data.

IRS Data Protection Rules - Who Is Covered?

While things like “written information security plans” and “data protection regulations” sound like they only apply to large companies, according to the IRS, all professional tax return preparers are required to comply with its data protection rules. Under the Gramm-Leach-Bliley Act (GLBA), all financial institutions are covered by the “Safeguards Rule”. The IRS has ruled that tax preparers are included under that definition.

The good news is that the Safeguards Rule is rather flexible. IRS publication 4557 says that “Companies should implement safeguards appropriate to their circumstances.” So, naturally, larger companies would be expected to develop a more sophisticated security plan than a one-person operation. But, all companies are required to create a written security plan that details how they plan to safeguard customer information.

Creating a Written Security Plan for the Safeguards Rule

Creating a written security plan for your business doesn’t have to be a daunting challenge. According to the FTC and IRS, “the required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles.”

So your security plan only needs to be as complex as you need it to be. In Publication 4557, the IRS gives us five requirements that every company needs in its security plan. We’ll cover each point briefly here -- but keep an eye out for future articles that go more in-depth on some of these requirements.

First, you’ll need to “designate one or more employees to coordinate its information security program.” If you’re the only employee, then this part is easy. If not, it can be your office manager or someone who takes care of your computer needs.

Second, you must “identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks.” This doesn’t mean thinking of every single bad thing that could happen to your customers’ data, but it does mean coming up with some scenarios that may compromise customer data. What about a malware infection on your main workstation? Leaving your laptop in the back of a cab? All of these things represent risks to your customers’ data that must be defended against.

Third, you can “design and implement a safeguards program, and regularly monitor and test it”. This means taking the risks you identified and protecting against them. For instance, antivirus software and full-disk encryption on your laptop will protect against theft and viruses.

Fourth, you need to “select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information”. This includes cloud service providers and others who you trust with access to your data. Make sure that they have policies and procedures in place that shows that they take your clients’ security as seriously as you do.

Finally, “evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.” Once you’ve created a security plan, it will need to be updated in light of new threats and information. Keeping your plan up-to-date will help you to protect your customers’ data from future developments.

Find a Trusted Partner

If this sounds like a lot of work, that’s because it is. Creating, evaluating, and maintaining your security plan can take your focus away from running your business and meeting your customers’ needs. That’s why partnering with a trusted IT service provider is a smart decision. E-N Computers has decades of experience protecting businesses like yours from security threats. We’ll help you create and implement a security plan that will comply with IRS regulations and keep your customers -- and your business -- protected.