
Cybersecurity Ignorance is No Excuse for Tax Professionals

Image Credit: Pete Linforth from Pixabay

Co-authored with Lily Li and Kenny Kang. Mr. Kang is a Certified Public Accountant (CPA), Charted Global Management Accountant (CGMA), and Certified Fraud Examiner (CFE) with a wealth of experience in public accounting and industry.

CPAs and other tax professionals collect their client’s crown jewels: sensitive financial data. This makes them prime targets for cybercriminals. For hackers looking to make a quick buck, or engage in more sophisticated identity theft and tax fraud schemes, tax professionals are a treasure trove of social security numbers, tax ID numbers, bank account numbers, confidential agreements, and other personally identifiable information. Consequently, 3-5 tax practitioners get hacked each week, according to a 2017 webcast by the IRS criminal investigations unit – a number that has likely increased over the last couple of years.

In July 2019, IRS released its own statistics relating to identity theft:

IRS Individual Filing Article “Identity Theft Information for Tax Professionals”

[Page Last Reviewed or Updated: 24-Jul-2019]

An estimated 91 percent of all data breaches and cyberattacks begin with a spear phishing email that targets an individual. The criminal poses as a trusted source, perhaps IRS e-Services, a tax software company or a cloud-storage provider, or the criminal poses as a potential client or professional colleague. The objective is to get the tax professional to open a link or PDF attachment. This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer. 

In light of the rise in cyberattacks against tax practitioners, the IRS has taken notice. For this year’s PTIN renewal season, the IRS revised Form W-12, IRS Paid Preparer Tax Identification Number (PTIN) Application and Renewal (Rev. October 2019), by adding Line 11, which includes a mandatory checkbox requiring tax preparers to confirm their awareness of their data security responsibilities. Line 11, Data Security Responsibilities, states:

As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information. Check the box to confirm you are aware of this responsibility.

This affirmative checkbox applies to licensed tax attorneys, CPAs, enrolled agents, enrolled actuaries, enrolled retirement plan agents, state-regulated tax return preparers, and certifying acceptance agents, and it should not come as a surprise to tax professionals.

As early as 2008, the IRS released Publication 4557, “Safeguarding Taxpayer Data,” under the federal security requirements of the Gramm-Leach-Bliley Act of 1999 (GLBA). In 2018, the IRS updated Publication 4557 in recognition of the growing crisis of tax preparer data breaches.

In an IRS news release (IR-2018-175, Aug. 28, 2018), the IRS noted that “protecting taxpayer information isn’t just good for the clients and good for business – it’s also the law…tax return preparers must create and enact security plans to protect client data.”

Furthermore, over the summer of 2019, the IRS published a series of news releases, “Tax Security 2.0 – A ‘Taxes-Security-Together’ Checklist” [IR-2019-122, IR-2019-127, IR-2019-131, IR-2019-136, IR-2019-140, IR-2019-143], for tax practitioners to consider as a starting point for analyzing data security.

IRS, states and industry outline ‘Security Six’ protections to help tax professionals and taxpayers be safer online

IR-2019-127, July 16, 2019

WASHINGTON — Using a new “Taxes-Security-Together” Checklist, the Internal Revenue Service and the Security Summit partners urged tax professionals to review critical security steps to ensure they are fully protecting their computers and email as well as safeguarding sensitive taxpayer data.

The Security Summit partners – the IRS, states and tax industry – urge tax professionals to take time this summer to give their data safeguards a thorough review. To help the tax community, the Summit created a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security.

The IRS noted that failing to enact a security plan, and thereby violating the FTC Safeguards Rule (the implementing regulation for the GLBA), could result in a:

Violation of IRS Publication 3112: Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers.

Violation of IRC Section 7216: This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures.

Violation of IRC Section 6713: This provision imposes monetary penalties on the unauthorized disclosure or use of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.

Violation of Rev. Proc. 2007-40: This procedure specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of the non-disclosure rules addressed in IRC Sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to the penalties or sanctions specified in the Revenue Procedure. (See 2007-26)

Now, with an affirmative checkbox, tax professionals cannot claim ignorance of the rules. Instead, they must make a representation of their security compliance. Since Form W-12 is signed under penalty of perjury, providing false or misleading information may result in criminal penalties and/or the denial or termination of a PTIN.

So where should tax professionals start? First of all, the IRS has provided handy resources for tax preparers to understand the FTC Safeguards Rule and their obligations (see links below). Second, per these resources, tax professionals should conduct security risk assessments of their systems (potentially in conjunction with counsel) to mitigate current risks. Third, and finally, stay alert! As hackers get more sophisticated, risks change, and it is up to the tax professional to stay updated on the latest cyber risks or seek the assistance of third parties to manage these ongoing risks.

Publication 4557, Safeguarding Taxpayer Data

Publication 5293, Data Security Resource Guide for Tax Professionals

Identity Theft Information for Tax Professionals

*Disclaimer* This article is not legal advice or legal opinion, and the contents are intended for general informational purposes only. Circumstances may differ from situation to situation. All legal and other issues must be independently researched.

******

The FTC Ramps Up Privacy Enforcement

Following increased congressional scrutiny over its data privacy enforcement practices in 2018, the FTC has ramped up its enforcement actions in recent months, giving some real bite to current federal privacy laws:

  • On February 27, 2019, the FTC filed a complaint against the operators of the lip-syncing app Musical.ly (now known as TikTok) for failing to seek parental consent before collecting the personal information of users under the age of 13. In response to the FTC’s complaint, TikTok agreed to pay a $5.7 million settlement to the agency, marking the largest-ever COPPA fine in US history.
  • Throughout March, the FTC obtained settlements against four separate robocall operations: NetDotSolutions, Higher Goals Marketing, Veterans of America, and Pointbreak Media. These cases charged the separate entities with violations of the FTC Act (unfair and deceptive trade practices) and the agency’s Telemarketing Sales Rule (TSR), including its Do Not Call (DNC) provisions.
  • On March 26, 2019, the FTC announced a broad inquiry into the data collection practices of broadband companies under Section (b) of the FTC Act. The agency issued orders to AT&T Inc., AT&T Mobility LLC, Comcast Cable Communications doing business as Xfinity, Google Fiber Inc., T-Mobile US Inc., Verizon Communications Inc., and Cellco Partnership doing business as Verizon Wireless, seeking information about the collection, retention, and sharing of personal information. The FTC investigation highlights recent consumer concerns about data privacy and tracking by ISPs, following high-level acquisitions of content providers like AOL, Yahoo, and DirecTV. We are watching closely, as this may be the start of one of the first joint privacy-antitrust enforcement actions by the FTC.

These enforcement actions highlight the FTC’s role as the de facto data protection authority for the United States. Yet, the FTC’s mandate extends far beyond data privacy, and includes regulatory authority over false advertising claims, anticompetitive behavior, and merger review. While Congress continues to debate the passage of a federal bipartisan privacy bill, it behooves them to keep in mind the current staff and funding limitations of the FTC in any proposed drafts.