Image Credit: Pete Linforth from Pixabay
Co-authored with Lily Li and Kenny Kang. Mr. Kang is a Certified Public Accountant (CPA), Charted Global Management Accountant (CGMA), and Certified Fraud Examiner (CFE) with a wealth of experience in public accounting and industry.
CPAs and other tax professionals collect their client’s crown jewels: sensitive financial data. This makes them prime targets for cybercriminals. For hackers looking to make a quick buck, or engage in more sophisticated identity theft and tax fraud schemes, tax professionals are a treasure trove of social security numbers, tax ID numbers, bank account numbers, confidential agreements, and other personally identifiable information. Consequently, 3-5 tax practitioners get hacked each week, according to a 2017 webcast by the IRS criminal investigations unit – a number that has likely increased over the last couple of years.
In July 2019, IRS released its own statistics relating to identity theft:
IRS Individual Filing Article “Identity Theft Information for Tax Professionals”
[Page Last Reviewed or Updated: 24-Jul-2019]
An estimated 91 percent of all data breaches and cyberattacks begin with a spear phishing email that targets an individual. The criminal poses as a trusted source, perhaps IRS e-Services, a tax software company or a cloud-storage provider, or the criminal poses as a potential client or professional colleague. The objective is to get the tax professional to open a link or PDF attachment. This allows the thief to steal passwords or download malware that tracks keystrokes or gives the thief control of your computer.
In light of the rise in cyberattacks against tax practitioners, the IRS has taken notice. For this year’s PTIN renewal season, the IRS has revised Form W-12, IRS Paid Preparer Tax Identification Number (PTIN) (Rev. October 2019) by adding Line 11, which included a mandatory checkbox for tax preparers, requiring them to confirm their awareness of their data security responsibilities. Line 11, Data Security Responsibilities, states:
As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information. Check the box to confirm you are aware of this responsibility.
This affirmative checkbox applies to licensed tax attorneys, CPAs, enrolled agents, enrolled actuaries, enrolled retirement plan agents, state regulated tax return preparers, certifying acceptance agents, and it should not come as a surprise for tax professionals.
As early as 2008, the IRS released Publication 4557 “Safeguarding Taxpayer Data” under the federal security requirements of the Graham-Leach Bliley Act of 1999 (GLBA). In 2018, the IRS updated Publication 4557 in recognition of the growing crisis of tax preparer data breaches.
In an IRS news release (IR-2018-175, Aug. 28, 2018), the IRS noted that “protecting taxpayer information isn’t just good for the clients and good for business – it’s also the law…tax return preparers must create and enact security plans to protect client data.”
Furthermore, over the 2019 summer, the IRS published a series of news releases: “Tax Security 2.0 – A “Taxes-Security-Together” Checklist” [IR-2019-122, IR-2019-127, IR-2019-131, IR-2019-136, IR-2019-140, IR-2019-143] for tax practitioners to consider as a starting point for analyzing data security.
IRS, states and industry outline ‘Security Six’ protections to help tax professionals and taxpayers be safer online
IR-2019-127, July 16, 2019
WASHINGTON — Using a new “Taxes-Security-Together” Checklist, the Internal Revenue Service and the Security Summit partners urged tax professionals to review critical security steps to ensure they are fully protecting their computers and email as well as safeguarding sensitive taxpayer data.
The Security Summit partners – the IRS, states and tax industry – urge tax professionals to take time this summer to give their data safeguards a thorough review. To help the tax community, the Summit created a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security.
By failing to enact security plans, and violating the FTC Safeguards Rule (the implementing regulation for the GLBA), the IRS noted this could result in a:
•Violation of IRS Publication 3112: Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers.
•Violation of IRC, Section 7216: Criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures.
•Violation of IRC, Section 6713 – This provision imposes monetary penalties on the unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.
•Violation of Rev. Proc. 2007-40 – This procedure specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to penalties or sanctions specified in the Revenue Procedure. (See 2007-26)
Now, with an affirmative checkbox, tax professionals cannot claim ignorance of the rules. Instead, they will now have to make a representation of their security compliance. Since Form W-12 is signed under penalty of perjury, making false or misleading information may result in criminal penalties and/or the denial or termination of a PTIN.
So where should tax professionals start? First of all, the IRS has provided handy resources for tax preparers to understand the FTC Safeguards Rule and their obligations (see links below). Second, per these resources, tax professionals should conduct security risk assessments of their systems (potentially in conjunction with counsel) to mitigate current risks. Third, and finally, stay alert! As hackers get more sophisticated, risks change, and it is up to the tax professional to stay updated on the latest cyber risks or seek the assistance of third parties to manage these ongoing risks.
Publication 4557, Safeguarding Taxpayer Data
Publication 5293, Data Security Resource Guide for Tax Professionals
*Disclaimer* This article is not legal advice or legal opinion, and the contents are intended for general informational purposes only. Circumstances may differ from situation to situation. All legal and other issues must be independently researched.