Why did IRS release Pub. 4557, titled Safeguarding Taxpayer Data?
Because tax preparers are extremely juicy targets for identity thieves. The client information containing social security numbers and all the related personal data is super valuable on the black market. First, each identity sells for $100 or so on the black market. So, getting a few dozen families from a tax preparer is tens of thousands of dollars in easy money. Second, the information is often sufficient to file fraudulent tax returns and pocket the refunds. This makes tax related client data even more attractive.
An undetected data theft at your office could mean that your clients do not get their refunds from the IRS (because the refunds are delivered to identity thieves). The risk of identity theft is rising by 47% every year according to the FTC.
What happens to the tax preparer after such a data theft? Sixty percent of small businesses close down after a data breach, according to this report by the US Securities and Exchange Commission. And even for those who survive, the costs can be crippling.
First, there are the monetary costs of reporting the breach to every client and providing them identity theft insurance. Second, there is the time cost of restoring lost data, potentially re-doing some of the return filing work, taking extra steps to deal with fraudulent returns filed, and cooperating with the law enforcement agencies. But the biggest cost is the loss of reputation. Customers may not understand the intricacies of how the theft occurred or whose fault it was. All they see is that either your systems were not sufficiently protected, or you have somehow been selected by identity thieves as an attractive target. In either case, they may not want to deal with you again.
Prevention Is Better than Cure
When it comes to data theft, prevention is so totally worth the effort. While it may seem like a huge distraction at the time, it is effort well spent. Avoiding this work could mean having no work down the road.
The good news is that there are a few basic steps to take, some of which you have probably implemented already. Both for physical theft and digital. And while cyber-security may see like a complex mix of jargon from viruses, ransomware, trojans, rootkits, worms and phishing, there are again some essential steps to take that help protect you against a variety of such attacks.
Having a layer of the protection in place makes your business a less juicy target to attackers. Also, some of your safeguards will show through to customers such as when you use a secure channel to communicate their sensitive paperwork electronically. This instills confidence in your abilities and earns their trust by showing that you care about keeping their data safe.
Step By Step
We have put together the following five steps to help close out different types of security holes, both physical and electronic. Each step is written as a stand-alone article so that you may focus on one step at a time, say taking one of the steps each week.
You may also use this free data security templatefree data security template to quickly review and document your security risks and safeguards.
The list below provides handy links to each of the steps.
Step 1: Physical Safeguards
The physical safeguards are designed to protect against an unauthorized person who can physically reach where you work or store your data records. They may have after-hours access to your work area such as for facility maintenance or even during work hours, where they have brief periods of unattended or unaccompanied time, to browse through your paperwork or computers.
Click here to read the physical safeguards step.
Step 2: Digital Safeguards - Devices
Digital or cyber attacks call for protection not just when the data is in your possession, but also when the data travels over the network. That is why we divide digital safeguards into two steps: one focusing on devices and data in your possession, and the second addressing data security when data is communicated over the network.
Click here to read the digital safeguards for devices step.
Step 3: Digital Safeguards - Data Communication
Data communication becomes a security hole when any of your customers' data is sent over your local network or over the Internet. This can happen, for instance, when
- you receive paperwork from your clients electronically (e.g. over email)
- send them emails, messages, or electronic copies of their paperwork (W2, prepared 1040s, 1099s, and the like)
- use an online service for tax prep, data backup, or payments
- share files with your vendors, service providers, or reviewers
- move data from one device to another using a network connection (e.g. from the phone to your PC or from your work PC to a laptop at home)
Each time data travels over the network, someone can eavesdrop on it. Even data sent over a wired network can be read
Click here to read the digital safeguards for data communications step.
Step 4: Data Disposal
Disposing off old data correctly includes not just shredding the physical paperwork but also removing or destroying electronic copies of sensitive data from old computers, mobile devices, and storage media.
Click here to read the data disposal step.
Step 5: IRS Checklists
IRS Publication 4557 provides 7 checklists to review most of the common data security risks, and procedures to protect customer data. Checking off the items in these checklists will not only help prepare you for an external security audit but also give you the peace of mind through meeting the IRS recommendations.
Click here to read the IRS checklists step.
Identity theft is the fastest growing crime in the US and affects more people than any other crime. Data from US Department of Justice shows that 17.6 million Americans suffered identity theft in 2014. The Federal Trade Commission reports that ID theft attacks grow by over 47% every year.
The sad truth is that while an individual affected by identity theft will eventually recover, though after some frustrations and temporary losses, a business may not always be able to recover from a data breach. The years of hard work spent in building up your client base may be wiped away ruthlessly by a single data breach.
Your general liability and professional liability policies most likely do not cover losses due to data theft (you need to add a cyber-risk policy for that). And while a bank could write-off a bad debt for an identity theft victim once the victim proves they did not obtain the credit or loan, there is no easy way to repair the tarnished reputation of a business affected by data breach.
So while you are busy running and growing your business, it is important to keep it safe. Download this free data security templatefree data security template to make sure that you have implemented the essential security safeguards.