IRS Pub. 4557 provides 7 checklists for your business to protect tax-payer data. These checklists, fundamentally, cover three things:
Recognize that your business needs to secure your client's information. Designate yourself, and/or team members as the person(s) responsible for security and document that fact. Use this free data security template to document this and other required details.
Conduct a risk assessment and implement relevant safeguards. The safeguards should protect against all reasonable security risks. The previous articles in this series, available at Data Security for Tax Preparers: An Overview help you implement several essential safeguards for this purpose. The template can again be used for this. Risk must also be managed when you share client information with your vendors or service providers.
Periodically re-evaluate and update your security safeguards as your business, technology, or other external factors change. Create a reminder or an appointment in your calendar to re-visit your security assessment in 3-4 months.
Let's discuss the IRS checklists one by one:
Checklist 1: Administrative Activities
This checklist covers conducting a security risk assessment, defining the required safeguards, and designating an individual to implement them. It also covers testing your security plan and addressing deficiencies. The free template includes a sample list of safeguards to implement. You may adapt it to suit your firm's needs.
The IRS checklist also covers checking on the FTC Privacy rule to determine if you are required to give privacy notices to your clients. The FTC document includes accountants and tax preparers specifically as activities for which this rule applies, stating that financial activities include "providing financial, investment or economic advisory services. These activities cover services offered by credit counselors, financial planners, tax preparers, accountants, and investment advisors." The FTC document also explains what the privacy notice should contain, how it may be delivered, and when.
Lastly, it reminds you to ensure that your service providers also have information safeguards in place, and that they commit to handling your clients' data securely in their contract with you. They should also share their written security policy with you.
A Note on Vendors and Service Providers
If you use vendors such as book-keepers or others who will have access to sensitive information, you need to verify that the vendors have appropriate safeguards in place.
For certain vendors, such as an online tax software provider, your secure document portal, or encrypted backup provider, such a verification may be easy to obtain from their website.
For others, especially local service providers, you may have to explicitly ask the owner or your account representative. If they do not already have the right safeguards in place, you may have to work with them to start enforcing the same security standards that you use, or search for alternative providers. If you use written contracts (which you should), you may add security as a requirement in the contract itself.
If you will be getting your own security setup audited or certified for compliance with security standards, you will very likely need to obtain written security and privacy policies from each of your vendors and also contractually obligate them to follow those policies.
If you will obtain a cyber-risk insurance policy to protect yourself against breaches or leaks of customers' personal information, the underwriter may require certain privacy obligations to be contractually agreed upon by your vendors. The cyber-risk policy is often expensive because identity theft risk is very high and as an accountant you possess significant high-risk customer information.
As far as your clients are concerned, and by law, securing your client's data is your responsibility.
Checklist 2: Facilities Security
This covers your physical safeguards to prevent unauthorized access, including door locks and secure disposal. If you have already implemented the physical safeguards we discussed in Physical Safeguards to Protect Client Data, this portion of the checklist is easy to satisfy.
The IRS checklist also covers protection against natural disasters such as floods and tornadoes as applicable to your location. An offsite data backup goes a long way in protecting your digital data in case of such events. Additionally, you may create a disaster action plan that includes steps such as turning off gas/electric supplies, moving portable equipment and data to a higher level (in case of floods), and maintaining emergency contacts for staff members. You may also consider appropriate building retrofits to reduce damage from such events such as earthquake braces, non-return valves on drains (for flood prone areas), and getting the right insurance.
Checklist 3: Personnel Security
This checklist covers performing background checks and screening before hiring someone for a position that will give them access to confidential customer information.
It also covers creating and sharing rules of behavior and expected responsibilities in handling customer information, both on paper and using computer systems. You should have your staff sign non-disclosure agreements on the use of all confidential information shared with them.
Also, create and follow correct termination procedures that ensure computer accounts/logins are terminated correctly, access passes and keys are returned or deactivated, and all information in employee possession (laptops, storage devices, etc.) is handed back.
Periodic refresher training is recommended for all staff members. Regularly sharing some of the security articles from this blog can help.
Checklist 4: Information Systems Security
This checklist covers maintaining access controls that ensure information access (digital or physical) is only granted to those who need it.
Checklist #4 also covers implementing a contingency plan to run your business in case of a disruption such as due to ransomware, unexpected computer failure, or a key staff member being unavailable. Data backups and written procedures to restore data and disrupted systems are essential to help in this regard.
Some of your data may be stored online through various cloud providers, such as Quickbooks Online and the Encyro document portal. Most reputable providers strive to limit downtime and commit to maximum time limits on how long it takes their systems to recover after a major disruption. For instance, Encyro promises a 99.9% (three nines) uptime. That is, the service is expected to remain available 99.9% of the time. To this end Encyro implements automated failover mechanisms that keep online services operational despite equipment failures, with almost no disruption to users. Encyro also uses multi-location backups to protect data from major events such as a data center failure or natural disaster. A recovery time commitment, that is, the time to restore systems after a major event, is placed at 48 hours, though actual recovery is likely to be much quicker. Using reputable cloud services with high availability will help minimize your own business downtime in case of disruptions and disasters affecting their locations.
Checklist 5: Computer Systems Security
This checklist covers computer system security such as the use of strong passwords, automatic screen locking, data encryption for stored data and when communicating it externally. The techniques discussed in the articles on Digital Safeguards: Devices and Data Communication help meet most of these requirements.
Additionally, you may hire third party services to perform vulnerability scans and penetration tests for your systems. These tests can be moderately to very expensive, depending on whether they cover only automated scans, include custom manual testing, or also include social engineering attacks (e.g. talking your staff into giving away confidential information).
Checklist 6: Media Security
This checklist reminds you to secure all storage media that is used to store confidential information, and to dispose it off securely. We covered the detailed steps to secure and dispose media in Digital Safeguards: Devices and Data Disposal. So if you implemented those steps, items in this checklist would be easy to check off.
You may also wish to consider meeting the requirements of the FTC Disposal Rule, which are relatively easy to satisfy using the methods we described to destroy data.
Checklist 7: Certifying Information Systems for Use
This checklist covers official certification of your systems by a security expert. Such a certification can give you greater peace of mind. The audit will likely identify deficiencies that you can fix and also additional risks that you may need to mitigate. Some cyber-risk insurance policies may ask for such an audit and may offer a discounted premium based on it, though most policies do not mandate having an external audit done.
Completing the information in each of the worksheets of this free data security templatefree data security template will allow you to quickly review your safeguards and then check off many of the items in the IRS checklists.