Cybersecurity and Tax Season: What Tax Preparers Need To Know From the IRS
By Mark Burnette, CPA, CISA, CISSP, CISM, CRISC, QSA
Practice Leader, LBMC Advisory Services
While tax preparers are likely fully boned-up on the applicable tax rules for their jurisdictions, one area they may miss has been a recent focus of the IRS: cybersecurity, and specifically, the tax preparer's duty to protect the personally identifiable information (PII) they collect when preparing the tax return. PII is information about an individual maintained by an agency (such as a CPA firm) that can be used to distinguish or trace an individual’s identity, such as name, Social Security number, date and place of birth, mother’s maiden name or biometric records, and any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information. Another way to think about PII is that it is information about a person that is not typically publicly available (such as Social Security numbers, bank account information, credit card numbers, etc.).
As a part of its focus on cybersecurity, the IRS has issued two publications that outline some cybersecurity requirements for tax preparers, and two sections of the Internal Revenue Code delineate penalties for tax preparers who do not comply with the cyber specifications. Publication 4557, "Safeguarding Taxpayer Data," recommends that preparers create a data security plan that specifically defines how all sensitive data in the preparer's care will be protected during storage, processing and transmission. For preparers who exchange tax information via the internet (such as via a web portal), IRS Publication 1345 outlines six security and privacy standards for online providers. Preparers would be wise to review these two documents and ensure their existing practices are in alignment with the specifications. A brief summary of the key elements of these two documents follows.
A proper data security plan starts with a written set of security policies that specify management’s expectations for personnel who are storing, processing and/or transmitting sensitive data on the firm’s behalf. Those policies should outline specific requirements for cybersecurity controls within the firm’s operations environment. Some specific security requirements listed within Publication 4557 include setting strong passwords (long, with multiple character types), wiping or destroying computer hard drives before disposal, encrypting all sensitive files and emails, and installing anti-malware (antivirus) software on all devices that have access to sensitive information. Within the security policy, firms should clearly define what constitutes sensitive information, so employees will be able to easily recognize it and ensure proper handling. Taxpayers’ personally identifiable information should always be included in the firm’s description of sensitive information.
In addition to a set of cybersecurity controls, firms should ensure that all employees are educated on common cybersecurity attacks, so they can recognize and avoid falling victim to the types of attacks that target individuals. One of the most common (and successful) types of cyberattacks is email phishing. The written security policy should direct employees, and they should be regularly reminded, not to click on links or file attachments in emails from unknown senders, and to recognize the signs of a suspicious email that has been crafted to appear legitimate. Thieves often pose as a tax software provider, a financial institution or a prospective client to entice personnel to click on the malicious content. The IRS publication “Don’t Take the Bait” provides detailed guidance on various phishing scams and prevention techniques. As a part of the phishing prevention process, desktop and laptop computers, as well as mobile devices that receive company email, should be “hardened” against attack by turning off unnecessary services, closing open ports and installing all software patches on a frequent basis. These practices are in addition to having robust anti-malware software installed and active on those devices. Proper hardening controls for each type of operating system can be found on the software vendor’s website, as well as at the Center for Internet Security.
Once security controls have been defined and implemented, and computers have been patched and hardened against common attack types, there is one more important control that all organizations should implement: multi-factor authentication (MFA). MFA consists of requiring at least two different types of authentication techniques when allowing access to a computer system. There are three categories of authentication factors: something known (such as a password), something possessed (such as a token or cell phone) and a physical characteristic unique to the individual (such as a biometric). MFA systems require at least two factors from different categories (such as a password and a code sent via text message to a cell phone). By requiring two factors, if an attacker guesses or steals a user’s password, they would also need to have possession of the user’s token device or biometric (in this example, the user’s cell phone) in order to successfully log in to the user’s account. MFA is the most important and effective security control to protect against email phishing and other types of web-based malware attacks.
Firms that eFile on behalf of their clients, as well as those firms that collect taxpayer personal information via a website, are required to implement some additional security controls to reduce the likelihood of taxpayer data sent or received via the internet being compromised. Websites used to capture taxpayer personal information (such as portals) must be configured with a Secure Sockets Layer (SSL) certificate (in current deployments, the certificate is used with SSL's successor, Transport Layer Security, or TLS). The certificate allows the website to encrypt the traffic from the taxpayer’s computer system as it’s uploaded to the firm’s web portal, protecting it from eavesdroppers and attackers. Another important control for online providers is the requirement that they conduct weekly vulnerability scans of their internet-facing systems. Vulnerability scanning is the process of using automated software to evaluate the security configuration of computer systems to identify missing patches, open ports, vulnerable services and other configuration-related issues. The requirements specify that vulnerability scans must be conducted by certain qualified cybersecurity organizations, and vulnerabilities identified during scans should be remediated in a timely manner. This means that firms will need a qualified and capable information technology professional available to adjust system configurations as dictated by the vulnerability scans and the firm’s cybersecurity control requirements.
Once the data security plan has been defined and put in place, firms need to have a way to detect when breaches occur and a detailed response plan for minimizing the impact. Detecting when a breach occurs requires a few important controls, including security monitoring capabilities and security-aware personnel. Security monitoring capabilities (often called intrusion detection systems) are designed to analyze traffic that is passing through the network to identify and alert on malicious attacks. While these tools can be highly effective, they require quite a bit of “tuning” in order to work well. Tuning is the process of training the intrusion system to learn what typical types of network traffic and data pass through the company’s network, so that it can quickly and accurately identify non-typical traffic and analyze it for malicious content. Security-aware personnel are regularly trained and reminded to report any suspected security incidents (such as emails with sensitive information sent to the wrong recipient, missing or altered data, malfunctioning computers, etc.) so they can be investigated.
In the event that a data breach occurs, IRC section 6713 imposes monetary penalties on unauthorized disclosures of taxpayer information. While monetary penalties can have an impact, IRC section 7216 "kicks it up a notch" by imposing criminal penalties on tax preparers who make unauthorized disclosures of information. The prospect of criminal charges and loss of CPA license is likely motivation for preparers who may otherwise be tempted to ignore the requirements! Note that the criminal penalties would apply in situations where a preparer is deemed to have knowingly or recklessly disclosed or used return information. Having a defined cybersecurity plan in place (as described in Publication 4557) and endeavoring to follow it would likely be sufficient evidence to help a preparer avoid criminal charges in the event of a breach.
In addition to the IRS cyber requirements, the Federal Trade Commission (FTC) Safeguards Rule requires financial institutions (including tax preparers) to have measures in place to keep customer information secure. The good news is that if tax preparers have developed and implemented a data security plan that includes the elements in Publication 4557 as described above, they will be aligned and in compliance with the Safeguards Rule. Violations of this rule result in monetary penalties imposed by the FTC (separate from the IRS' penalties described above), as well as additional ongoing audits and scrutiny from the FTC.
About the Author
Mark Burnette is the shareholder-in-charge of LBMC's Information Security practice. His background includes extensive experience in security program strategy and development, regulatory compliance, security policies and procedures, risk assessment and management, penetration testing, and security function design, development, and staffing.