Most data security-related press releases and outreach campaigns from the Internal Revenue Service and Federal Trade Commission focus on preventing the theft or loss of data. The reality is that many taxpayers and tax professionals fall victim to identity thieves every year. When data theft occurs, it’s important to know how to mitigate the damage and start picking up the pieces.
Tax professionals in particular are a prime target for identity thieves. Tax offices hold personally identifiable information (PII) and financial records for hundreds—in some cases, thousands—of taxpayers. Not only are criminals acutely aware of that fact, but they rely on the frenetic pace of filing season and the uncertainty surrounding natural disasters to slip their scams past even the most security-minded preparers.
An IRS Tax Tip published this week specifically addresses how tax professionals should respond to a data theft event. The agency outlines four groups you will need to contact immediately following a data theft, ranging from law enforcement to clients.
Here’s the list, verbatim:
Contact the IRS and law enforcement:
- Internal Revenue Service – The tax preparer should report client data theft to their local Stakeholder Liaison. Stakeholder Liaison will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names.
- Federal Bureau of Investigation (FBI) or the United States Secret Service (USSS) – The preparer should contact a local office of either the FBI or the USSS.
- Local police – The taxpayer should contact police to file a report on the data breach.
Contact states in which the tax professional prepares state returns:
- Any breach of personal information could have an adverse effect on the victim’s tax accounts with the states as well as the IRS. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings.
- The preparer should contact the State Attorneys General for each state in which the tax professional prepares returns.
- Security expert – Tax preparers should consult an expert who can help determine the cause and scope of the breach, to stop the breach, and to prevent further breaches from occurring.
- Insurance company – The preparer should report the breach to their insurance company and check if the insurance policy covers data breach mitigation expenses.
- Federal Trade Commission (FTC) – Preparers and other businesses can go to the FTC for guidance. For more individualized guidance, preparers can contact the FTC at email@example.com.
- Credit and identity theft protection agency – Certain states require that preparers offer credit monitoring and ID theft protection to victims of ID theft.
- Credit bureaus – Preparers should notify them if there is a compromise and clients may seek their services.
Preparers should send an individual letter to all victims to inform them of the breach, but they should work with law enforcement on when to send the letter.
The IRS stresses that immediate, thorough action is the best way to reduce the potential damage to your business and clients after a data theft event. Be sure to keep good records of all conversations to help create a comprehensive, effective response plan.
Source: IRS Tax Tip 2021-145