We discussed the IRS recommendations for improving the passwords you use to secure online accounts last week. Keeping that data-security theme going strong, this week we’re going to briefly look at written data security plans.
Why do I need a written data security plan?
Tax professionals are required by the FTC Safeguards Rule to create and maintain a written data security plan. Those looking for more of an explanation than “it’s the law” should start by considering why identity thieves are so interested in PII.
While everyone should be concerned about keeping their private information out of the hands of identity thieves, tax professionals are responsible for the PII of hundreds (if not thousands) of their clients—and criminals know it.
Your tax office, regardless of how many clients are on the books, looks a lot like Fort Knox to the criminals who use stolen PII to fraudulently apply for credit cards and bank loans or file a tax return.
As we’ve covered in the past, identity thieves have one goal when they fraudulently file tax returns: get the U.S. Treasury to issue a refund check. That’s one reason the IRS has been forced to delay issuing refunds for returns claiming certain tax credits in recent years.
Unfortunately, successfully identifying a fraudulent return once it’s been sent to the IRS means a taxpayer’s PII has already been stolen. Developing, maintaining, and implementing a data security plan is one way to stop thieves from getting that data in the first place.
How do I create a written data security plan?
The IRS generally directs tax professionals who are interested in writing or updating a data security plan to Publication 4557, Safeguarding Taxpayer Data. It lays out basic guidelines for following the FTC Safeguards Rule:
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
While much of the same advice you get regarding personal data security applies to written data security plans—use strong, unique passwords for each online account; install and maintain security software; and learn to identify and avoid phishing scams—you may prefer a more concrete resource for following the law.
Luckily, Pub. 4557 has an extensive Safeguards Rule checklist that covers three key areas of data security:
- Employee Management and Training
- Information Systems
- Detecting and Managing System Failures
If all of this seems overwhelming, the IRS also has an easy-to-digest video introduction to written data security plans that you can check out on YouTube (click here).
Remember, identity thieves are more than happy to use your business to make a quick buck. Having a well-rounded data security plan can keep them from having an easy payday.