From multi-factor authentication to Virtual Private Networks, the Security Summit has highlighted data-security tips that would be helpful additions to any tax professional’s security protocols during the five-week Working Virtually campaign. So, it’s only fitting that the Summit closed out the event by emphasizing written data security plans.
What is a written data security plan?
Your written data security plan includes all the steps your tax office will take to secure client data. Since tax pros routinely handle sensitive financial information, they are subject to the Federal Trade Commission’s Safeguards Rule. While the Summit explains that tax pros’ written data security plan “must be appropriate to the nature and scope of the company’s activities,” it has to include these five basic elements prescribed by the FTC:
- Designate one or more employees to coordinate its information security program;
- Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
- Design and implement a safeguards program and regularly monitor and test it;
- Select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
- Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
Another “relevant [circumstance]” that could require you to update your written data security plan would be changes made to the Safeguards Rule itself, which the Summit says could be coming sooner than you might expect: “The FTC currently is re-evaluating the Safeguards Rule and has proposed new regulations,” so you should “be alert to any changes in the Safeguards Rule and its effect on the tax preparation community.”
Having a prevention plan in place is just one piece of the puzzle. Just as a fire drill rehearses what to do when the alarm sounds, your data security plan needs to spell out exactly what you will do after a data breach, and the Security Summit says you should be prepared to act quickly to limit the damage. Your first step should be to report the theft to the proper authorities; for a tax professional, that means your IRS Stakeholder Liaison and the Federation of Tax Administrators.
How do I create a written data security plan?
If you’re not sure where to start when designing or updating your written data security plan, take a look at these resources highlighted throughout the release:
- IRS Publication 4557, Safeguarding Taxpayer Data
- IRS Publication 5293, Data Security Resource Guide for Tax Professionals
- Data Theft Information for Tax Professionals
- Small Business Information Security: the Fundamentals
Look, it’s easy to see security measures as a nuisance, especially when you already have so much on your plate. Even I roll my eyes whenever I see a notification reminding me to update my operating system or an application like iTunes. (Seriously, does Apple update that program every 15 minutes!?) The reality is that you’ll be glad you kept all of your installed applications up to date and spent an extra 30 seconds to type in your multi-factor authentication code if it keeps your data out of criminals’ hands.
If that’s not enough to convince you to dust off your written data security plan, consider this fair warning: “The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40.”