Skip to main content
Establishing Secure Connection...
IRS Cybersecurity for Tax Professionals

Cybersecurity for Tax Professionals: IRS Compliance Basics

In today's digital age, cybersecurity for tax professionals is paramount. As a tax preparer, protecting your clients' sensitive financial and personal information must be a top priority. With cybercrime on the rise, client data is increasingly vulnerable to being compromised. It's crucial to take proactive measures to safeguard their information and prevent costly data breaches.


However, achieving cybersecurity compliance isn't an easy feat for tax practitioners. The industry is subject to numerous government authorities and standards, making it one of the most complex fields when it comes to digital security. Installing a few security measures is not sufficient to keep your clients' data protected.


To avoid noncompliance penalties and costly data breaches, you must become familiar with the basics of cyber security for tax professionals. This includes understanding the different regulations and guidelines established by various government agencies, implementing appropriate security measures, and continuously monitoring and updating these measures to stay ahead of emerging threats.


Ultimately, protecting your clients' data is no longer just a responsibility, but a necessity in today's digital age. By learning the essentials of IRS cybersecurity compliance, you can guarantee that you're meeting legal requirements while simultaneously keeping your clients' data secure from cyber threats.


Compliance Basics


The good news is that all the of publicly available information surrounding the cyber security responsibilities of a tax preparer can be broken down and explored in detail.  To make things easy, compliance can be summed up in one line:


Cyber security compliance for the IRS is as simple as adhering to the laws and guidance that are acknowledged on the PTIN application and renewal form, the W12.


For reference, any individual with a preparer tax identification number agreed to this statement on the W12:

W12 Snippet

To break it down further, compliance involves two key components: producing and maintaining a data security plan and providing system security protections for all taxpayer information. Both of these components are equally crucial in ensuring the safety of client data. However, each component has several facets that must be considered, some of which are defined by written law.


To create an effective data security plan, tax preparers must identify and assess potential risks to client data, implement appropriate safeguards, and establish incident response protocols. Providing system security protections involves implementing safeguards such as firewalls, antivirus software, and secure authentication methods.


While these requirements may seem daunting, there are plenty of resources available to help tax professionals navigate the complex world of cyber security compliance. By taking the time to understand and fulfill these obligations, tax preparers can protect their clients' data and ensure that they remain in compliance with the law.


Compliance Part 1/2: Written Information Security Plan


While most tax preparers are familiar with the Gramm–Leach–Bliley Act (GLBA), many may not be aware that the requirement to have a data security plan originates from this law. Section 11 of the PTIN renewal form now includes updated data security responsibilities, which serve as a reminder to tax professionals of their legal obligation to create and maintain a data security plan. However, it's worth noting that this requirement has been a federal law since 1999, and the recent changes merely reinforce the importance of compliance.


The GLBA's Safeguards Rule requires that financial institutions, including tax preparers, develop, implement, and maintain a comprehensive information security program that is appropriate for the size and complexity of the business and the nature and scope of its activities. This includes identifying and assessing risks to customer information, implementing safeguards to control those risks, regularly monitoring and testing the effectiveness of those safeguards, and adjusting the program as needed to reflect changes in the business or its operations.


Compliance with the Safeguards Rule is essential for tax professionals to protect their clients' sensitive information from cyber threats. In today's increasingly digital world, cyber attacks are becoming more frequent and sophisticated, making it crucial for tax preparers to prioritize cybersecurity measures. By creating and maintaining a data security plan in compliance with federal regulations, tax professionals can help mitigate the risk of data breaches and safeguard their clients' trust and financial wellbeing.


There is no denying that the GLBA has had significant consequences, and the FTC Safeguards Rule is a complex topic that warrants extensive analysis. However, for the purpose of this article, let's focus on the basics of compliance. It's important to note that anyone with a PTIN is legally obligated to have a data security plan in place. While the details of the GLBA and FTC Safeguards Rule are beyond the scope of this article, it's crucial for tax preparers to understand the basics of cyber security compliance in order to protect their clients' data and avoid legal repercussions.


IRS Requirements for a Data Security Plan


As per the IRS guidelines, a data security should be appropriate for the size, scope of activities, complexity, and sensitivity of the data being handled.  Even though IRS publication 4557 Safeguarding Taxpayer Data provides a basic outline for creating a plan, it is essential to delve deeper into other publications in order to fully comprehend the complexities of cybersecurity and understand what is necessary for protecting sensitive data.


For a comprehensive understanding of cybersecurity in tax preparation, one must consult publications such as NISTIR 7621, FIPS 199, FIPS 200, and most importantly, the Special Publication 800-18 Revision 1. All these publications have been created by the National Institute of Standards and Technology (NIST) and provide detailed information on how to handle client information securely and document security procedures.


It is vital to note that a data security plan is not a one-size-fits-all solution. Instead, it must be tailored to the specific needs of the business. While this might seem daunting, the resources provided by NIST can guide tax preparers in creating a plan that is both effective and compliant with federal regulations.


Assistance in Creating a Data Security Plan


There are various resources available to assist tax preparers in creating a data security plan, including guides, templates, and whitepapers provided by several companies, insurance agencies, and tax software providers. In August, the Security Summit also released an IRS WISP template that can be used as a starting point. However, it is important to note that these resources are not a one-size-fits-all solution, and a completed security plan should be tailored to the specific needs of each company. The plan's size, complexity, and content should all be adjusted accordingly.


A complete security plan should include the following, but is not limited to:

• A description of company information, including the types of data collected and stored;

• A description of who will have access to this data;

• An explanation of how data is protected; and

• The policies on how employees should use company resources (e.g., computers, devices) when on- or off-duty.


It's important to remember that a data security plan is more than just a document that is created and then forgotten about. It's a living plan that needs to be regularly reviewed and updated to ensure its effectiveness. One critical component of the plan is the Action Plan, which outlines the steps to be taken in case of an emergency and is also know as an incident response plan. This plan needs to be regularly reviewed and tested to ensure that it is up-to-date and effective.


In the event of an emergency, whether it's a data breach, fire, theft, or any other incident, the Action Plan is crucial for limiting the loss and unauthorized release of client and tax data. Following the predefined set of actions outlined in the plan can help ensure that the incident is handled quickly and effectively. Additionally, having a well-documented and tested plan can help demonstrate to clients, regulatory bodies, and other stakeholders that the tax preparer takes data security seriously and is taking proactive steps to protect sensitive information.


In the event of an IRS investigation or a security audit, this plan should be readily available for any concerned parties to review. If a client requests information on what you are doing to protect their data, this is the document that should be presented. Keeping the plan up-to-date with any changes to your operations, systems, or threats is crucial to ensure its effectiveness in protecting sensitive information. By regularly reviewing and updating the plan, you can ensure that your clients' data is always safeguarded against cyber threats.


It's important to keep in mind that developing a comprehensive written information security plan involves a considerable amount of effort and planning. This quick overview only scratches the surface of what's involved in creating and maintaining an effective plan. Moreover, the plan is not a one-time project but requires ongoing attention and revision as your business grows and evolves. As such, it should be updated periodically to reflect any changes in your organization's structure, operations, or technology, as well as to align with shifting compliance requirements and emerging security threats. By staying vigilant and keeping your plan current, you can help protect your clients' sensitive data and safeguard your business's reputation.


Compliance Part 2/2: Proper System Safeguards


Having a well-written data security plan is essential, but it's only the first step in protecting sensitive information. The next critical step is to implement proper system safeguards to ensure the plan is effective. This involves selecting appropriate security measures and verifying that they're operating as intended. Without adequate safeguards in place, the plan is little more than a set of theoretical guidelines that may not be able to withstand a real-world attack.


To determine the necessary security measures, the IRS, FTC, and NIST offer extensive documentation. Publication 4557 provides a good foundation, but it is important to note that the IRS regards this resource only as a starting point. To ensure comprehensive protection, tax preparers should consult additional resources provided by NIST, including FIPS 199 and 200, NISTIR 7621, and Special Publication 800-18 Revision 1. These documents provide detailed information on security measures to protect against data breaches and other threats.


The IRS has taken steps to educate tax professionals on the importance of compliance by releasing Publication 4557. This publication serves as a valuable resource for tax preparers, outlining the necessary safeguards that must be implemented to ensure the proper handling and protection of sensitive customer information. Specifically, Publication 4557 provides guidance for those who prepare and file federal income tax returns for others, with the aim of preventing data breaches and unauthorized access to confidential client information.


Proper system safeguards encompass a wide range of measures that tax preparers can take to secure their clients' sensitive financial data. These safeguards include encryption of all sensitive data, storage of such data on servers with limited access to trusted employees only, storage in a secure environment, testing the ability to recover from disasters without compromising customer data, and protection against unauthorized access or disclosure of customer records by employees or third parties.


In addition to these measures, tax preparers also need to guard against malware attacks on employee devices that could result in unauthorized access to customer records or other information. This requires the implementation of strong antivirus software and regular updating of security patches. By taking these precautions, tax preparers can minimize the risk of data breaches and ensure the safety of their clients' sensitive financial information.


Security Six


The Security Six is a set of critical components in cyber security that the IRS created to assist tax preparers in understanding the most important aspects of safeguarding sensitive financial data. These security measures are also detailed in Publication 4557, and it's important to note that they are the bare minimum safeguards that should be in place to protect customer data from cyber attacks. Any tax preparer who wants to ensure their clients' financial data is secure should not only implement the Security Six but also take additional measures beyond these requirements.

The security measures in the Security Six are:

1. Antivirus

2. Firewall

3. Two-factor Authentication

4. Comprehensive Backups

5. Drive Encryption

6. Virtual Private Network


While Publication 4557 and the Security Six provide a useful starting point for tax preparers to understand the necessary safeguards, each business is unique and requires an individualized approach to cybersecurity. A more in-depth discussion is necessary to understand the nuances of each compliance requirement and how they apply to a specific business.


For instance, the setup of a firewall must be tailored to the individual tax preparer's network, as well as every other security measure implemented. All security measures should be configured according to the specific needs of the business, taking into account factors such as the type of data being stored, the size of the company, and the potential risks and threats faced. By taking an individualized approach to cybersecurity, tax preparers can ensure they are meeting the necessary compliance requirements while also providing the highest level of protection for their clients' sensitive financial data.


There are Many Important Documents for IRS Cyber Security Compliance


Publications 5293 and 4524 serve as supplementary resources to the larger body of compliance requirements provided by the IRS, FTC, and GLBA. While these documents are shorter in length, they still offer important insights into the necessary security measures that tax preparers should be implementing.


Publication 5293, titled "Data Security for Tax Professionals: Basic Security Recommendations," provides a concise overview of security recommendations that tax preparers should follow. These recommendations include protecting all devices that contain sensitive data with strong passwords and ensuring that all software is kept up to date. This publication is a great starting point for tax preparers who are just beginning to learn about data security and need a quick reference guide.


Publication 4524, titled "Security Recommendations for Tax Professionals," is another resource that provides additional guidance on the security measures that tax preparers should have in place. This publication covers topics such as securing paper documents, securing electronic devices, and creating a data backup and recovery plan. By following the recommendations outlined in these publications, tax preparers can ensure that they have the necessary safeguards in place to protect sensitive client information.


By delving into the IRS's repository of information, you can discover numerous newsletters and articles that address various security measures in more detail. These resources cover a wide range of topics, such as the best practices for choosing secure passwords, the appropriate time frames for patch management, the importance of drive encryption, and when and where to use multi-factor authentication. Each of these subjects is equally crucial for remaining in compliance with the regulations and guaranteeing the protection of the taxpayer's sensitive information.


It is essential for tax preparers to take the time to read these resources thoroughly and to implement any necessary measures to secure their systems effectively. Neglecting even a single critical component of cybersecurity can leave the business and its clients vulnerable to data breaches and cyberattacks. Staying informed about the latest trends and techniques in cybersecurity is an ongoing process, and remaining vigilant is key to maintaining a secure tax preparation practice.


In addition to the information provided by the IRS, valuable resources on cybersecurity can be found in the publications of other government agencies. One such publication is 1075, which offers detailed guidance on appropriate safeguards and effective implementation strategies. Although primarily intended for use by federal, state, and local agencies, this document offers valuable insight for tax preparers on best practices for safeguarding sensitive financial data.


Some of the key takeaways from publication 1075 include the importance of conducting regular risk assessments, establishing strict access controls and monitoring procedures, implementing robust physical and environmental controls, and establishing incident response and contingency plans. By following the guidance provided in this and other relevant publications, tax preparers can better understand their obligations with respect to safeguarding customer data and take proactive measures to protect against threats to data security.


If you are searching for a comprehensive resource on cyber security, look no further than NIST Special Publication 800-53 Revision 5. This extensive document spans 492 pages, covering a wide range of topics related to information security. The abstract of this publication begins with the following sentences:


This publication provides a catalog of security and privacy controls for information systems and organizations to protect organizational operations and assets, individuals, other organizations, and the Nation from a diverse set of threats and risks, including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks. The controls are flexible and customizable and implemented as part of an organization-wide process to manage risk.


When it comes to implementing the best cyber security practices, the NIST Special Publication 800-53 Revision 5 is an unparalleled source, providing an A-Z guide for organizations. With topics ranging from incident response and emergency preparedness to advanced techniques like employing detonation chambers to isolate and test programs for malicious code, this document is an invaluable resource for tax preparers looking to safeguard their clients' sensitive data.


In particular, the use of detonation chambers can be especially relevant for the tax preparation industry. Many tax preparers have fallen victim to ransomware attacks by unwittingly opening attachments containing malicious code that appear to be legitimate emails. By testing programs in an isolated environment before deployment, tax preparers can mitigate the risk of malware infiltrating their systems and compromising sensitive client data. The NIST guidelines are an essential reference for tax preparers who want to ensure they are employing the best possible cyber security practices.


Taking Action to Ensure Cyber Security Compliance and Protect Your Clients


As a tax preparer, it is crucial to prioritize cyber security to protect your clients' sensitive information. While there is a vast amount of information available on cyber security, the IRS provides helpful guidelines to get started, such as Publication 4557. Although this publication is only a starting point, it provides ample resources to ensure that you remain compliant and that your clients' data is secure.


However, compliance with IRS guidelines is just the beginning of digital safety. It is essential to continue learning and implementing best practices to strengthen your security measures. If you have any questions or concerns about how to remain compliant or improve your digital security, speak with a security specialist. You can schedule a time to talk with them about your cyber security concerns and compliance with federal law. If you already have safeguards in place, you can schedule a free security assessment to determine what else you can do to improve your digital security. Don't wait until it's too late; take action today to protect your clients' sensitive information and ensure cyber security compliance.


If you're ready to take the next step in securing your tax preparation business and complying with IRS regulations, check out part one of the Security Six Series today.

About Bellator

Your Tax Preparer's Hub: WISP, IRS Compliance & Cybersecurity Solutions. Simplify GLBA Compliance. Expert Support & Value-Driven Services for Peace of Mind.