Incident Response Plan Instruction Guide for Cyber Security Compliance
How To Complete Your Incident Response Plan
The FTC Safeguards Rule requires all tax preparers to have an Incident Response Plan AND a Written Information Security Plan
Tax preparers should be aware of the federal laws that outline the safeguard requirements for protecting sensitive client information.
The Safeguards Rule, within the Gramm-Leach-Bliley Act, requires individuals involved in providing financial products and tax preparation services to ensure the security and confidentiality of client records and information or face hefty fines. These fines can be up to $100,000.
If you’ve been working on implementing the revised Safeguards Rule at your business to meet the upcoming deadline, that’s good news for your company and your customers. Just know that for certain provisions of the updated Rule, the FTC has extended the compliance deadline by six months – to June 9, 2023 – in response to reports of personnel shortages and supply chain issues.
Some regulations may have cryptic titles, but the FTC Safeguards Rule is black and white about what a tax preparer must do to remain compliant. Its clear purpose is to strengthen the data security safeguards that companies must have in place to protect their clients' personal information.
What provisions are included in the six-month extension? The revised Rule requires covered companies to:
• Designate a qualified person to oversee their information security program
• Develop a written risk assessment
• Limit and monitor who can access sensitive customer information
• Encrypt all sensitive information
• Train security personnel
• Develop an incident response plan (Action Plan)
• Periodically assess the security practices of service providers
• Implement multi-factor authentication or another method with equivalent protection for anyone accessing customer information
Email the State Attorney General, alerting them to the specific details of your breach and asking whether any other offices must be contacted.
Talk with your cyber security provider and, depending on the type of breach, retrieve the appropriate monitoring logs to submit to the appropriate federal agency.
Call the insurance company you are currently with and report the breach.
The FTC can be reached by phone at (202) 326-2222 or by email at email@example.com to request individualized guidance.
You may find an ID Theft Protection Agency for credit monitoring by using your search engine (Google, Bing, Firefox, etc.) to search the term “ID theft protection Agency.”
A fillable Form 14039 is available on IRS.gov. It can be completed online, printed and attached to a paper tax return for mailing to the IRS. Or, taxpayers may complete the form online at the Federal Trade Commission, and the FTC will electronically transfer the Form 14039 – but not the tax return – to the IRS.
Report the incident to credit bureaus as clients may seek their services with the information provided below: