Safeguarding Taxpayer Data A GUIDE FOR YOUR BUSINESS 1
| Safeguarding Taxpayer Data A GUIDE FOR YOUR BUSINESS 1 |
|
SAFEGUARDING TAXPAYER DATA
Contents
Introduction
Safeguarding Taxpayer Data ............................3
Protect Your Clients; Protect Yourself
Take Basic Security Steps ..............................4
Use Security Software .....................................5
Create Strong Passwords ................................5
Secure Wireless Networks ..............................6
Protect Stored Client Data ..............................7
Be on Guard
Spot Data Theft................................................8
Monitor EFIN/PTIN ...........................................8
Recognize Phishing Scams .............................9
Guard Against Phishing Emails ......................10
Be Safe on the Internet ..................................10
Report and Respond
Report Data Loss to IRS/States .....................11
Respond and Recover from a Data Loss .......12
Comply with the FTC Safeguards Rule
Understand the FTC Safeguards Rule............13
Comply with the FTC Safeguards Rule...........13
Checklist for Creating a Plan..........................14
Employee Management and Training..............14
Information Systems.......................................15
Detecting and Managing System Failures.......17
Glossary .......................................... 19
2
|
|
SAFEGUARDING TAXPAYER DATA
Introduction - Safeguarding
Taxpayer Data
Combatting today’s cybercriminals takes all of us working together. The
Internal Revenue Service works with state tax agencies and the tax
industry to fight these 21st century identity thieves. After forming the
Security Summit and enacting a series of safeguards, the partners are
making inroads. But, there’s more work to be done.
Data thefts at tax professionals’ offices are on the rise. As the Security
Summit makes progress, identity thieves need more taxpayer data to
file fraudulent tax returns. And they have placed tax practitioners firmly
in their sights. Data security is now a necessity for every tax
professional, whether a partner in a large firm or a sole practitioner, and
every Authorized IRS e-File Provider. Every employee, both professional
and administrative staff, should be educated about security threats and
safeguards. Everyone has a role to play in protecting taxpayer
information.
Protecting taxpayer data is the law. Federal law gives the Federal Trade
Commission authority to set data safeguard regulations for various
entities, including professional tax return preparers. According to the
FTC Safeguards Rule, tax return preparers must create and enact
security plans to protect client data. See Publication 5708 for
information on creating a written information security plan. Failure to do
so may result in an FTC investigation. Online providers also must follow
the six security and privacy standards in Publication 1345, Handbook
for Authorized IRS e-file Providers of Individual Income Tax Returns.
Protecting taxpayer data is good business. Data security can protect
your business as well as your clients. A theft may also mean a loss of
reputation, a loss of clients or a loss of money. Consider engaging
security professionals for assistance or check with your professional
liability carrier about data theft coverage.
This guide seeks to help tax professionals to:
y understand basic security steps and how to take them;
y recognize the signs of data theft and how to report data theft;
y respond and recover from a data loss;
y understand and comply with the FTC Safeguards Rule.
3
|
|
SAFEGUARDING TAXPAYER DATA
Protect Your Clients;
Protect Yourself
Take Basic Security Steps
Here are some basic security steps that tax professionals can take
today to make their clients’ data and their businesses safer:
y Learn to recognize phishing emails, especially those pretending to be
from the IRS, e-Services, a tax software provider or cloud storage
provider. Never open an embedded link or any attachment from a
suspicious email.
y Create a data security plan using IRS Publication 4557, Safeguarding
Taxpayer Data, and Small Business Information Security – The
Fundamentals, by the National Institute of Standards and Technology.
y Review internal controls:
• Install anti-malware/anti-virus security software on all devices
(laptops, desktops, routers, tablets and phones) and keep
software set to automatically update.
• Use strong passwords of 8 or more characters, use different
passwords for each account, use special and alphanumeric
characters, use phrases, password protect wireless devices and
consider a password manager program.
• Implement multi-factor authentication for anyone accessing
customer information on your system.
• Encrypt all sensitive files/emails, especially those with the
taxpayer’s personally identifiable information, and use strong
password protections.
• Back up sensitive data to a safe and secure external source not
connected fulltime to a network.
• Make a final review of return information – especially direct deposit
information - prior to e-filing.
• Wipe clean or destroy old computer hard drives and printers that
contain sensitive data.
• Limit access to taxpayer data to individuals who need to know.
• Check e-File Applications and PTIN accounts weekly for total
returns filed using EFINs and PTINs; deactivate unused EFINs.
• Withdraw from any outstanding authorizations (power of attorney/
tax information) for taxpayers who no longer are clients.
• Implement audit trails (audit logs) that records all activities that
occur. This includes who performed the activity, when it was
performed, and what changes were made.
4
|
|
SAFEGUARDING TAXPAYER DATA
• Implement a clean desk policy.
y Report any data theft or data loss to the appropriate IRS Stakeholder
Liaison.
y Stay connected to the IRS through subscriptions to e-News for Tax
Professionals, QuickAlerts and Social Media.
y Educate clients about the availability of the Identity Protection PIN for
taxpayers.
y Review FTC’s security tips at Cybersecurity for Small Business and
Protecting Personal Information: A Guide for Business
Use Security Software
y A fundamental step to data security is the installation and use of
security software on your computers. Here are the various types of
security software you need and their purpose:
y Anti-virus – prevents bad software, such as malware, from causing
damage to a computer.
y Anti-spyware – prevents unauthorized software from stealing
information that is on a computer or processed through the system.
y Firewall – blocks unwanted connections.
y Drive Encryption – protects information from being read on
computers, tablets, laptops and smart phones if they are lost, stolen
or improperly discarded.
Both Windows and Mac operating systems come with factory-installed
security software and with encryption technology. Both operating
systems also come with built-in firewall protection, which you should
enable unless your anti-virus software includes a firewall feature. Or,
you also may separately purchase security software that offers a suite
of protections.
For product recommendations, check with colleagues, professional
associations or, for those who have data theft insurance protection, the
insurance carrier. Never select “security software” from a pop-up
advertisement while surfing the web. Download security software only
from the chosen vendor’s site.
Set security software to update automatically. This step is critical to
ensuring the software has the latest protections against emerging
threats. For additional safety, ensure that your internet browser (Google,
MS EDGE, Firefox, Safari, etc.) is set to update automatically so that it
remains secure.
5
|
|
SAFEGUARDING TAXPAYER DATA
Create Strong Passwords
It is critical that all tax practitioners establish strong, unique passwords
for all accounts, whether it’s to access a device, tax software products,
cloud storage, wireless networks or encryption technology. Here’s how
to get started:
y Use a minimum of eight characters; consider minimum of 16
characters for an administrator’s password.
y Use a combination of letters, numbers and symbols, i.e., ABC, 123,
!@#.
y Avoid personal information or common passwords; opt for phrases.
y Change default/temporary passwords that come with accounts or
devices, including printers.
y Do not reuse passwords, e.g., changing Bgood!17 to Bgood!18 is not
good enough; use unique usernames and passwords for accounts
and devices.
y Do not use your email address as your username if that is an option.
y Do not disclose your passwords to anyone for any reason; do not
share password among employees. Each individual with access to
client accounts should have a unique password. Use a password
manager program to track passwords, but protect it with a strong
password.
Do not overlook a critical step to protecting accounts: Multi-factor
authentication. This simple feature can protect your accounts even if
your username and password are stolen. Tax software products for both
taxpayers and tax professionals now offer multi-factor authentication.
Use the most secure option available, not only for your tax software, but
other products such as email accounts and storage provider accounts.
An example of multi-factor authentication: you must enter your
credentials (username and password) plus a security code sent as a
text to your mobile phone before you can access an account.
If hosting your own website, also consider some other form of
multifactor authentication to further increase your login security.
Secure Wireless Networks
Failing to protect your wireless network makes the network or data
vulnerable to attack or interception by cybercriminals. Thieves could be
stealing your data without your knowledge. If you can, do not use
wireless networks for computers or devices that process, display, or
print client information. If you must use wireless, you can take these
protective steps with setting up your router or review your router’s
manual to make changes. Here are basic steps::
y Change default administrative password of your wireless router; use a
strong, unique password.
6
|
|
SAFEGUARDING TAXPAYER DATA
y Reduce the power (wireless range) so you are not broadcasting
further than you need. Log into your router to WLAN settings,
advanced settings and look for Transmit (TX) power. The lower the
number the lower the power.
y Change the name of your router (Service Set Identifier - SSID) to
something that is not personally identifying (i.e., BobsTaxService),
and disable the SSID broadcast so that it cannot be seen by those
who have no need to use your network.
y Use Wi-Fi Protected Access 3 (WPA-3).
y Do not use Wired-Equivalent Privacy (WEP) to connect your
computers to the router; WEP is not considered secure.
y Do not use a public wi-fi (for example, at a coffee café or airport) to
access business email or sensitive documents
Use of multi-factor authentication (discussed earlier) and a secure
Virtual Private Network (VPN) should be minimum standards for remote
access to the firm’s office network. A VPN provides a secure, encrypted
tunnel to transmit data between a teleworking employee and the
company network. Search for “Best VPNs” to find a legitimate vendor.
Some firms issue laptops to teleworking employees in order to control
the IT environment..
Protect Stored Client Data
Cybercriminals work hard through various tactics to penetrate your
network or trick you into disclosing passwords. They may steal the
data, hold the data for ransom or use your own computers to complete
and file fraudulent tax returns. Here are a few basic steps to protect
client data stored on your systems:
y Backup encrypted copies of client data to external hard drives
(USBs, CDs, DVDs) or use cloud storage; keep external drives in a
secure location; encrypt data before uploading to the cloud. This is
your best protection against ransomware attacks.
y Use drive encryption to lock files and all devices; encrypted files
require a password to open.
y Avoid attaching USB drives and external drives with client data to
public computers.
y Avoid installing unnecessary software or applications to the business
network; avoid offers for “free” software, especially security software,
which is often a ruse by criminals; download software or applications
only from official sites.
y Perform an inventory of devices where client tax data are stored, i.e.,
laptops, smart phones, tablets, external hard drives, etc.; inventory
software used to process or send tax data, i.e., operating
systems,browsers, applications, tax software, web sites, etc.
7
|
|
SAFEGUARDING TAXPAYER DATA
y Limit or disable internet access capabilities for devices that have
stored taxpayer data.
y Delete all information from devices, hard drives, USBs (flash drives),
printers, tablets or phones before disposing of devices; some security
software include a “shredder” that electronically destroys stored files.
y Physically destroy hard drives, tapes, USBs, CDs, tablets or phones
by crushing, shredding or burning; shred or burn all documents
containing taxpayer information before throwing away.
Be on Guard
Spot Data Theft
You or your firm may be a victim and not even know it. Here are some
common clues to data theft:
y Client e-filed tax returns begin to reject because returns with their
Social Security numbers were already filed.
y Clients who haven’t filed tax returns begin to receive authentication
letters (5071C, 4883C, 5747C) from the IRS.
y Clients who haven’t filed tax returns receive refunds.
y Clients receive tax transcripts they did not request.
y Clients who created an IRS online services account receive an IRS
notice that their account was accessed or IRS emails stating their
account has been disabled; or, clients receive an IRS notice that an
IRS online account was created in their names.
y The number of returns filed with tax practitioner’s Electronic Filing
Identification Number (EFIN or Preparer Tax Identification Number
(PTIN)) exceeds number of returns you actually filed.
y Tax professionals or clients responding to emails that practitioner did
not send.
y Network computers running slower than normal or computers turning
themselves on.l.
y Computer cursors moving or changing numbers without touching the
keyboard.
y Network computers locking out tax practitioners.
Monitor EFIN/PTINs
You can obtain a weekly report of the number of tax returns filed with
your Electronic Filing Identification Number or your Preparer Tax
Identification Number. Only those preparers who are attorneys, CPAs,
enrolled agents or Annual Filing Season Program participants and who
file 50 or more returns may obtain PTIN information. Weekly checks will
help flag any abuses. Here’s how:
8
|
|
SAFEGUARDING TAXPAYER DATA
For EFIN totals:
y Access your e-Services account and your EFIN application;
y Select “EFIN Status” from the application;
y Contact the IRS e-help Desk if the return totals exceed the number of
returns you filed.
For PTIN totals:
y Access your online PTIN account;
y Select “View Returns Filed Per PTIN;”
y Complete Form 14157, Complaint: Tax Return Preparer, to report
excessive use or misuse of PTIN.
If you have a Centralized Authorization File (CAF) number, make sure
you keep your authorizations up to date. Remove authorizations for
taxpayers who are no longer your clients. (See “Withdrawal of
Representation” in Publication 947, Practice Before the IRS and Power
of Attorney.)
Recognize Phishing Scams
All employees in your office must be educated on the dangers of
phishing scams. These scams can result in cybercriminals taking over
your computer or accounts to steal client data.
y A common way cybercriminals steal data is by using phishing scams.
An even more successful tactic is called spear phishing, where the
thief specifically targets you or your firm, perhaps seeing your email
address from the office website.
y The thief may pose as your tax software provider, your data storage
provider, the IRS or even a prospective client. The thief may pose as
your bank or as a professional colleague whose email was
compromised. See Don’t Take the Bait.
y Thieves may hijack your email account to send spam emails under
your name, tricking colleagues and clients into disclosing information.
y Generally, phishing or spear phishing emails have an urgent subject
line. Example: Update Your Account Now. The objective is to entice
you to open a link or an attachment.
• Link: The link may take you to a fake web page designed to look
like a familiar website. Example: IRS e-Services. Again, there will
be a call to action, such as “Click here NOW.” You may be asked
to enter your username and password for an account, but you
actually are disclosing your credentials to thieves.
• Attachment: The attachment may contain computer code
calledmalware that can infect your computer and network
systems. A common malware is keystroke tracking, which allows
the criminal to see the words you type on your device, eventually
9
|
|
SAFEGUARDING TAXPAYER DATA
disclosing your username and password to various accounts. In
turn, this gives them access to your tax software provider, bank or
encrypted client files..
y A legitimate business will never email and request personal or
sensitive information be sent to them via email, unless through a
secured mail service.
Guard Against Phishing Emails
Educated employees are the key to avoiding phishing scams, but these
simple steps also can help protect against stolen data:
y Use separate personal and business email accounts; protect email
accounts with strong passwords and two-factor authentication if
available.
y Install an anti-phishing tool bar to help identify known phishing sites.
Anti-phishing tools may be included in security software products.
y Use security software to help protect systems from malware and scan
emails for viruses.
y Never open or download attachments from unknown senders,
including potential clients; make contact first by phone, for example.
y Send only password-protected and encrypted documents if you must
share files with clients via email or use Secure File Transfer Protocol
(SFTP) to transmit files instead of email.
y Do not respond to suspicious or unknown emails; if IRS-related,
forward to phishing@irs.gov.
Be Safe on the Internet
Data security takes an ongoing awareness about the threats posed
from a variety of sources, including browsing the Internet. Here are
some general steps for staying safe while using the Internet or
protecting your website.
y Keep your web browser software up to date so that it has the latest
security features.
y Scan files using your security software before downloading to your
computer.
y Delete web browser cache, temporary internet files, cookies and
browsing history on a regular schedule.
y Look for the “S” in “HTTPS” connections for Uniform Resource
Locator (URL) web addresses. The “S” stands for secure, e.g.,
https://www.irs.gov.
y Avoid accessing business emails or information from public wi-fi
connections.
y
10 Disable stored password feature offered by some operating systems.
|
|
SAFEGUARDING TAXPAYER DATA
y Enable your browser’s pop-up blocker. Do not call any number from
pop-ups claiming your computer has a virus or click on tools claiming
to delete viruses.
y Do not download files, software or applications from unknown
websites.
y Note if your browser homepage changes; it could be a sign of
malware or an intrusion. Review your last downloads and browser
settings, check to see if you have anything new in your toolbar.
Report and Respond
Report Data Loss to IRS/States
Tax practitioners should report data losses or thefts immediately to the
IRS so that appropriate precautions can be made to protect clients from
fraudulent returns being filed in their names. Here’s how to report data
thefts to the IRS:
y Contact the IRS and law enforcement:
• Internal Revenue Service, report client data theft to your local
stakeholder liaison.
• Federal Bureau of Investigation, your local office
(if directed by IRS).
• Local police – To file a police report on the data breach.
y Contact states in which you prepare state returns:
• Visit the Federation of Tax Administrators “Report a Data
Breach” to find state contact information.
y Contact experts:
• Security expert – to determine the cause and scope of the breach,
to stop the breach and to prevent further breaches from
occurring.
• Insurance company – to report the breach and to check if your
insurance policy covers data breach mitigation expenses.
For a complete checklist, see Data Theft Information for Tax
Professionals.
If you are a victim of a ransomware attack, please contact the FBI and
Cybersecurity and Infrastructure Security Agency (CISA) of the
Department of Homeland Security (DHS) in addition to the IRS.
11
|
|
SAFEGUARDING TAXPAYER DATA
Respond and Recover from
a Data Loss
The Federal Trade Commission offers assistance to businesses who
were victimized by data thefts and provides templates for letters that,
for example, notify clients that a data loss has occurred. Here are some
basic suggestions on how to recover from a data theft:
y Update your IRS Stakeholder Liaison with developments; IRS
telephone assistors cannot accept third-party reports of identity theft.
y Review FTC’s Data Breach Response: A Guide for Business for helpful
guidance in notifying clients and tips for responding and recovering.
y Determine how the intrusion or theft occurred and make any required
fixes before resuming tax preparation activities and being issued a
new Electronic Filing Identification Number (EFIN).
y Develop a continuity plan.
y Make full backups of all business data and files. If you weren’t doing.
• A routine backup means you will have a copy of your data. A data
loss or ransomware attack (as well as a hurricane or flood) will not
destroy all your files.
• Encrypt backed up files.
• Consider a monthly backup schedule, or more often during the
filing season.
• Backup files after completing a routine system scan.
• Use an external hard drive or cloud storage; encrypt files prior to
uploading to.
Consult with your professional insurance provider about data theft
protection.
• Insurance firms can help preparers recover from a theft.
• Insurance firms may help provide security experts to analyze
protections or detect intrusions.
12
|
|
SAFEGUARDING TAXPAYER DATA
Comply with the FTC
Safeguards Rule
Understand the FTC Safeguards Rule
Under the Safeguards Rule, financial institutions must protect the
consumer information they collect. The Gramm-Leach-Bliley (GLB) Act
requires companies defined under the law as “financial institutions” to
ensure the security and confidentiality of this type of information. The
“financial institutions” definition includes professional tax preparers.
As part of its implementation of the GLB Act, the Federal Trade
Commission issued the Safeguards Rule, which requires financial
institutions under FTC jurisdiction to have measures in place to keep
customer information secure. The Safeguards Rule requires companies
to develop a written information security plan that describes their
program to protect customer information. See Publication 5708 for
information on creating a written information security plan.
Comply with the FTC Safeguards Rule
According to the FTC, the required information security plan must be
appropriate to the company’s size and complexity, the nature and scope
of its activities and the sensitivity of the customer information it handles.
As part of its plan, each company must:
y Designate a qualified individual responsible for overseeing and
implementing your information security program and enforcing your
information security program;
y implement Multi-factor Authentication. Implement for anyone
accessing customer information on your system. The FTC Safeguards
Rule requires at least two of these following authentication factors: a
knowledge factor (for example a password), a possession factor (for
example, a token), and an inherence factor (for example biometric
information). This is required for all companies regardless of size.
y identify and assess the risks to customer information in each relevant
area of the company’s operation, and evaluate the effectiveness of the
current safeguards for controlling these risks;
y design and implement a safeguards program, and regularly monitor
and test it;
y select service providers that can maintain appropriate safeguards,
make sure your contract requires them to maintain safeguards, and
oversee their handling of customer information; and
y evaluate and adjust the program in light of relevant circumstances,
including changes in the firm’s business or operations, or the results
of security testing and monitoring.
y provide security awareness training and schedule regular refreshers.
The requirements are designed to be flexible. Companies should
13 implement safeguards appropriate to their own circumstances.
|
|
SAFEGUARDING TAXPAYER DATA
Checklist for Creating Plan
TThe Safeguards Rule requires companies to assess and address the
risks to customer information in all areas of their operation, including
three areas that are particularly important to information security:
Employee Management and Training; Information Systems; and
Detecting and Managing System Failures.
Not each of these recommendations will apply to circumstances found
in tax preparer offices, but they still provide the building blocks for the
creation of a security plan and reinforce IRS recommendations that tax
professionals establish strong security protocols. Depending on the
nature of their business operations, firms should consider implementing
the following practices:
ONGOING DONE N/A Employee Management
and Training
n n n n nn The success of your information security plan depends largely on the employees
who implement it. Consider these steps:
n n n n n n Check references or doing background checks before hiring employees who will
have access to customer information.
n n n n n n Ask every new employee to sign an agreement to follow your company’s
confidentiality and security standards for handling customer information.
n n n n n n Limit access to customer information to employees who have a business reason to
see it. For example, give employees who respond to customer inquiries access to
customer files, but only to the extent they need it to do their jobs.
n n n n n n Control access to sensitive information by requiring employees to use “strong”
passwords that must be changed on a regular basis. (Tough-to-crack passwords
require the use of at least six characters, upper- and lower-case letters, and a
combination of letters, numbers, and symbols.) (IRS suggestion: passwords should
be a minimum of eight characters, the NIST standard. Prevent password sharing;
ensure each employee with access to taxpayer accounts uses a unique password.)
n n n n n n Require multi-factor authentication for anyone accessing customer information on
your system.
n n n n n n Use password-activated screen savers to lock employee computers after a period
of inactivity.
n n n n n n Develop policies for appropriate use and protection of laptops, PDAs, cell phones,
or other mobile devices. For example, make sure employees store these devices
in a secure place when not in use. Also, consider that customer information in
encrypted files will be better protected in case of theft of such a device.
n n n n n n Train employees to take basic steps to maintain the security, confidentiality, and
integrity of customer information, including:
n n n n n n • Locking rooms and file cabinets where records are kept;
n n n n n n • Not sharing or openly posting employee passwords in work areas;
14
|
|
SAFEGUARDING TAXPAYER DATA
ONGOING DONE N/A
n n n n nn • Encrypting sensitive customer information when it is transmitted electronically via
public networks;
n n n n n n • Referring calls or other requests for customer information to designated individuals
who have been trained in how your company safeguards personal data; and
n n n n n n • Reporting suspicious attempts to obtain customer information to designated
personnel.
n n n n n n Regularly remind all employees of your company’s policy — and the legal
requirement — to keep customer information secure and confidential. For example,
consider posting reminders about their responsibility for security in areas where
customer information is stored, like file rooms.
n n n n n n Develop policies for employees who telecommute. For example, consider
whether or how employees should be allowed to keep or access customer data
at home. Also, require employees who use personal computers to store or access
customer data to use protections against viruses, spyware, and other unauthorized
intrusions.
n n n n n n Impose disciplinary measures for security policy violations.
n n n n n n Prevent terminated employees from accessing customer information by
immediately deactivating their passwords and user names and taking other
appropriate measures.
n n n n n n (IRS Suggestion: Add labels to documents to signify importance, such as
“Sensitive” or “For Official Business” to further secure paper documents.)
Information Systems
Information systems include network and software design, and information
processing, storage, transmission, retrieval, and disposal. Here are some FTC
suggestions on maintaining security throughout the life cycle of customer
information, from data entry to data disposal:
n n n n n n Know where sensitive customer information is stored and store it securely. Make
sure only authorized employees have access. For example:
n n n n n n • Ensure that storage areas are protected against destruction or damage from
physical hazards, like fire or floods.
n n n n n n • Store records in a room or cabinet that is locked when unattended.
• When customer information is stored on a server or other computer, ensure
that the computer is accessible only with a “strong” password and is kept in a
physically secure area. (IRS Suggestion: If using a cloud storage service, use
a strong password, multi-factor authentication options and beware of thieves
posing as providers.)
n n n n n n • Where possible, avoid storing sensitive customer data on a computer with an
Internet connection.
n n n n n n • Maintain secure backup records and keep archived data secure by storing it off-
line and in a physically-secure area.
1515
|
|
SAFEGUARDING TAXPAYER DATA
ONGOING DONE N/A
n n n n nn • Maintain a careful inventory of your company’s computers and any other
equipment on which customer information may be stored.
Take steps to ensure the secure transmission of customer information. For
example:
n n n n n n • When you transmit credit card information or other sensitive financial data, use a
Secure Sockets Layer (SSL) or other secure connection, so that the information
is protected in transit. (IRS Suggestion: Transport Layer Security 1.1 or 1.2 is
newer and more secure.)
n n n n n n • If you collect information online directly from customers, make secure transmission
automatic. Caution customers against transmitting sensitive data, like account
numbers, via email or in response to an unsolicited email or pop-up message.
n n n n n n • If you must transmit sensitive data by email over the Internet, be sure to encrypt
the data. (IRS Suggestion: Rather than using email, transmit files via Secure File
Transfer Protocol (SFTP), successor to File Transfer Protocol (FTP)).
n n n n n n Dispose of customer information in a secure way and, where applicable, consistent
with the FTC’s Disposal Rule. For example:
n n n n n n • Consider designating or hiring a records retention manager to supervise the
disposal of records containing customer information. If you hire an outside
disposal company, conduct due diligence beforehand by checking references or
requiring that the company be certified by a recognized industry group.
n n n n n n • Burn, pulverize, or shred papers containing customer information so that the
information cannot be read or reconstructed.
n n n n n n • Destroy or erase data when disposing of computers, disks, CDs, magnetic
tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or
hardware containing customer information.
Detecting and Managing
System Failures
Effective security management requires your company to deter, detect, and defend
against security breaches. That means taking reasonable steps to prevent attacks,
quickly diagnosing a security incident, and having a plan in place for responding
effectively. Consider implementing the following procedures:
n n n n n n Monitor the websites of your software vendors and read relevant industry
publications for news about emerging threats and available defenses.
n n n n n n Maintain up-to-date and appropriate programs and controls to prevent
unauthorized access to customer information. Be sure to:
n n n n n n • check with software vendors regularly to get and install patches that resolve
software vulnerabilities;
n n n n n n • use anti-virus and anti-spyware software that updates automatically;
1616
|
|
SAFEGUARDING TAXPAYER DATA
ONGOING DONE N/A
n n n n nn • maintain up-to-date firewalls, particularly if you use a broadband Internet
connection or allow employees to connect to your network from home or other
off-site locations;
n n n n n n • regularly ensure that ports not used for your business are closed; and
n n n n n n • promptly pass along information and instructions to employees regarding any
new security risks or possible breaches.
Use appropriate oversight or audit procedures to detect the improper disclosure or
theft of customer information. It’s wise to:
n n n n n n • keep logs of activity on your network and monitor them for signs of unauthorized
access to customer information;
n n n n n n • use an up-to-date intrusion detection system to alert you of attacks;
n n n n n n • monitor both in- and out-bound transfers of information for indications of a
compromise, such as unexpectedly large amounts of data being transmitted from
your system to an unknown user; and
n n n n n n • insert a dummy account into each of your customer lists and monitor the account
to detect any unauthorized contacts or charges.
Take steps to preserve the security, confidentiality, and integrity of customer
information in the event of a breach. If a breach occurs:
n n n n n n • take immediate action to secure any information that has or may have been
compromised. For example, if a computer connected to the Internet is
compromised, disconnect the computer from the Internet;
n n n n n n • preserve and review files or programs that may reveal how the breach occurred;
and
n n n n n n • if feasible and appropriate, bring in security professionals to help assess the
breach as soon as possible.
Consider notifying consumers, law enforcement, and/or businesses in the event of
a security breach. For example:
n n n n n n • notify consumers if their personal information is subject to a breach that poses a
significant risk of identity theft or related harm;
n n n n n n • notify law enforcement if the breach may involve criminal activity or there is
evidence that the breach has resulted in identity theft or related harm;
n n n n n n • notify the credit bureaus and other businesses that may be affected by the
breach. See Information Compromise and the Risk of Identity Theft: Guidance for
n n n n n n Your Business; and
n n n n n n • check to see if breach notification is required under applicable state law.
n n n n n n • (IRS suggestions: Practitioners who experience a data loss should contact the
IRS and the states. Also, consider having a technical support contract in place,
so that hardware events can be fixed within a reasonable time and with minimal
disruption to business availability.)
1717
|
|
SAFEGUARDING TAXPAYER DATA
Glossary
Adware
Computer advertising software that may or may not monitor computer use to
target ads.
Confidentiality
Restrictions placed on information access and disclosure, including means for
protecting personal privacy and proprietary information.
Denial of Service
An attack that prevents or impairs the authorized use of networks, systems or
applications by exhausting resources.
Encrypt
To convert plain text to unintelligible text using a cryptographic algorithm.
Information Security
The process that ensures the protection of information and information systems
from unauthorized access, use, disclosure, disruption, modification or destruction.
Intrusion Detection
The act of detecting actions that attempt to compromise the confidentiality,
integrity or availability of a resource.
Keylogging
The action of recording (logging) the keys struck on a keyboard, typically
covertly, so that the person using the keyboard is unaware that their actions are
being monitored. Often secretly downloaded by malware, keylogging enables the
theft of usernames and passwords among other things.
Malware
Refers to malicious software (malware) programs designed to damage or
perform other unwanted actions on a computer system. Examples of malware
are viruses, worms, Trojan horses, and spyware.
Management Safeguards
The security safeguards or countermeasures for an information system that
focus on the management of risk and the management of information system
security.
Multi-factor Authentication
A security system that requires returning users to enter more than just creden-
tials (username and password) to access an account or device, such as
two-factor or three-factor authentication. Example: e-Services is protected by
IRS Secure Access, a two-factor authentication process that requires returning
users to enter their credentials and a security code sent as text to a mobile
phone. Tax professionals should always use the highest multifactor authentica-
tion available.
Operational Safeguards
Security for an information system that is primarily implemented and executed
by people rather than by a system.
Phishing
An attempt by an individual or group to solicit personal information from
unsuspecting users by employing social engineering techniques. Phishing emails
are crafted to appear as if they have been sent from a legitimate organization or
known individual. These emails often attempt to entice users to click on a link
that will take the user to a fraudulent website that appears legitimate.
18
|
|
SAFEGUARDING TAXPAYER DATA
Ransomware
A type of malicious software, or malware, designed to block access to a
computer system until a ransom is paid. Ransomware is typically spread through
phishing emails or by unknowingly visiting an infected website.
Risk
The likelihood that the unwanted impact of an incident will be realized.
Risk Assessment
The process of identifying risks and determining the probability of occurrence,
the resulting impact and additional security controls that would mitigate this
impact.
Risk Management
The process of managing risks through risk assessment; cost-benefit analysis;
the selection, implementation, and assessment of security controls; and the
formal authorization to operate the system. The process includes consideration
of effectiveness, efficiency and constraints due to laws, directives, policies, or
regulations.
Safeguard
Protective measures prescribed to meet the security requirements specified for
an information system. Safeguards may include security features, management
constraints, personnel security and security of physical structures, areas, and
devices.
Security Controls
Safeguards designed to protect the confidentiality, integrity and availability of a
system and its information.
Security Plan
Formal document that provides an overview of the security requirements for the
information system and describes the security controls in place or planned for
meeting those requirements.
Spear Phishing
Phishing attempts directed at specific individuals or companies; attackers may
gather personal information about their target to increase their probability of
success. This technique is by far the most successful on the Internet today,
accounting for 91% of attacks
Spyware
Software installed into an information system to gather information on individuals
or organizations without their knowledge.
Social Engineering
The manipulation of people into performing actions such as deviating from
standard security practices or divulging confidential information that give
attackers access to systems or confidential information.
Technical Safeguards
Controls for a system that are primarily implemented and executed by the
information system through mechanisms contained in the hardware, software or
firmware components of the system.
Threat
Any circumstance or event with the potential to adversely impact operations,
assets or individuals through an information system via unauthorized access,
destruction, disclosure, modification of information and/or denial of service.
19
|
|
SAFEGUARDING TAXPAYER DATA
Trojan Horse
A computer program used to attack a computer system by secretly allowing,
among other things, unauthorized access or alteration of data or software.
Virus
A computer program used to compromise a computer system by performing
functions that may be destructive. A virus may alter other programs to include a
copy of itself and execute when the host program or other executable compo-
nent is executed.
Vulnerability
Weakness in a system through procedures, internal controls or implementation
that could be exploited or triggered by a threat source.
Worm
A computer program used to compromise a computer system by impacting
performance. A worm can travel from computer to computer across network
connections replicating itself.
20
|
|
SAFEGUARDING TAXPAYER DATA
NOTE: The Internal Revenue Service prepared this guide as an
outreach educational effort for all tax preparers, transmitters, and
software developers. If you have any comments or suggestions for
future updates, please send an e-mail to:
Safeguard.data.tp@irs.gov
Publication 4557 (Rev. 6-2024) Catalog Number 48905Y Department of the Treasury Internal Revenue Service www.irs.gov
|