The IRS recently reported (IR-2017-176) a 30% decline in confirmed identity theft returns from 2016 to 2017 and a 40% reduction in taxpayer self-reported identity theft (http://bit.ly/2xQTuR4). Still, the heavy reliance on technology for data processing, which requires the use of employer identification numbers and Social Security numbers, creates the opportunity for identity theft. As taxpayers and businesses await the consequences of the Equifax data breach that occurred in May–July 2017 (and was reported in September), CPAs can avail themselves of practical, proactive resources to assist taxpayers, companies, and their own firms to create strong defenses against information thieves. Two great places to start are the Taxing Subjects blog and the Federal Trade Commission’s Business Center.
Taxing Subjects
Taxing Subjects is a free blog published by popular tax preparation software provider Drake Software at https://taxingsubjects.com. The blog focuses on tax industry news, software, and technology, with an emphasis on information that is important to tax professionals. Topics related to information security, tax scams, identity theft, and IRS policies and procedures are regularly addressed. The content-rich articles are well worth the attention of busy CPAs, as they pull together resources that do not necessarily turn up on other blog and news sites.
“Where to Start in Cybersecurity” (Aug. 30, 2017) identifies two interesting resources that may be new to readers (http://bit.ly/2xReNSM). IRS Publication 4557, Safeguarding Taxpayer Data – A Guide for Your Business (http://bit.ly/2fQs84K) is a downloadable 20-page booklet that includes tips for starting the process of securing taxpayer data, such as assigning an individual to be responsible for safeguards, making a list of storage locations, and creating a written plan. The PDF contains seven checklists, including administrative activities, information systems security, and media security. It also provides references to laws and regulations, and standards and best practices.
Small Business Information Security: The Fundamentals (http://bit.ly/2l2jmZ1), published by the National Institute of Standards and Technology (NIST), is a 54-page reference book on basic security for information systems and networks. It explains how to deploy an information program, provides steps to improve information security, and contains examples of best practices. Appendix D offers useful worksheets for identifying business risks, and Appendix E lists sample policy and procedure statements.
A related Taxing Subjects article, “Make Data Security an Everyday Priority” (Sept. 12, 2017, http://bit.ly/2yVwfdB) introduces the IRS’s “Don’t Take the Bait” campaign, and includes a link to a handy two-page online safety guide (http://bit.ly/2yBRhNv) that can be laminated and placed by every computer in the office.
“Life After Data Theft: Steps for Tax Pros” (Sept. 19, 2017, http://bit.ly/2xShFUb) discusses the Equifax data breach on an individual level and answers the question of what accountants should do if their offices are hacked. The article states that the first step is to create an Excel CSV (comma-separated values) document of affected taxpayer names and Social Security numbers. Then contact the local IRS stakeholder liaison, furnish the IRS with the encrypted Excel file, and work through the liaison to access other offices of the IRS, including the Criminal Investigation Division. While this is very good advice, the most efficient initial response may be to contact the firm’s insurance company, which can provide specific guidance for the firm’s circumstances. It may also be necessary to notify the Federal Bureau of Investigation, the Secret Service, local police, and the state attorney general (see the Sidebar for website information). At some point, affected clients will need to be informed, but this should only be done after certain preparatory steps have been taken.
FTC Business Center
The Federal Trade Commission (FTC) Business Center (https://www.ftc.gov/tips-advice/business-center) provides information for small businesses on marketing and finance, as well as privacy and security topics. The FTC plays a role in protecting small businesses from scams and cybersecurity threats, including making available some very useful resources for information security. The most on-point materials are under the privacy and security sections of the website.
The Data Security main page (http://bit.ly/2imvdQV) serves as an alphabetical table of contents and is a good place to begin exploring FTC articles, guidebooks, and videos. One example is “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business” (http://bit.ly/2yzWi8R), which discusses how organizations can put into practice a written identity theft prevention program that aids in identifying suspicious patterns, preventing occurrences, and minimizing damage. The Red Flags Rule from the Fair and Accurate Credit Transaction Act of 2003 specifically applies to financial institutions and some creditors, but the article’s listing of common red flags should be very helpful to tax accountants, as well as any businesses that obtain or retain personal information.
The FTC’s guidebooks are available online and can also be downloaded in PDF format or ordered in bulk quantities for free (including shipping). Some articles include links to related resources, websites, and videos. Start with Security: A Guide for Business (June 2015, http://bit.ly/2yAiKyM) is a 14-page document that provides 10 very practical and specific suggestions, including not collecting unnecessary personal information, retaining information only as long as needed, and not using personal information when it is not needed. The article also contains links to 10 short videos covering the steps. The “Stick with Security” business blog sequence (http://bit.ly/2yBHYNw) expands on the 10 suggestions and provides examples for each recommended action.
Data Security Resources
AICPA Cybersecurity Resource Center
Better Business Bureau
https://www.bbb.org/council/for-businesses/cybersecurity/
Equifax Cybersecurity Incident
Federal Bureau of Investigation Field Offices
https://www.fbi.gov/contact-us/field-offices
Federal Trade Commission: Identity Theft
IRS: Don’t Take the Bait
https://www.irs.gov/e-file-providers/dont-take-the-bait
IRS: Protect Your Clients, Protect Yourself
https://www.irs.gov/tax-professionals/protect-your-clients-protect-yourself
IRS: Stakeholder Liaison Local Contacts
https://www.irs.gov/businesses/small-businesses-self-employed/stakeholder-liaison-local-contacts-1
National Association of Attorneys General Contact List
http://www.naag.org/naag/attorneys-general/whos-my-ag.php
National Institute of Business Technology Computer Security Resource Center
Secret Service Field Office Locator
Data Breach Response: A Guide for Business (September 2016, http://bit.ly/2gd2po2) recommends assembling a team of experts (including independent forensic investigators and legal counsel), removing information improperly posted to the organization’s website, and notifying law enforcement and affected individuals and businesses (the article provides a model letter for this purpose). Protecting Personal Information: A Guide for Business (October 2016, http://bit.ly/2yzYFZa) covers five principles for an effective data security plan: 1) take stock, 2) scale down, 3) lock it, 4) pitch it, and 5) plan ahead. The topics are addressed in bullet-point format, with specific recommendations that are straightforward and easy to understand.