Practical Data Security Resources

“Where to Start in Cybersecurity” (Aug. 30, 2017) identifies two interesting resources that may be new to readers (http://bit.ly/2xReNSM). IRS Publication 4557, Safeguarding Taxpayer Data – A Guide for Your Business(http://bit.ly/2fQs84K) is a downloadable 20-page booklet that includes tips for starting the process of securing taxpayer data, such as assigning an individual to be responsible for safeguards, making a list of storage locations, and creating a written plan. The PDF contains seven checklists, including administrative activities, information systems security, and media security. It also provides references to laws and regulations, and standards and best practices.

Small Business Information Security: The Fundamentals (http://bit.ly/2l2jmZ1), published by the National Institute of Standards and Technology (NIST), is a 54-page reference book on basic security for information systems and networks. It explains how to deploy an information program, provides steps to improve information security, and contains examples of best practices. Appendix D offers useful worksheets for identifying business risks, and Appendix E lists sample policy and procedure statements.

A related Taxing Subjects article, “Make Data Security an Everyday Priority” (Sept. 12, 2017, http://bit.ly/2yVwfdB) introduces the IRS’s “Don’t Take the Bait” campaign, and includes a link to a handy two-page online safety guide (http://bit.ly/2yBRhNv) that can be laminated and placed by every computer in the office.

“Life After Data Theft: Steps for Tax Pros” (Sept. 19, 2017, http://bit.ly/2xShFUb) discusses the Equifax data breach on an individual level and answers the question of what accountants should do if their offices are hacked. The article states that the first step is to create an Excel CSV (comma-separated values) document of affected taxpayer names and Social Security numbers. Then contact the local IRS stakeholder liaison, furnish the IRS with the encrypted Excel file, and work through the liaison to access other offices of the IRS, including the Criminal Investigation Division. While this is very good advice, the most efficient initial response may be to contact the firm’s insurance company, which can provide specific guidance for the firm’s circumstances. It may also be necessary to notify the Federal Bureau of Investigation, the Secret Service, local police, and the state attorney general (see the Sidebar for web-site information). At some point, affected clients will need to be informed, but this should only be done after certain preparatory steps have been taken.

FTC Business Center

The Federal Trade Commission (FTC) Business Center (https://www.ftc.gov/tips-advice/business-center) provides information for small businesses on marketing and finance, as well as privacy and security topics. The FTC plays a role in protecting small businesses from scams and cybersecurity threats, including making available some very useful resources for information security. The most on-point materials are under the privacy and security sections of the website.

The Data Security main page (http://bit.ly/2imvdQV) serves as an alphabetical table of contents and is a good place to begin exploring FTC articles, guidebooks, and videos. One example is “Fighting Identity Theft with the Red Flags Rule: A How-To Guide for Business” (http://bit.ly/2yzWi8R), which discusses how organizations can put into practice a written identity theft prevention program that aids in identifying suspicious patterns, preventing occurrences, and minimizing damage. The Red Flags Rule from the Fair and Accurate Credit Transaction Act of 2003 specifically applies to financial institutions and some creditors, but the article’s listing of common red flags should be very helpful to tax accountants, as well as any businesses that obtain or retain personal information.