The FTC requires CPAs, EAs, tax preparers and other finance professionals to have a written information security plan.
Protecting clients’ sensitive data is probably the hottest topic these days for anybody who handles it. Reports of data breaches hit the news daily.
Under the Safeguards Rule, tax preparers must implement security plans to protect client data. Failure to do so may result in a Federal Trade Commission investigation.
The Financial Services Modernization Act of 1999 has been around for some time, but many practitioners are unaware that they are actually required to develop a written security plan that fully describes how their firm is prepared to protect clients’ nonpublic personal information. Recently this has become a significant concern and has moved to the forefront of enforcement.
The IRS, mindful of the confusion in the profession, has boosted its efforts to remind practitioners of their responsibility and has issued several recent email alerts to the community.
In mid-October 2019, when practitioners were starting to renew their PTINs (Preparer Tax Identification Numbers), they noticed a statement on their data security responsibilities added to the renewal process. Practitioners were instructed to check a box to confirm their awareness of their responsibility to have a data security plan and to provide data and system security.
Federal law now requires all tax preparers to develop and implement an information security plan (ISP) that creates effective administrative, technical and physical safeguards for the protection of client information. The ISP sets forth procedures for evaluating and addressing the electronic and physical methods of accessing, collecting, storing, using, transmitting and protecting client information.
As part of the ISP, the firm must identify the internal and external risks to the security, confidentiality and integrity of client information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of that information, and must implement the following safeguards to control those risks:
- Data loss prevention (DLP): This describes how data is controlled, recorded and monitored as it moves through the organization both internally and externally.
- Encryption: Anything that stores, transmits or accesses client data must be encrypted.
- Multifactor authentication (MFA): Two or more authentication factors, such as a PIN, password, biometric or token, are always used.
- Least amount of access: Access to specific client files, folders and environments is limited to the minimum each person needs.
- Network access restrictions: This describes the use of firewalls and a virtual private network (VPN) to ensure only managed and controlled devices/environments have access to client data.
Design and implementation of safeguards program: The risk assessment and safeguard control policies described above apply to all methods of handling or disposing of client information, whether in electronic, paper or other forms. The representative will, on a regular basis, implement safeguards to control the risks identified through such assessments and regularly test or otherwise monitor the effectiveness of those safeguards in relevant areas of the firm’s operations, including:
- Information systems: The representative will assess the risks to financial information associated with the firm’s information systems, including network and software design, information processing, and the storage, transmission and disposal of financial information. The representative will coordinate with relevant departments, as appropriate, to assess these risks. This section should list the relevant procedures and offer recommendations.
- Employee management and training: The representative will evaluate the effectiveness of the firm’s procedures and practices relating to access and use of client information. This evaluation will include assessing the effectiveness of the firm’s current policies and procedures, in coordination with relevant departments as appropriate, as well as the adequacy of employee training. This section should list the relevant procedures and offer recommendations.
- Detecting and managing system failures: The representative will evaluate procedures and methods for deterring, detecting, preventing and responding to attacks or other system failures; existing network access and security policies and procedures; and procedures for coordinating responses to network attacks and developing incident response teams and policies. The representative may elect to delegate responsibility for monitoring, and participating in the dissemination of, information related to the reporting of known security attacks and other threats to the integrity of networks used by the firm, and will coordinate with relevant departments as appropriate. This section should list the relevant procedures and offer recommendations.
Protocols to select service providers that can maintain appropriate safeguards: The representative shall coordinate with those responsible for the third-party service procurement activities to raise awareness of, and to institute methods for, selecting and retaining only those service providers that maintain appropriate safeguards for client information. The representative will also oversee the handling of client information by third-party service providers as follows.
Examples: Find a local service provider; check the references of the potential service provider; provide the potential service provider a copy of the ISP and request a review of the ISP by the potential service provider; obtain a copy of the potential service provider’s ISP as it relates to client data; confirm the potential service provider has experience with the firm’s type of practice; inquire if the potential service provider has the experience to support the firm’s hardware and software, and check for the potential service provider’s certifications and partnerships with major manufacturers.
Procedures for the evaluation and periodic adjustment of the ISP: The representative will evaluate and adjust the ISP based on the risk identification and assessment activities undertaken pursuant to the ISP, as well as any material changes to the firm’s operations or other circumstances that may have a material impact on the ISP as follows.
List all relevant procedures. Examples: Designate an unrelated party to evaluate security risks periodically; schedule and perform semiannual meetings with service provider personnel and regularly discuss staff experiences with the service provider for any security concern.
Also, as part of a business’s ISP, it must:
- Designate one or more employees to coordinate its ISP.
- Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.
- Design and implement a safeguards program and regularly monitor and test it.
- Select service providers that can maintain appropriate safeguards, make sure the contracts with the service providers require them to maintain safeguards and oversee their handling of customer information.
- Evaluate and adjust the plan considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
The firm should publish its privacy statement on its website. The firm is required to develop a written information security plan that describes how it is prepared to protect its clients’ nonpublic personal information. Practitioners, by checking the box, have already confirmed their awareness of their responsibility to have a data security plan and to provide data and security protections for all taxpayer information. It is a given.
If you need help putting such a data protection plan together and implementing it, Infostream can help with that.