The Internal Revenue Service and its Security Summit partners want to remind tax professionals they should report data theft immediately to the IRS and follow an established process for helping the IRS protect their clients.
If notified promptly, the IRS can help stop fraudulent tax returns from being filed in clients’ names, thereby avoiding refund delays and other problems for the affected tax professional. But this action requires the cooperation of the tax professional with the IRS, it stated in a news release.
The IRS, state tax agencies and the private-sector tax industry are calling on all tax professionals to pause this summer and review their security measures and make appropriate changes. Acting as the Security Summit, the partners created a special “Taxes-Security-Together” checklist to help tax professionals with this review. Fraudulent returns using stolen tax data are harder to detect.
“Our objective is to get every tax professional to stop and think about client data security. The ‘Taxes-Security-Together’ Checklist is intended as a starting point, spelling out the basic steps necessary to start a security review,” said Chuck Rettig, IRS Commissioner in the news release. Practitioners are the first line of defense against organized criminal syndicates running these identity theft scams. Despite our progress, this is no time to let down our guard in the tax community. We need your help.”
Create a Plan
Creating a data theft recovery plan is the fifth and final action item in this summer’s Security Summit series. Previous checklist topics included: deploying the “Security Six” safeguards, creating a written data security plan, educating yourself on phishing scams and recognizing the signs of data theft.
Rather than wait for an emergency, tax professionals should consider creating a data theft recovery plan in advance and make calling the IRS an immediate action item. Having an action plan can save valuable time and protect your clients and yourself. Should a tax professional experience a data compromise – whether by cybercriminals, theft or just an accident – there are certain basic steps to take. The IRS states in the release these include:
Contacting the IRS and Law Enforcement:
- Internal Revenue Service. Report client data theft to local IRS Stakeholder Liaisons, who will notify IRS Criminal Investigation and others within the agency on the tax professional’s behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names, helping your firm and your clients.
- Federal Bureau of Investigation, local office (if directed).
- Secret Service, local office (if directed).
Contacting States Where Tax Professionals Prepare State Returns:
- State revenue agencies. Any breach of personal information could have an effect on the victim’s tax accounts with the state revenue agencies as well as the IRS. To help tax professionals find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special email address as a contact point: StateAlert@taxadmin.org.
- State Attorneys General for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches, so this notification process may involve multiple offices in some locations.
- Security expert. They can help determine the cause and scope of the breach as well as stop the breach and prevent further breaches from occurring.
- Insurance company. Not only to report the breach, but to check if the insurance policy covers data breach mitigation expenses.
Contacting Clients and Other Services:
- Federal Trade Commission for guidance for businesses. For more individualized guidance, contact the FTC at firstname.lastname@example.org.
- Credit / identity theft protection agency. Certain states require offering credit monitoring and identity theft protection to victims of identity theft.
- Credit bureaus. Notifying them if there is a compromise and your clients may seek their services.
- Clients. At a minimum, send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. Clients should complete IRS Form 14039, Identity Theft Affidavit, but only if their e-filed return is rejected because of a duplicate Social Security number or they are instructed to do so.
- Remember: IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Again, preparers should use their local IRS Stakeholder Liaison to report data loss.
The objective of the “Taxes-Security-Together” Checklist is to ensure all tax professionals, whether a one-person shop or a major firm, understand the risk posed by national and international criminal syndicates, take the appropriate steps to protect their clients and business and understand the laws around their obligation to secure that data, the IRS added in the new release.
“The number of tax professionals reporting data thefts to the IRS remains too high, and it puts tens of thousands of taxpayers at risk for identity theft,” Rettig said in the news release. “We hope tax professionals will use the Summit checklist as a starting point, not an end point, to protect their client’s data — and themselves. It’s not only a good business practice, it’s the law.”
The ability to share information about emerging threats is critical to the ability to combat identity theft and refund fraud. Thieves are constantly creating new scams to trick tax professionals and taxpayers into divulging sensitive information, the IRS stated via the news release.