IRS Security Rules

By Sandra Johnson posted 10-14-2012 04:19 AM

  

In January the Nassau/Suffolk chapter MAP committee held a joint meeting with the NYSSCPA MAP committee to learn about IRS security rules. The highlight of the meeting was a conversation led by Robert Sick, CPA, who shared with us his experience with an IRS e-file monitoring visit.

The following outline of rules was given to us by IRS representative Linda Henson.

Managing Employees

  • Check references prior to hiring employees who will have access to customer information
  • Write a plan of how you will safeguard taxpayer information
  • Develop procedures for reporting suspicious attempts to obtain customer information
  • Train employees to take basic steps to maintain security, confidentiality and integrity of customer information
  • Develop policies on appropriate use of laptops, PDAs, cell phones or other mobile devices
  • Monitor, evaluate and adjust your security program as your business changes
  • Impose disciplinary measures

Physical Safeguards

  • Lock rooms and file cabinets
  • Store archived data securely
  • Promptly dispose of outdated customer information in a secure manner. The Federal Trade Commission (FTC) created a disposal rule. Check out the FTC website for the rule.
  • Shred printed customer information before throwing it in the trash
  • Erase all data when disposing of computers, diskettes, magnetic tapes, hard drives or any other electronic media
  • Securely dispose of information and hardware.  If you give hardware to charities, remove all data files.
  • Maintain a close inventory of your computers, so you know what employees have in their possessions

System Safeguards

  • Don’t leave computers unattended without enabling password-activated screensavers
  • Use strong passwords (at least 8 characters long)
  • Don’t use the same password for every system
  • Periodically change passwords and delete passwords after employees leave the organization
  • Secure passwords.  Do not post passwords on computers, bulletin boards or desks.
  • Encrypt sensitive customer information when it is transmitted electronically over networks or stored online. Store encrypted electronic customer information on a secure server or media accessible only with a password or other security protections and located in a secure area.
  • Maintain updated firewalls, anti-virus software, security patches, anti-spyware and anti-adware.

Security Breach

  • If you have a data security breach affecting the confidentiality, integrity or availability of taxpayer data or the ability of the taxpayer to prepare or file a return, report the incident.  An incident is a breach involving an unauthorized disclosure, misuse, modification or destruction of taxpayer data.  Notify local law enforcement immediately before you notify customers.  Local law enforcement can guide you on when and how to inform your customers.
  • Notify customers and other business partners promptly if their nonpublic personal information is subject to loss, damage or unauthorized access.  Follow instructions given by law enforcement and FTC.
  • Be sure to take corrective actions to prevent future breaches or vulnerabilities.

Visit www.irs.gov for documents, guidance and useful information about how to safeguard taxpayer information.  Publication 4557, Safeguarding Taxpayer Data, contains checklists of required steps to secure your office and systems, manage employees and avoid breaches.

Most of us have heard of the 21,000 IRS letters that went out to tax preparers regarding IRS e-file monitoring visits. If you receive one of these letters, contact your malpractice insurance carrier or attorney first. Be sure that your records are in order and your office and computer security measures are in place. Let NCCPAP know that you will be visited. We can put you in contact with other CPAs who have been visited so that you will know what to expect.
