How to Safeguard Taxpayer Data and Comply with IRS Publication 4557
Take simple, common-sense steps to keep your business and client information safe.
As an accounting or CPA firm, you are a prime target for fraud and targeted phishing. Criminals want the information and access your firm holds: they use it to file fraudulent returns, commit W-2 fraud, harvest bank account details, and resell stolen banking credentials.
The IRS has specific rules about handling and protecting taxpayer data, outlined in IRS Publication 4557, "Safeguarding Taxpayer Data." You need to take certain technical, procedural, and administrative precautions. The following is not exhaustive but should be considered fundamental.
Train Your People
Train staff in technology safety: scams, impersonation attempts, and targeted phishing emails are a near certainty for accounting and bookkeeping firms. Every employee should know what these look like and how to respond when confronted with one.
If you use a managed IT or other technology provider, ask them whether, and how, they are helping you meet each item in the technology section below. Cybersecurity has many moving parts, and a single misconfiguration or overlooked detail is often the root cause of a breach.
Configure Your Technology
Generally speaking, a firm should run a business-grade endpoint product: Microsoft Defender for Business (or Defender for Endpoint), or a third-party product such as SentinelOne. The smallest offices may rely on the Microsoft Defender antivirus built into Windows, or on Avast, provided it stays enabled and up to date.
Operating systems on computers and phones generally update themselves automatically, but application software such as QuickBooks does not: each update must be installed, and the application restarted, when it is released.
All online web accounts storing or processing sensitive information must use multi-factor authentication or two-step verification.
Online document sharing platforms like ShareFile or Box should also be configured securely. We’ve written about how these can be misused here and here.
All devices must use full-disk encryption, such as Windows BitLocker or macOS FileVault. Disk encryption protects data at rest on a lost or stolen device; the TLS that common email providers enable by default only protects messages in transit, so one does not replace the other.
All data should be backed up regularly and archived securely. Consider cloud storage plus a dedicated backup service such as Microsoft 365 Backup or Dropsuite, since a synced cloud folder faithfully replicates deletions and ransomware-encrypted files and is not a backup on its own.
Secure your wireless networks as well: use WPA2 or WPA3 with long, unique passwords.
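The technology items above are easy to state and easy to drift from. The following PowerShell script is an added example, not part of the original article or IRS Publication 4557, that spot-checks one Windows workstation against them: BitLocker protection on every volume, Defender enabled with fresh signatures, a recent Windows update, and saved Wi-Fi profiles that use WPA2 or WPA3. The 3-day signature age and 45-day patch window are this example's own thresholds, not IRS figures, and the Wi-Fi section assumes English-language netsh output.

```powershell
# Added example, not from the original article: spot-check one Windows workstation
# against the technology checklist. Run as Administrator on Windows 10/11; the
# BitLocker and Defender PowerShell modules ship with Windows. The 3-day signature
# age and 45-day patch window are this example's thresholds, not IRS figures.

$findings = @()

# 1. Disk encryption: every BitLocker-capable volume should report ProtectionStatus 'On'.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker is not protecting $($vol.MountPoint) " +
                     "(protection: $($vol.ProtectionStatus), volume: $($vol.VolumeStatus))"
    }
}

# 2. Antivirus: engine on, real-time protection on, signatures recent.
#    If a third-party product such as SentinelOne is the primary AV, Defender runs
#    in passive mode and this section should be adapted to that product's tooling.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled)          { $findings += 'Defender antivirus engine is disabled' }
if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
if ($mp.AntivirusSignatureAge -gt 3)    { $findings += "Defender signatures are $($mp.AntivirusSignatureAge) days old" }

# 3. Patching: the most recently installed Windows update should be under 45 days old.
$lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
             Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-45)) {
    $findings += "Last Windows update was installed on $($lastPatch.InstalledOn); check Windows Update"
}

# 4. Wi-Fi: saved profiles should authenticate with WPA2 or WPA3 (assumes English netsh output).
$profileNames = foreach ($line in (netsh wlan show profiles)) {
    if ($line -match '^\s*All User Profile\s*:\s*(.+)$') { $Matches[1].Trim() }
}
foreach ($name in $profileNames) {
    $authLine = (netsh wlan show profile "$name") -match '^\s*Authentication\s*:' | Select-Object -First 1
    if ($authLine -notmatch 'WPA2|WPA3') {
        $findings += "Wi-Fi profile '$name' is saved with: $($authLine.Trim())"
    }
}

if ($findings.Count -eq 0) { 'No gaps found against the technology checklist.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it on each workstation (or have your IT provider run it through their management tooling) and keep the output with your compliance records; a clean run is evidence that the controls were actually in place on a given date, which is what an auditor or the IRS will ask for.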
Create Sensible Processes
Require a second person to verify filing details and direct-deposit information, and any change to them, before they are submitted.
Securely wipe or physically destroy the hard drive when a device is retired or recycled.
Limit access to client information to those who need it, and configure view and edit permissions separately so that people who only need to read a file cannot change it.
Regularly review and audit your e-file and e-services applications and Preparer Tax Identification Number (PTIN) accounts to confirm that the number of returns filed under them matches what your firm actually filed. If it doesn't, contact the IRS.
Review, audit, and remove power of attorney or authorizations for old or inactive clients regularly. Deactivate unused Electronic Filing Identification Numbers (EFINs).
Regularly review audit logs of sensitive activities in critical platforms to identify fraud or malicious activity.
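For a firm running on Microsoft 365, one of the most valuable audit-log reviews is looking for mailbox rules that forward, redirect, or silently delete mail, since that is how a criminal who has phished a staff login typically hides their correspondence with the bank or the client. The following PowerShell script is an added example, not from the original article, and assumes the ExchangeOnlineManagement module is installed and the account running it holds a role that can read the unified audit log.

```powershell
# Added example, not from the original article: pull the Microsoft 365 unified audit
# log for the last 30 days and flag inbox rules or mailbox settings that forward,
# redirect, or delete mail, a common sign of a compromised account. Assumes the
# ExchangeOnlineManagement module is installed and the signed-in account can read
# the audit log; the 30-day window is this example's choice.
Connect-ExchangeOnline -ShowBanner:$false

$since  = (Get-Date).AddDays(-30)
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date) `
            -Operations New-InboxRule, Set-InboxRule, Set-Mailbox -ResultSize 5000

# Parameter names that move or hide mail; any of these on a rule or mailbox deserves a look.
$watch = @('ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo', 'DeleteMessage',
           'ForwardingSmtpAddress', 'ForwardingAddress')

foreach ($e in $events) {
    # AuditData is a JSON document; Parameters holds the cmdlet arguments as Name/Value pairs.
    $data   = $e.AuditData | ConvertFrom-Json
    $params = @{}
    foreach ($p in $data.Parameters) { $params[$p.Name] = $p.Value }

    $hits = $watch | Where-Object { $params.ContainsKey($_) }
    if ($hits) {
        [pscustomobject]@{
            When      = $e.CreationDate
            User      = $e.UserIds
            Operation = $e.Operations
            Flags     = ($hits | ForEach-Object { "$_=$($params[$_])" }) -join '; '
            ClientIP  = $data.ClientIP
        }
    }
}

Disconnect-ExchangeOnline -Confirm:$false
```

Every row this produces should be matched to a request the user actually made; an unexplained rule forwarding to an outside address, or a rule that deletes messages matching words like "invoice" or "wire", means the account should be treated as compromised and the breach-reporting steps below followed.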
Know how and to whom to report data breaches. Depending on the impact, you may need to contact
The IRS shares numerous scenarios that should give you or your clients pause.
Clients can’t file returns because they already have
Clients receive unexpected authentication letters from the IRS
Clients receive unexpected notices about their online account
You or clients receive unexpected email responses to messages you didn’t send
Write Down a Plan
Capture the training, technology, and process decisions above in a Written Information Security Plan (WISP), also called an information security policy. Publication 4557 treats this as a requirement, since the FTC Safeguards Rule requires tax preparers to have a written plan, and it gives the firm an official stance on safeguarding client information.