NEW MANDATORY WISP PER IRS LAW

WISP

The Law

The Gramm-Leach-Bliley Act (GLBA) is a U.S. law that requires financial institutions to protect customer data. In its implementation of the GLBA, the Federal Trade Commission (FTC) issued the Safeguards Rule to outline measures that are required to be in place to keep customer data safe. One requirement of the Safeguards Rule is implementing a WISP. Under the GLBA, tax and accounting professionals are considered financial institutions, regardless of size. Financial institutions subject to the Safeguards Rule include mortgage brokers, real estate appraisers, universities, nonbank lenders, and check cashing businesses. As a part of the plan, the FTC requires each firm to:

Requirements

·???????? Designate one or more employees to coordinate its information security program

·???????? Identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks

·???????? Design and implement a safeguards program, and regularly monitor and test it

·???????? Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information

·???????? Evaluate and adjust the program considering relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring

**IRS Publication 4557 Safeguarding Tax Payer Data

According to the FTC Safeguards Rule, tax return preparers must create and enact written information security plans to protect client data. Failure to do so may result in an FTC investigation.

Online providers also must follow the six security and privacy standards in Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns

Not taking necessary steps to implement or correct your security program may result in sanctions from the FTC. Failures that lead to an unauthorized disclosure may subject you to penalties under sections 7216 and/ or 6713 of the Internal Revenue Code (I.R.C.).

Providers with problems involving fraud and abuse may be suspended or expelled from participation in IRS e-file, be assessed preparer and other civil penalties or be subject to legal action.

Protect Your Clients; Protect Yourself

Take Basic Security Steps

Review internal controls:

?

? Install anti-malware/anti-virus security software on all devices (laptops, desktops, routers, tablets and phones) and keep software set to automatically update.

? Use strong passwords of eight or more characters, use different passwords for each account, use special and alphanumeric characters, use phrases, password protect wireless devices and use a password manager program.

? Encrypt all sensitive files/emails, especially those with the taxpayer’s personally identifiable information, and use strong password protections.

? Back up sensitive data to a safe and secure external source not connected fulltime to a network.

? Make a final review of return information – especially direct deposit information - prior to e-filing.

? Wipe clean or destroy old computer hard drives and printers that contain sensitive data.

? Limit access to taxpayer data to individuals who need to know.

? Check e-File Applications and PTIN accounts weekly for total returns filed using EFINs and PTINs; deactivate unused EFINs.

? Withdraw from any outstanding authorizations (power of attorney/ tax information) for taxpayers who no longer are clients.

? Report any suspected data theft or data loss immediately to the appropriate IRS Stakeholder Liaison.

? Stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.

? Educate clients about the availability of the Identity Protection PIN for taxpayers

?

How do I send my tax documents securely?

Never send information that you want to keep private as plain text in the body of your email message.

?

1. Use an Encrypted Email Service. While leading email providers like Gmail and Yahoo claim to secure their emails, they are also notorious for mishandling data. ...
2. Encrypt Your Email. ...
3. Encrypt Email Attachments. ...
4. Password Protect the File. ...
5. Use an Online Fax Service.

Here are some ways to encrypt an email:?

·???????? Microsoft Outlook

1.????? Compose your message

2.????? Click File > Properties

3.????? Click Security Settings

4.????? Select the Encrypt message contents and attachments check box

5.????? Compose your message, and then click Send

6.????? To send a password protected email, look to the “Options” section, and find the “Permission” dropdown

7.????? Choose Encrypt-Only or Sign and Encrypt from the permission menu

·???????? Gmail

1.????? Select the Accounts tab

2.????? Next to Send mail as, select Edit info

3.????? The Edit email address and encryption settings window appears

4.????? To password protect an email, use the “Confidential Mode” feature

?

Use Security Software

A fundamental step to data security is the installation and use of security software on your computers. Here are the various types of security software you need and their purpose:

?

? Anti-virus – prevents bad software, such as malware, from causing damage to a computer.

? Anti-spyware – prevents unauthorized software from stealing information that is on a computer or processed through the system.

? Firewall – blocks unwanted connections.

? Drive Encryption – protects information from being read on computers, tablets, laptops and smart phones if they are lost, stolen or improperly discarded.

?

Create Strong Passwords

It is critical that all tax practitioners establish strong, unique passwords for all accounts, whether it’s to access a device, tax software products, cloud storage, wireless networks or encryption technology.

?

Here’s how to get started:

·???????? Use a minimum of eight characters; consider minimum of 16 characters for an administrator’s password.

·???????? Use a combination of letters, numbers and symbols, i.e., ABC, 123, !@#.

·???????? Avoid personal information or common passwords; opt for phrases.

·???????? Change default/temporary passwords that come with accounts or devices, including printers.

·???????? Do not reuse passwords, e.g., changing Bgood!17 to Bgood!18 is not good enough;

·???????? Use unique usernames and passwords for accounts and devices.

·???????? Do not use your email address as your username if that is an option.

·???????? Do not disclose your passwords to anyone for any reason;

?

Do not overlook a critical step to protecting accounts:

Multi-factor authentication.

·????????? This simple feature can protect your accounts even if your username and password are stolen.

?

Reporting of Security Incidents

?Authorized IRS e-file Providers of individual income tax returns must report security incidents to the IRS as soon as possible but not later than the next business day after confirmation of the incident. For the purposes of this standard, an event that can result in an unauthorized disclosure, misuse, modification, or destruction of taxpayer information (e.g., breach) must be considered a reportable security incident.

Contacting the IRS and law enforcement:

• Internal Revenue Service, report client data theft to your local stakeholder liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
• Federal Bureau of Investigation, your local office.
• Secret Service, your local office (if directed).
• Local police – To file a police report on the data breach.

Contacting states in which you prepare state returns:

• Any breach of personal information could have an effect on the victim's tax accounts with the states as well as the IRS. Get information on how to report victim information to state tax agencies. Visit the Federation of Tax Administrators "Report a Data Breach" to find state contact information.
• State Attorneys General?for each state in which you prepare returns.? Most states require that the attorney general be notified of data breaches.? This notification process may involve multiple offices.

Contacting clients and other services:

• Clients – Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. (Clients should complete IRS Form 14039, Identity Theft Affidavit, only if they receive a notice/letter from the IRS or their e-filed return is rejected because of a duplicate Social Security number.)

• Federal Trade Commission If you would like more individualized guidance, you may contact the FTC at?[email protected]
• Credit / ID theft protection agency- certain states require offering credit monitoring / ID theft protection to victims of ID theft.
• Credit bureaus – to notify them if there is a compromise and clients may seek their services. Equifax Credit Information Services - Consumer Fraud Division P.O. Box 105496 Atlanta, Georgia 30348-5496 Tel: (800) 997-2493 www.equifax.com Experian P.O. Box 2104 Allen, Texas 75013-2104 Tel: (888) EXPERIAN (397-3742) www.experian.com Trans Union Fraud Victim Assistance Dept. P.O. Box 390 Springfield, PA 19064-0390 Tel: (800) 680-7289 www.transunion.com

Secure Wireless Networks

? Change default administrative password of your wireless router; use a strong, unique password.

? Reduce the power (wireless range) so you are not broadcasting further than you need. Log into your router to WLAN settings, advanced settings and look for Transmit (TX) power. The lower the number the lower the power.

? Change the name of your router (Service Set Identifier - SSID) to something that is not personally identifying (i.e., BobsTaxService), and disable the SSID broadcast so that it cannot be seen by those who have no need to use your network.

? Use Wi-Fi Protected Access 3 (WPA-3).

? Do not use Wired-Equivalent Privacy (WEP) to connect your computers to the router; WEP is not considered secure.

? Do not use a public wi-fi (for example, at a coffee café or airport) to access business email or sensitive documents

·???????? Use of multi-factor authentication (discussed earlier) and a secure Virtual Private Network (VPN) should be minimum standards for remote access to the firm’s office network.

·???????? A VPN provides a secure, encrypted tunnel to transmit data between a teleworking employee and the company network.

?

Protect Stored Client Data

? Backup encrypted copies of client data to external hard drives (USBs, CDs, DVDs) or use cloud storage; keep external drives in a secure location; encrypt data before uploading to the cloud. This is your best protection against ransomware attacks.

? Use drive encryption to lock files and all devices; encrypted files require a password to open

·???????? Delete all information from devices, hard drives, USBs (flash drives), printers, tablets or phones before disposing of devices; some security software include a “shredder” that electronically destroys stored files

·???????? Physically destroy hard drives, tapes, USBs, CDs, tablets or phones by crushing, shredding or burning; shred or burn all documents containing taxpayer information before throwing away.

?

Spot Data Theft

Here are some common clues to data theft:

? Client e-filed tax returns begin to reject because returns with their Social Security numbers were already filed.

? Clients who haven’t filed tax returns begin to receive authentication letters (5071C, 4883C, 5747C) from the IRS.

? Clients who haven’t filed tax returns receive refunds.

? Clients receive tax transcripts they did not request.

? Clients who created an IRS online services account receive an IRS notice that their account was accessed or

·???????? IRS emails stating their account has been disabled; or,

·???????? clients receive an IRS notice that an IRS online account was created in their names.

? Network computers running slower than normal or computers turning themselves on

?

Monitor PTINs

For PTIN totals:

? Access your online PTIN account;

? Select “View Returns Filed Per PTIN;”

? Complete Form 14157, Complaint: Tax Return Preparer, to report excessive use or misuse of PTIN.

?

If you have a Centralized Authorization File (CAF) number, make sure you keep your authorizations up to date.

·???????? Remove authorizations for taxpayers who are no longer your clients.

·?????? (See “Withdrawal of Representation” in Publication 947, Practice Before the IRS and Power of Attorney

?

?

Be Safe on the Internet

? Keep your web browser software up to date so that it has the latest security features.

? Scan files using your security software before downloading to your computer.

? Delete web browser cache, temporary internet files, cookies and browsing history on a regular schedule.

? Look for the “S” in “HTTPS” connections for Uniform Resource Locator (URL) web addresses. The “S” stands for secure, e.g., https://www.irs.gov.

? Avoid accessing business emails or information from public wi-fi connections.

? Disable stored password feature offered by some operating systems.

? Enable your browser’s pop-up blocker. Do not call any number from SAFEGUARDING TAXPAYER DATA 11 pop-ups claiming your computer has a virus or click on tools claiming to delete viruses.

? Do not download files, software or applications from unknown websites.

? Note if your browser homepage changes; it could be a sign of malware or an intrusion. Review your last downloads and browser settings, check to see if you have anything new in your toolbar

?

Recognize Phishing Scams

·???????? The thief may pose as your tax software provider, your data storage provider, the IRS or even a prospective client. The thief may pose as your bank or as a professional colleague whose email was compromised. See Don’t Take the Bait.

? Generally, phishing or spear phishing emails have an urgent subject line. Example: Update Your Account Now. The objective is to entice you to open a link or an attachment.

? Link: The link may take you to a fake web page designed to look like a familiar website. Example: IRS e-Services. Again, there will be a call to action, such as “Click here NOW.” You may be asked to enter your username and password for an account, but you actually are disclosing your credentials to thieves

·???????? Install an anti-phishing tool bar to help identify known phishing sites. Anti-phishing tools may be included in security software products.

? Use security software to help protect systems from malware and scan emails for viruses.

? Never open or download attachments from unknown senders, including potential clients; make contact first by phone, for example.

? Send only password-protected and encrypted documents if you must share files with clients via email or use Secure File Transfer Protocol (SFTP) to transmit files instead of email.

? Do not respond to suspicious or unknown emails; if IRS-related, forward to [email protected].

?

Checklist for Creating Plan

Management and Training

·???????? Check references or doing background checks before hiring employees who will have access to customer information

·???????? Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.

·???????? Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.

·???????? Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.) (IRS suggestion: passwords should be a minimum of eight characters, the NIST standard.

·???????? Use password-activated screen savers to lock employee computers after a period of inactivity

·???????? Develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices. For example, make sure employees store these devices in a secure place when not in use. Also, consider that customer information in encrypted files will be better protected in case of theft of such a device

·???????? maintain the security, confidentiality, and integrity of customer information, including Locking rooms and file cabinets where records are kept;

????????? Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and

·???????? Impose disciplinary measures for security policy violations.

·???????? Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures. (IRS Suggestion: Deactivate access prior to termination.)

·???????? Store records in a room or cabinet that is locked when unattended.

????????? When customer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically secure area. (IRS Suggestion: If using a cloud storage service, use a strong password, multi-factor authentication options and beware of thieves posing as providers.)

·???????? When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit. (IRS Suggestion: Transport Layer Security 1.3 is newer and more secure.)

????????? Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.

·???????? Monitor the websites of your software vendors and read relevant industry publications for news about emerging threats and available defenses.

???????? monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and

Filing Season Start Dates:

Business tax returns: January 12, 2023

Individual tax returns: January 23, 2023

?