Keeping client data secure: How's your cybersecurity immunity?

• Author: Odom, Michael T.

Not a single day goes by without an email or text tempting a tax practitioner to follow a link or respond in such a way that will allow a nefarious scammer to infiltrate the practitioner's computer, network, or cellphone. The author's standard operating procedure is to mark such an email as junk and immediately delete it without previewing, opening, or forwarding it. As the partner overseeing information technology and risk management, the author takes seriously the responsibility to educate staff regarding the importance of protecting client data and personally identifiable information.

In 2015, the IRS, state tax agencies, tax preparation firms, software developers, payroll and tax financial product processors, tax professional organizations, and financial institutions created the Security Summit to combat identity theft and protect taxpayers from refund fraud. The IRS and the Security Summit partners have for the last six years conducted awareness campaigns urging tax professionals to take actions to prevent data theft from their offices.

The 2021 campaign is titled "Boost Security Immunity: Fight Against Identity Theft." Per the IRS campaign webpage, data thefts reported by tax professionals to the IRS have continued to rise, from 124 in 2019, to 211 in 2020, and to 222 in 2021 as of June 30. Not only have these thefts affected taxpayers negatively, but they can also threaten a tax practitioner's business. Therefore, all practitioners need to take this issue seriously and be on the alert to identify any suspicious activity.

This year's campaign focuses on five things tax professionals can do to boost their security immunity.

Protect tax preparation and other software accounts

If you have not already done so, you should implement multifactor authentication immediately. Multifactor authentication provides greater security because it adds another layer of verification to access an account or computer, in addition to the username and password, such as sending a security code to a mobile phone, using a personal identification number (PIN), or using a biometric feature such as face recognition or a fingerprint (see IRS News Release IR-2021-155). Usernames can be stolen and passwords can be broken, but without the additional feature, a thief cannot access the account. Many who reported data theft to the IRS in 2020 indicated they did not use multifactor authentication, which could have prevented the data breach.

Tax software providers already offer multifactor authentication free, and most have already mandated its use with their tax preparation products, whether installed on an office computer or used in the cloud. But multifactor authentication is not just for tax preparation software. It should be used wherever available, such as when accessing web-based email accounts or client...