The IRS and its Security Summit partners urge all professional tax preparers to review their data security protections and document them in writing. In fact, CPAs and other paid tax return preparers are required by law to have in place a written information security plan to protect client data. The Gramm-Leach-Bliley (GLB) Act of 1999, PL. 106-102, gives the Federal Trade Commission (FTC) authority to regulate information safeguard protocols for various types of businesses that are "significantly engaged" in providing financial products or services, which include professional tax preparers.
This "safeguards rule" requires companies to develop a written information security plan describing the company's policies and procedures for protecting customer information. The plan must be appropriate to the company's size, activities, and complexity and to the sensitivity of the customer information it collects and uses. The client records and information that CPA tax practitioners routinely collect and store is, of course, among those clients' most sensitive personal and business data. Tax preparation firms' plans must:
* Designate one or more employees to coordinate the firm's information security program;
* Identify and assess the risks to customer information in each relevant area of the firm's operation and evaluate the effectiveness of the current safeguards for controlling these risks;
* Design and implement a safeguards program and regularly monitor and test it;
* If a firm uses outside service providers that handle or have contact with client information, ensure that those providers can also maintain appropriate safeguards; and
* Evaluate and adjust the program in light of relevant circumstances, including changes in the firm's business or operations, or the results of security testing and monitoring.
The FTC notes that companies must consider unique risks arising from their business practices, including when their employees access or process customer information from outside the company's primary business locations or outside its computer networks. With the growing prevalence among tax firms of allowing return preparers to work on client tax returns remotely from home or other locations via a virtual private network connection or shared use of web access, tax firms offering this option should make sure their safeguards program and written security plan reflect this mode of operation.
For more details and tips on policies and practices for...