All tax professionals should be aware that they, too, are targets of cybercriminals seeking access to client data in order to file fraudulent tax returns for refunds. Are you prepared? Protect your clients and protect yourself by taking a few critical steps. The IRS recommends tax professionals use Publication 4557, Safeguarding Taxpayer Data PDF, as a guide for conducting a review of your current security measures and to create or update your security plan. It is critical you assess your current security precautions and address any weaknesses. The IRS also recommends tax professionals create a Written Information Security Plan or WISP to outline the steps you would take in the event of a data theft. The plan PDF was a collaborative effort between the IRS, software and tax professionals to aide in documenting necessary actions in the event of a data breach, this will save valuable time should the worst occur. The “Protect Your Clients; Protect Yourself” campaign to raise awareness among tax professionals is an initiative of the Security Summit, a joint project by the IRS, states and the tax community to combat identity theft. Because of the sensitive client data held by tax professionals, cybercriminals increasingly are targeting the tax preparation community. All tax professionals must take appropriate steps to protect their clients’ data and protect their businesses. Important: Always use robust security software for all computers and devices, and routinely perform deep scans often to identify any malware/virus infections. Use strong password to access computers and client files. Learn to recognize and avoid phishing email schemes. Should you experience a data compromise – whether by cybercriminals, theft or accident – there are certain basic steps you should take. For a comprehensive list of security actions, consult a security professional. Preliminary steps include: Contacting the IRS and law enforcement: Internal Revenue Service, report client data theft to your local IRS stakeholder liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns from being filed using your clients’ personal information. Federal Bureau of Investigation, your local office. Secret Service, your local office (if directed). Local police – To file a police report on the data breach. File a report with the FTC if you have 500 or more people that have been affected. Contacting states in which you prepare state returns: Any breach of personal information could have an effect on the victim's tax accounts with the states as well as the IRS. Get information on how to report a data breach to state tax agencies. Visit the Federation of Tax Administrators Report a Data Breach to find state contact information. Determine if you need to contact the state attorney general for each state in which you prepare returns. Most states require that the attorney general be notified of data breaches. This notification process may involve multiple offices. Contacting experts: Security expert – to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring. Insurance company – to report the breach and to check if your insurance policy covers data breach mitigation expenses. Contacting clients and other services: Federal Trade Commission If you would like more individualized guidance, you may contact the FTC at idt-brt@ftc.gov. Credit/ID theft protection agency – certain states require offering credit monitoring/ID theft protection to victims of ID theft. Credit bureaus – to notify them if there is a compromise and clients may seek their services. Equifax Credit Information Services - Consumer Fraud Division P.O. Box 105496 Atlanta, Georgia 30348-5496 Tel: 800-997-2493 www.equifax.com Experian P.O. Box 2104 Allen, Texas 75013-2104 Tel: 888-EXPERIAN (888-397-3742) www.experian.com Trans Union Fraud Victim Assistance Dept. P.O. Box 390 Springfield, PA 19064-0390 Tel: 800-680-7289 www.transunion.com Clients – Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing. (Clients should complete IRS Form 14039, Identity Theft Affidavit, only if they receive a notice/letter from the IRS or their e-filed return is rejected because of a duplicate Social Security number.) IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Preparers and representatives should use their local IRS stakeholder liaison to report tax-related identity theft. Other resources: Publication 4557, Safeguarding Taxpayer Data PDF Publication 5293, Data Security Resource Guide for Tax Professionals PDF Security Summit Identity theft information for tax preparers Identity Theft Central Taxpayers and Tax Pros: Beware of these common tax scams Security Summit urges tax pros to watch out for identity theft red flags What to do after a tax professional data compromise Transcript