Whether it is tax season or not, cybercriminals always have their sights on one of their most lucrative targets, CPA and tax preparation firms, because these firms store, send, and receive Personally Identifiable Information (PII) for a living. The good news for their clients is that these firms are required, by law, to have a written data security plan in place. This requirement can and should be emulated by all organizations, not just tax professionals.

In this article, I will review what needs to be included in this plan and, perhaps more importantly, why this plan applies to all business types.

IRS Publication 4557

Initially published in 2019, IRS Publication 4557, otherwise known as the Safeguarding Taxpayer Data Guide, was released to raise awareness of cyber threats to CPA firms and to serve as a guide for tax return preparers who want high-level direction on how to start becoming compliant. The majority of the publication is centered on basic cyber best practices, including using security software, creating strong passwords, securing wireless networks, and recognizing phishing emails. The remainder of the guide addresses the FTC Safeguards Rule, which requires companies to develop a written information security plan. Here’s our podcast episode with more on the FTC Safeguards Rule and IRS requirements.

FTC Standards for Safeguarding Customer Information

The written information security plan is required to contain administrative, technical, and physical safeguards that are appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of any customer information at issue. As part of its plan, each company must:

  • Designate one or more qualified individuals to coordinate its information security program and report regularly to the governing body.
  • Base the plan on a written risk assessment that identifies and assesses the risks to customer information and evaluates the effectiveness of the current safeguards for controlling those risks. These risk assessments should be repeated periodically.
  • Design and implement a safeguards program to control the risks identified in the assessment, and regularly monitor and test it.
  • Select service providers that can regularly test or monitor the safeguards, and conduct periodic penetration testing and vulnerability assessments.
  • Implement policies and procedures to ensure that personnel are able to carry out the information security program, including, but not limited to, security awareness training, updates, and verification that key personnel stay abreast of changing infosec threats and countermeasures.
  • Oversee service providers to make sure they maintain the same safeguards for customer information.
  • Evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
  • Establish a written Incident Response Plan (IRP).

All Title IV institutions of higher education (those that process U.S. federal student aid) have to comply with these standards.

If you read on the internet that the FTC Safeguards Rule does not apply to a business that holds records on fewer than 5000 consumers, that is incorrect and misinformation. The FTC Safeguards Rule applies to most businesses regardless of the number of records they hold. The under-5000-consumer-records threshold only means that SOME of the safeguards do not apply, while the majority still do.

The deadline for educational institutions and others governed by the Safeguards Rule to comply with it was June 9, 2023.

Safeguards Rule expanded

In October 2021, in response to widespread data breaches and cyberattacks, the FTC expanded the Safeguards Rule to require non-banking institutions such as CPA firms, mortgage brokers, motor vehicle dealers, and payday lenders to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. One thing is clear: the FTC is aware of the current threat landscape and will continue to adjust its rules to address the risk. I believe this will eventually be expanded further to any industry that collects and stores any customer’s PII. The reality is that a cybercriminal is after PII, and they do not care who they target in order to obtain that data.

How this all applies to you

There are a few different pieces to take into consideration when it comes to IRS Publication 4557. For tax preparation firms, Publication 4557 also includes a Safeguards Rule checklist provided by the FTC. This checklist contains 50 items and will likely be overwhelming for the uninitiated to work through. CPA firms (and the other types of businesses outlined in the section above) can become compliant and make themselves safer by selecting an appropriate cybersecurity service provider, such as QPC Security, to address the Safeguards Rule.

If your business falls outside of the industries mentioned above, consider the implications of working with a CPA firm that is not following the FTC’s Safeguards Rule. Check out our podcast episode on best practices when working with tax preparers. If the CPA firm is not following the law, then what does that say about their overall business practices? Are you willing to risk your data, and potentially your business, by working with a firm that does not take your data privacy and security seriously?

And what about your own business? What security practices, plans, and protocols do you have in place to protect the privacy and security of your customers' data? Just as you would expect a bank or your CPA firm to protect your data, your customers have the same expectations of you. Get a written security plan in place. Go through the Safeguards Rule checklist. I guarantee that the checklist items apply to you and your business.

Combating today's cybercriminals requires everyone to work together. Every business plays a role in data security and should continue to assess, improve, and document its processes to keep client data safe. For more information on making your business cyber secure, call us today at 262-553-6510 or contact us here.