Every tax preparer needs a data security plan. That isn’t just my opinion. According to a July 2019 IRS announcement, “all ‘professional tax preparers’ must create a written data security plan.”
The IRS cites the Safeguards Rule of the Federal Trade Commission (FTC) as the authority behind this ultimatum.
However, that’s not the only incentive for compliance. The IRS also reveals that tax preparers need a data security plan to stay out of hot water as an Authorized IRS e-file Provider.
Bottom line: If you lack a documented data security plan, it’s time to make one.
Untangling Data Security Plan Compliance
If you’re a CPA or tax preparer, I know you’re already burdened with plenty of compliance requirements.
And when your expertise is in taxes, creating a data security plan probably has not been your primary concern. So I will help you untangle an important section of the FTC’s Safeguards Rule. And I’ll explain what to include when writing out your plan.
This article isn’t meant to be an exhaustive resource on the topic (or legal advice—I’m not a lawyer). However, you should come away with greater clarity on complying with the IRS and the FTC.
To help us navigate the Safeguards Rule, we’re going to cover 16 CFR 314.4 from the Electronic Code of Federal Regulations (e-CFR), because the IRS references this part of the Safeguards Rule when describing what your plan should include.
In this section, the FTC provides five key “elements” for compliance, which we’re going to look at in order below.
Important Note: The Safeguards Rule uses the phrase “information security program.” However, if you look at the IRS publication, the IRS appears to prefer the term “data security plan.” For this article, I’ll be using the IRS’s terminology.
1. The Safeguards Rule Requires Employee Involvement
The first “element” that the Safeguards Rule stipulates for your firm is employee involvement. In a nutshell, the FTC wants at least one employee to be responsible for your data security plan.
When you’re drafting your data security plan, explain which staff member will provide oversight. I’d name the employee who has the greatest responsibility for your IT infrastructure or data assets.
2. The Safeguards Rule Requires an Inventory of Risks and an Assessment of Your Protections
The second requirement for your data security plan has two main parts.
First, the FTC wants you to identify risks that could harm your clients’ information.
The FTC actually makes pinpointing your risks easy by giving three areas in your business where you’ll see threats. I’ve summarized these below:
- Your employees
- Your IT infrastructure
- Your technology and cybersecurity protections
Second, the FTC wants you to evaluate how well your safeguards (e.g., firewalls and data encryption) address those risks.
As you write out your plan, create headings for those three areas I’ve listed above. Write down your risks, the safeguards you have, and any evidence you can provide that these safeguards are doing their job.
3. The Safeguards Rule Requires Monitored Protections
The next stipulation from the FTC’s Safeguards Rule is pretty straightforward.
In a nutshell, the FTC wants safeguards for your data security risks that are monitored for their performance.
In light of this, ensure your data security plan documents cybersecurity protections. You should also detail how your business (or your IT company) keeps tabs on firewalls, backups, and other cybersecurity measures.
4. The Safeguards Rule Requires Oversight of Vendors
If you’re a CPA firm, you depend on qualified vendors to run your business. In a single day, you might work in QuickBooks Online, ask your IT company for help, or share documents in OneDrive.
Not surprisingly, the next section of the FTC’s Safeguards Rule is about service providers.
Here’s the deal.
The FTC doesn’t want you to use just any vendor. The Safeguards Rule is clear that you should work with companies that uphold your commitment to your clients. The FTC also wants you to have contracts with vendors that guarantee this commitment.
In your data security plan, be sure to answer the following questions (these are based on the FTC’s Safeguards Rule):
- Why did you choose the vendor? Explain how you found the vendor. Prove that you’ve done your homework.
- Why are you continuing with the vendor? Explain why the company in question continues to be a qualified vendor. If you occasionally audit your vendors, that’s a fact worth mentioning.
- Why do you believe the vendor can safeguard your data? Give evidence that your vendors treat your information with the utmost care.
- Why can you trust your vendor? In your plan, offer proof that your contracts ensure data security. You might create an appendix that documents your service agreements.
5. The Safeguards Rule Requires Adaptation (As Needed)
Cybercrime doesn’t stand still.
The bad guys will continue to devise new schemes to steal information for their own benefit. The final requirement that we’re covering is about responding to changing data security needs.
Basically, the FTC wants you to adjust your data security plan as you get new information.
Based on the FTC’s guidelines, here are some examples of when you should review your plan:
- You’ve hired two new employees who work off premises. You probably need a way for these employees to securely access your network (think serverless networking). And implementing this might involve rewriting your data security plan accordingly.
- Your state passes a new cybersecurity law. Let’s say a wave of data breaches hits small businesses. In the aftermath of the cyberattacks, you might revise your plan’s risk inventory.
- Your IT provider tests a backup and discovers that your backup software has a glitch. At this point, you might need to find a new backup provider and update your plan’s vendor information.
As you write your data security plan, I’d list out various circumstances (including those given by the FTC) under which you will reevaluate your plan. You might also want to explain your process for evaluating any updates to your plan.
Getting Started on Your Data Security Plan
If you don’t have a data security plan, now is the time to get started—especially before tax season begins to crank up.
Don’t forget that the IRS is watching. According to Revenue Procedure 2007-40…
The Service will monitor Authorized IRS e-file Providers for compliance with the rules governing IRS e-file.
And breaking these IRS requirements has consequences. Here’s what the Procedure says about ignoring the Safeguards Rule…
Violation of the provisions of the Gramm-Leach-Bliley Act and the implementing rules and regulations promulgated by the Federal Trade Commission…are considered violations of this revenue procedure and may subject an Authorized IRS e-file Provider to penalties…or sanctions.
The IRS cares about your data security.
The FTC cares about your data security.
So should you.
For more information on Proactive IT’s assistance with IT compliance, go here. You can also call our office at 704-464-3075 if you have questions about protecting sensitive information.
About Steve Kennen
As an expert in information technology infrastructure management, cybersecurity, and cyber risk management practices for small businesses, Steve spearheads initiatives that keep his clients secure and their business operations running smoothly. His core message is that the details matter.