As the tax return filing process becomes increasingly digitized, accounting firms and CPAs are under constant pressure to update their practices to ensure that they are taking appropriate steps to protect their data from inadvertent disclosure or costly data breaches. Regardless of your firm’s size, you’ll need to have the right protections in place to not only protect clients’ data from being compromised, but also to avoid Federal Trade Commission sanctions under the FTC Safeguards Rule, which requires companies substantially engaged in selling financial products and services to use encryption and other critical measures to protect their business data.
In response to these concerns, the U.S. Internal Revenue Service (IRS) released IRS Publication 4557 to guide accountants and tax professionals on what best practices they should follow to protect their clients’ taxpayer data. While IRS Publication 4557 is not a regulation, it offers detailed guidance on what CPAs should do to properly address their internal data security procedures and adapt to emerging cybersecurity threats. Some of the steps that the publication specifically recommends include:
- Installing Security Software – The IRS specifically suggests using antivirus, firewall, and anti-spyware security software to monitor and protect your systems from potential cyberattacks. Drive encryption—which protects your computer or device data from unauthorized users through passwords or biometric data—should also be enabled.
- Incorporating Strong Passwords – Accountants are encouraged to use unique passwords of at least eight characters that combine numbers, symbols, and special characters to mitigate data breach risks. Passwords based on e-mail addresses, common phrases, or birth dates, manufacturer-issued default passwords, and passwords previously used with your devices and accounts should all be avoided. Multifactor authentication and a secure password manager should also be implemented as an added layer of protection.
- Securing Your Internal Networks – In addition to devices, networks and network routers can also be manipulated to pilfer sensitive data. Firms can reduce this risk by changing their router administrative passwords from the defaults and using WPA2 with AES encryption for connections to other devices and the Internet. The publication also suggests limiting your router’s wireless signal range to reduce the number of individuals who could try logging on to your network, and not referencing your business in your wireless network’s name.
- Using Top-Flight Data Protection Safeguards – Naturally, the IRS also wants accounting firms and e-file providers to implement key safeguards to ward off fraudulent tax return filings and other criminal activity. Restricting internet connections to devices and systems containing taxpayer data, deleting sensitive data from devices prior to disposal, and physically destroying any computers and systems used to store taxpayer information before they leave your control can help with this.
Firms are also advised to watch out for phishing emails, monitor usage of their EFIN and PTIN numbers, and report data breaches and losses to relevant federal and state authorities. Accountants can also refer to the IRS’ FTC Safeguards Rule checklist for additional requirements relating to employee training and management, IT security, and systems failure monitoring.
Fortunately, you don’t need to substantially revamp your on-site IT infrastructure to ensure compliance. IRS Publication 4557 specifically recommends encrypted cloud storage for securely backing up taxpayer data. Abacus Private Cloud allows you to leverage three layers of physical, server, and data security to protect your taxpayers’ information—all while saving you $3,996 monthly compared to on-premises alternatives.