
According to the Internal Revenue Service (IRS)’s most recent statistics, more than 129 million tax returns filed in 2018 had been submitted through IRS e-file, roughly 88% of all returns filed to that point in the year. As cybercriminals have ramped up their attacks on accounting firms of all sizes, the IRS has stepped in with guidance on what Authorized IRS e-file Providers for individual tax returns must do to protect their clients’ data, keep their place in the program, and avoid sanctions. Those requirements are set out in IRS Publication 1345 (this article cites the revision dated January 1, 2010; the IRS revises the publication periodically). While the publication is not technically a regulation, following it is a condition of participation in IRS e-file, and it spells out the practices accounting firms and CPAs must follow when collecting taxpayer information online and submitting individual returns, alongside their obligations under the Gramm-Leach-Bliley Act (GLBA) and the FTC’s related data privacy rules, including the GLBA Safeguards Rule.

IRS Publication 1345 covers a wide array of topics relevant to e-file providers, including standards for electronic signatures, detecting fraudulent information, and verifying taxpayer identity. One of the first subjects it addresses, however, is data security. The publication sets out six security and privacy standards that apply to Online Providers, meaning e-file providers that collect taxpayer information through a website, and most of them concern how that website and the systems behind it are protected. An Online Provider must, for instance, present a valid and current Extended Validation (EV) SSL certificate on any site that collects sensitive tax data over the internet. The publication’s stated floor is SSL 3.0/TLS 1.0 or later with at least 128-bit AES and a 1024-bit RSA key. Treat that floor as a historical minimum rather than a target: SSL 3.0 and TLS 1.0 have since been formally deprecated (RFC 7568 and RFC 8996), 1024-bit RSA has been disallowed for federal signature use since 2013 under NIST SP 800-131A, and public CAs have not issued certificates with RSA keys shorter than 2048 bits for years. A current deployment should disable everything below TLS 1.2 and use RSA keys of at least 2048 bits (or an ECDSA equivalent), which satisfies the publication’s requirement with margin. In addition, providers must engage an independent, U.S.-based vendor to run weekly external vulnerability scans in accordance with the Payment Card Industry Data Security Standard (PCI DSS). The scans must cover every server, application and system that stores taxpayer data or is connected to a database holding it, and the scan reports must be retained for at least one year. Firms that rely on an outside partner to host taxpayer data should also confirm that the hosting provider is PCI DSS compliant and located in the United States.

Beyond these technical requirements, e-file participants that own or operate a website through which clients submit financial data must write and publish an information privacy and safeguard policy describing how they protect client data and comply with the applicable regulations. They must also designate a Responsible Official to oversee the organization’s compliance with the IRS e-file safeguard requirements, implement a challenge-response test (such as a CAPTCHA) and user authentication to curb bot and spam activity, and report data breaches and other security incidents to the IRS promptly. Firms that fail to follow the publication’s requirements risk expulsion from the IRS e-file program, preparer and civil penalties, or even lawsuits.

Fortunately, complying with IRS Publication 1345 does not require heavy investment in on-site servers or a dedicated in-house technical team. A managed cloud hosting platform that supports two-factor authentication, dedicated IP addresses, 256-bit AES encryption, NIST-aligned information handling procedures, and data centers whose TLS configuration earns an “A” rating from public SSL testing services can cover much of the ground, while saving roughly $3,966 a month compared with on-premises alternatives, by the vendor’s own estimate.

Contact us to see how Abacus Private Cloud can help you secure your clients’ e-file taxpayer data.