According to the Internal Revenue Service's (IRS) most recent statistics, more than 129 million of the tax returns filed in 2018 were submitted through IRS e-file, roughly 88% of all returns filed so far this year. As cybercriminals have ramped up their efforts to target accounting firms of all sizes, the IRS has stepped in to offer guidance on what authorized e-file providers for individual tax returns must do to protect their clients' data, keep their membership in the program, and avoid sanctions. These steps are covered in IRS Publication 1345, which was released on January 1, 2010. While the publication is not technically a regulation, it outlines the practices that accounting firms and CPAs must follow when collecting taxpayer information online and submitting individual tax returns in compliance with the Gramm-Leach-Bliley Act (GLBA) and the relevant FTC data privacy regulations.
IRS Publication 1345 covers a wide array of topics relevant to e-file providers, including standards for processing electronic signatures, detecting fraudulent information, and implementing identity verification requirements. One of the first subjects the guide addresses, however, is data security. IRS Publication 1345 sets forth six data security standards that all IRS e-file providers are required to follow, many of which address user controls and the measures accountants and firms must take to protect sensitive taxpayer data at rest. IRS e-file providers, for instance, must use active and valid extended validation (EV) SSL certificates when collecting sensitive tax data from individuals over the internet. In doing so, they must use SSL 3.0/TLS 1.0 or later with at least 128-bit AES encryption and 1024-bit RSA encryption. In addition, providers are required to hire an outside, U.S.-based vendor to run weekly vulnerability scans that comply with the Payment Card Industry Data Security Standard (PCI DSS). The scans must cover all servers, applications, and systems that either directly store taxpayer data or are connected to databases that contain it, and the results must be kept on file for at least one year. Businesses that rely on outside partners to host their taxpayers' data should also ensure that those partners' systems are both PCI DSS compliant and located in the United States.
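The encryption floor stated above can be checked mechanically against what a server actually negotiates. The following is an added example, not code from the original article or from the IRS: it collects a session's protocol, cipher and key size (the key size is supplied by the caller, since the standard library does not expose it) and reports every way the session falls short of the stated minimums. The floor constants mirror the text; SSL 3.0, TLS 1.0 and TLS 1.1 are deprecated (RFC 7568, RFC 8996), so a real deployment should raise them.

```python
"""Evaluate a negotiated TLS session against the Publication 1345 floor
described in the text: SSL 3.0/TLS 1.0 or later, AES >= 128 bits, RSA >= 1024 bits."""
import socket
import ssl
from dataclasses import dataclass
from typing import List, Optional

# Floor as stated in the article. SSLv3/TLS 1.0/TLS 1.1 are deprecated
# (RFC 7568, RFC 8996); raise MIN_PROTOCOL to "TLSv1.2" for current policy.
MIN_PROTOCOL = "SSLv3"
MIN_AES_BITS = 128
MIN_RSA_BITS = 1024

# Protocol names as returned by ssl.SSLSocket.version(), weakest first.
PROTOCOL_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]


@dataclass
class SessionParams:
    protocol: str             # e.g. "TLSv1.3" (SSLSocket.version())
    cipher: str               # e.g. "TLS_AES_256_GCM_SHA384" (SSLSocket.cipher()[0])
    cipher_bits: int          # symmetric key bits (SSLSocket.cipher()[2])
    rsa_bits: Optional[int]   # server RSA key size, or None if unknown / not RSA


def evaluate(p: SessionParams) -> List[str]:
    """Return one finding per violated requirement; an empty list means compliant."""
    findings = []
    if p.protocol not in PROTOCOL_ORDER or \
            PROTOCOL_ORDER.index(p.protocol) < PROTOCOL_ORDER.index(MIN_PROTOCOL):
        findings.append(f"protocol {p.protocol} is below {MIN_PROTOCOL}")
    # Both TLS 1.3 names (TLS_AES_...) and OpenSSL names (...-AES128-...) contain "AES".
    if "AES" not in p.cipher.upper():
        findings.append(f"cipher {p.cipher} is not AES")
    elif p.cipher_bits < MIN_AES_BITS:
        findings.append(f"AES key {p.cipher_bits} bits is below {MIN_AES_BITS}")
    if p.rsa_bits is not None and p.rsa_bits < MIN_RSA_BITS:
        findings.append(f"RSA key {p.rsa_bits} bits is below {MIN_RSA_BITS}")
    return findings


def probe(host: str, port: int = 443, rsa_bits: Optional[int] = None) -> SessionParams:
    """Connect to host (needs network) and record the negotiated parameters.
    rsa_bits comes from the operator (e.g. a certificate inspection tool)."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            name, _, bits = tls.cipher()
            return SessionParams(tls.version(), name, bits, rsa_bits)
```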
Fortunately, complying with IRS Publication 1345 does not require a heavy investment in on-site servers or a dedicated in-house technical team. A managed cloud hosting platform that supports 2FA, dedicated IP addresses, 256-bit AES encryption, NIST-compliant information handling procedures, and SSL-A-rated data centers can help, while saving you roughly $3,966 monthly compared to on-premises alternatives.