HSRDS Protections Mirror IRS Recommendations
Businesses and individuals that maintain, share, transmit, or store taxpayer data have a legal responsibility to have safeguards in place that protect client information. It is also essential to establish and maintain a data recovery plan in case of a breach or other unanticipated event.
The need for these safeguards has never been greater. Owing to the sensitive nature of client data held by tax professionals, cybercriminals increasingly are targeting the tax preparation community, using tactics that range from remote computer takeovers to phishing scams.
In response, the IRS expanded its “Protect Your Clients; Protect Yourself” public awareness campaign in July by issuing a guide – Publication 4557 – designed to help non-governmental businesses, organizations and individuals who handle taxpayer data to understand and meet their responsibility to safeguard client information.
The guide includes steps for establishing and maintaining safeguards, along with checklists, protocols for reporting incidents, a list of relevant laws and regulations, standards and best practices, and a glossary.
At HSRDS, we have always placed the highest premium on ensuring the security of all of our clients’ data. Our data protection infrastructure, strategy and protocols are state-of-the-art and reflect all IRS recommended steps and protocols.
The following are some of our key security procedures and protocols:
- Only authorized users have access to our tax software and data. That software is also secured by a secondary set of login credentials.
- Data stored in our document management system is kept in separate databases segmented by business unit, allowing only users from appropriate departments to access tax and accounting data.
- HSRDS maintains a document retention policy that follows IRS guidelines for how long taxpayer data should be kept. We utilize automated rules and processes to help us adhere to those policies.
- A secure portal is used to transfer sensitive information between us and our clients, ensuring that data is encrypted during the transfer.
- All firm laptops are encrypted. In the event a laptop is lost or stolen, data will remain secured and will be inaccessible to anyone who tries to gain access to it.
- Paper documents are put into secure shredding bins that are collected and shredded on a regular basis.
- All new hires receive a background check before being given access to any systems or data.
Critical protection steps that Publication 4557 recommends include:
- Assuring that taxpayer data, including data left on hardware and media, is never left unsecured
- Securely disposing of taxpayer information
- Requiring strong passwords (numbers, symbols, upper and lowercase) on all computers and tax software programs
- Requiring periodic password changes every 60-90 days
- Storing taxpayer data in secure systems and encrypting information when transmitting across networks
- Ensuring that email being sent or received that contains taxpayer data is encrypted and secure
- Making sure paper documents, computer disks, flash drives and other media are kept in a secure location and restricting access to authorized users only
- Using caution when allowing or granting remote access to internal networks containing sensitive data
- Terminating access to taxpayer information for anyone who is no longer employed by your business
- Creating security requirements for your entire staff regarding computer information systems, paper records and use of taxpayer data
- Providing periodic training to update staff members on any changes and ensuring compliance
- Protecting your facilities from unauthorized access and potential dangers
- Creating a plan on required steps to notify taxpayers should you be the victim of any data breach or theft
Additional considerations cited in Publication 4557:
- Complete a risk assessment to identify risk and potential impacts of unauthorized access
- Write and follow an Information Security plan
- Consider performing background checks and screen individuals before granting access to taxpayer information