Gregory J. Cook, EA, CPA
October 18, 2016
If you handle taxpayer information you may be subject to the Gramm-Leach-Bliley Act (GLB Act) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rules. Whether or not you are subject to the GLB Act and the FTC Rules, you could benefit from implementing the general processes and best practices outlined in the FTC information privacy and safeguards guidelines.
Financial institutions as defined by FTC include professional tax preparers, data processors, their affiliates and service providers who are significantly engaged in providing financial products or services. They must take the following steps to protect taxpayer information. Other businesses, organizations and individuals handling taxpayer information should also follow these steps because they represent best practices for all.
Take responsibility, or assign an individual or individuals to be responsible, for safeguards;
Assess the risks to taxpayer information in your office, including your operations, physical environment, computer systems and employees;
Make a list of all the locations where you keep taxpayer information (computers, filing cabinets, bags and boxes taxpayers may bring you);
Write a plan for how you will safeguard taxpayer information, and put appropriate safeguards in place;
Use only service providers who have policies in place to maintain an adequate level of information protection; and
Monitor, evaluate and adjust your security program as your business or circumstances change.
The FTC has fact sheets and guidelines on privacy and safeguards for businesses on their website. In addition, you may seek outside professional help to assess your information security needs.
To safeguard taxpayer information, you must determine the appropriate security controls for your environment based on the size, complexity, nature and scope of your activities. Security controls are the management, operational and technical safeguards you use to protect the confidentiality, integrity and availability of your customers’ information.
Security is a 24/7 proposition. Here, I'm checking on the office from home during a brief power outage. We had zero downtime.
Six examples of Cook & Co. security controls:
1) Auto-locking doors that restrict physical access to our computer servers.
2) Requiring passwords to restrict virtual access to server files, which are only accessible from within the building.
3) Encrypting electronically stored data.
4) Keeping multiple, secured backups of data.
5) Shredding paper after it is scanned.
6) Encrypting all email.
Authorized IRS e-file providers that act as online providers must follow these six security, privacy and business standards to better serve taxpayers and protect the individual income tax information they collect, process and store.
All authorized IRS e-file providers who own or operate a website through which taxpayer information is collected, transmitted, processed or stored must register their uniform resource locator (URL).
For additional examples of security controls, see the National Institute of Standards and Technology (NIST) SP 800-53 publication listed on Wikipedia here, with a link to the 463-page document.
Greg Cook is an Enrolled Agent, licensed by the U.S. Treasury Department to represent taxpayers before all administrative levels of the Internal Revenue Service (IRS). He is also a Certified Public Accountant licensed by the states of Alabama and Tennessee.