By Stephen F. Mankowski, CPA, CGMA
Like last year when COVID-19 struck, CPAs are again facing a tax filing season with a very strong likelihood of continued teleworking. We had to adapt quickly in March 2020, and more than a few practitioners were hacked.
Because our practices deal with personal identifying information (PII), we are required to have a written data security plan. We can use IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business, as a starting point. Publication 4557 provides a framework for creating a data security plan as well as the minimum required under National Institute of Standards and Technology standards. In addition, if you have not already done so, you should strongly consider a cybersecurity insurance policy. Cybersecurity was an issue in 2020 and will continue to be an issue in 2021.
Be proactive on cybersecurity within your firm. The Tax Professional Work Group of the IRS Security Summit issued a Taxes-Security-Together Checklist. Here are a few key security features for your consideration.
Deploy the “Security Six” Measures
- Activate antivirus software.
- Use a firewall.
- Opt for two-factor authentication when it is offered.
- Use backup software/services.
- Use drive encryption.
- Create and secure virtual private networks.
Create a Data Security Plan
- Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data.
- The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large.
- Tax professionals are asked to focus on key risk areas, including employee management and training, information systems, and detecting and managing system failures.
Educate Yourself and Be Alert to Email Scams
- Learn about spear phishing emails.
- Be on the lookout for ransomware threats within emails.
Recognize the Signs of Client Data Theft
- Do not dismiss IRS letters sent to clients about suspicious tax returns in their name.
- Be mindful of more tax returns filed with your practitioner Electronic Filing Identification Number than you submitted.
- Watch for clients receiving tax transcripts they did not request.
Create a Data Theft Recovery Plan
- Contact the local IRS stakeholder liaison immediately.
- Assist the IRS in protecting your clients’ accounts.
- Contract with a cybersecurity expert to help prevent and stop thefts.
In closing, I urge you to practice some basic cyberhygiene as part of good security habits. For instance, never continue to use default passwords, especially on your routers, virtual private networks, etc. These simple codes are often an easy pathway for hackers to enter your system. Also, set up guest networks in your offices and homes. Guest networks allow access to Wi-Fi while providing an additional firewall to prevent access to your data. Companywide and at home, make sure all software is running the latest version. Updates often include patches that fix bugs that could allow unwanted access to your systems. Finally – and I know I alluded to it above in the email scams section – be very careful when opening emails with attachments. This is especially important on mobile phones, where the sender's email address is often masked.
Stephen F. Mankowski, CPA, CGMA, is owner of Mankowski Associates CPA LLC in Hatboro. He can be reached at firstname.lastname@example.org.