1. PROTECTING TAX PAYER DATA
From the Perspective of the Tax Preparer.
[Safeguarding taxpayer data] is the legal responsibility of … individuals that receive, maintain, share,
transmit, or store taxpayer’s personal information. – IRS Pub 4557
Applicable Law and Regulations
GLBA (1999) Federal/Privacy and Security of personal banking information.
FTC Safeguards Rule Ensure security of customer records and information.
Financial Privacy Rule Requires Privacy Notices for how information is used.
IRS Procedure 2007-40 Requires e-file providers to have security systems in place to prevent unauthorized access to taxpayer
accounts and personal info.
General Security and Privacy Requirements
CREATE A SECURITY PLAN. List responsibilities and security controls
in each of the following areas:
• Physical environment (office, file cabinets, shredding)
• Operations (information flow, storage, transmission,
information requests)
• Systems (WiFi, router, shared network devices,
workstation, laptop)
• Outsourced Services (IT, storage, courier)
TEST CONTROLS ANNUALLY. Self assess the adequacy of controls.
• Use internet scanning services (e.g., Qualys FreeScan,
SecureCheq, Nexpose Community Edition).
• Review security plan for currency and adequacy
• Perform physical inspection
CREATE AND DISTRIBUTE REQUIRED DOCUMENTS. The following
documents are required
• Annual privacy notices (required by FTC privacy rule.
• Service contracts (ensure they require safeguards of your
customer data).
• Acceptable Use Policy (Required and prohibited behaviors
on IT resources)
• Create a contingency plan
ENSURE PHYSICAL SECURITY. Review the following controls:
• Secure all desks, photocopiers, mailboxes, trash cans,
and rooms with personal data stored.
• Remove taxpayer data from all media (e.g., thumb drives,
hard drives) prior to release or disposal.
• Authorize release of information
• Lock doors, cabinets, and drawers.
Getting Started
! Assess risks. Consider physical, operations, systems, and outsourced services.
! Create safeguard plan. List controls in each of the areas above.
! Carefully review outsourced services
! Revisit program annually.
dlandoll@lantego.com
(512) 633-8405
www.lantego.com
Experts Only
LOCKDOWN INFORMATION SYSTEM SECURITY. Ensure the following
controls in IT:
• Ensure authorized access only based on need-to-
know. (What passwords does your IT provider have?)
• Work with IT provider to create a contingency plan
(with annual testing).
• Backup files and systems. Regularly.
• Maintain system and application patches.
• Unique identifiers and strong authentication.
Password minimum strength and changes. Consider
2FA.
• Disable inactive accounts.
• Implement network security (firewall, network
segmentation, IDS)
• Encrypt transmissions (email and network
applications)
ANNUALLY CERTIFY YOUR SYSTEMS. Determine and accept risks
annually.
• Perform self-assessment.
• Determine risks.
• Mitigate or accept risks
• Document annual certification for use.
APPROPRIATELY REPORT INCIDENTS. Be prepared to report
incidents as required.
• Create incident response plan (identify incidents,
reporting requirements, responsible parties, and
reporting formats).
• See IRS Pub 5199
![PROTECTING TAX PAYER DATA
From the Perspective of the Tax Preparer.
[Safeguarding taxpayer data] is the legal responsibility of … individuals that receive, maintain, share,
transmit, or store taxpayer’s personal information. – IRS Pub 4557
Applicable Law and Regulations
GLBA (1999) Federal/Privacy and Security of personal banking information.
FTC Safeguards Rule Ensure security of customer records and information.
Financial Privacy Rule Requires Privacy Notices for how information is used.
IRS Procedure 2007-40 Requires e-file providers to have security systems in place to prevent unauthorized access to taxpayer
accounts and personal info.
General Security and Privacy Requirements
CREATE A SECURITY PLAN. List responsibilities and security controls
in each of the following areas:
• Physical environment (office, file cabinets, shredding)
• Operations (information flow, storage, transmission,
information requests)
• Systems (WiFi, router, shared network devices,
workstation, laptop)
• Outsourced Services (IT, storage, courier)
TEST CONTROLS ANNUALLY. Self assess the adequacy of controls.
• Use internet scanning services (e.g., Qualys FreeScan,
SecureCheq, Nexpose Community Edition).
• Review security plan for currency and adequacy
• Perform physical inspection
CREATE AND DISTRIBUTE REQUIRED DOCUMENTS. The following
documents are required
• Annual privacy notices (required by FTC privacy rule.
• Service contracts (ensure they require safeguards of your
customer data).
• Acceptable Use Policy (Required and prohibited behaviors
on IT resources)
• Create a contingency plan
ENSURE PHYSICAL SECURITY. Review the following controls:
• Secure all desks, photocopiers, mailboxes, trash cans,
and rooms with personal data stored.
• Remove taxpayer data from all media (e.g., thumb drives,
hard drives) prior to release or disposal.
• Authorize release of information
• Lock doors, cabinets, and drawers.
Getting Started
! Assess risks. Consider physical, operations, systems, and outsourced services.
! Create safeguard plan. List controls in each of the areas above.
! Carefully review outsourced services
! Revisit program annually.
dlandoll@lantego.com
(512) 633-8405
www.lantego.com
Experts Only
LOCKDOWN INFORMATION SYSTEM SECURITY. Ensure the following
controls in IT:
• Ensure authorized access only based on need-to-
know. (What passwords does your IT provider have?)
• Work with IT provider to create a contingency plan
(with annual testing).
• Backup files and systems. Regularly.
• Maintain system and application patches.
• Unique identifiers and strong authentication.
Password minimum strength and changes. Consider
2FA.
• Disable inactive accounts.
• Implement network security (firewall, network
segmentation, IDS)
• Encrypt transmissions (email and network
applications)
ANNUALLY CERTIFY YOUR SYSTEMS. Determine and accept risks
annually.
• Perform self-assessment.
• Determine risks.
• Mitigate or accept risks
• Document annual certification for use.
APPROPRIATELY REPORT INCIDENTS. Be prepared to report
incidents as required.
• Create incident response plan (identify incidents,
reporting requirements, responsible parties, and
reporting formats).
• See IRS Pub 5199](https://image.slidesharecdn.com/99fd5083-6450-4108-888f-21b61f34728b-160328201638/85/Tax-Preparers-Presentation-1-320.jpg)
