Tax Preparers Presentation


PROTECTING TAXPAYER DATA From the Perspective of the Tax Preparer.

"[Safeguarding taxpayer data] is the legal responsibility of … individuals that receive, maintain, share, transmit, or store taxpayer's personal information." – IRS Pub 4557

Applicable Law and Regulations

GLBA (1999): Federal. Privacy and security of personal banking information.

FTC Safeguards Rule: Ensure security of customer records and information.

Financial Privacy Rule: Requires privacy notices for how information is used.

IRS Procedure 2007-40: Requires e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal info.

General Security and Privacy Requirements

CREATE A SECURITY PLAN. List responsibilities and security controls in each of the following areas:

• Physical environment (office, file cabinets, shredding)
• Operations (information flow, storage, transmission, information requests)
• Systems (WiFi, router, shared network devices, workstation, laptop)
• Outsourced Services (IT, storage, courier)

TEST CONTROLS ANNUALLY. Self-assess the adequacy of controls.

• Use internet scanning services (e.g., Qualys FreeScan, SecureCheq, Nexpose Community Edition).
• Review security plan for currency and adequacy.
• Perform physical inspection.

CREATE AND DISTRIBUTE REQUIRED DOCUMENTS. The following documents are required:

• Annual privacy notices (required by FTC Privacy Rule).
• Service contracts (ensure they require safeguards of your customer data).
• Acceptable Use Policy (required and prohibited behaviors on IT resources).
• Contingency plan.

ENSURE PHYSICAL SECURITY. Review the following controls:

• Secure all desks, photocopiers, mailboxes, trash cans, and rooms with personal data stored.

• Remove taxpayer data from all media (e.g., thumb drives, hard drives) prior to release or disposal.

• Authorize release of information.

• Lock doors, cabinets, and drawers.

Getting Started

• Assess risks. Consider physical, operations, systems, and outsourced services.
• Create safeguard plan. List controls in each of the areas above.
• Carefully review outsourced services.
• Revisit program annually.

[email protected] | (512) 633-8405 | www.lantego.com

Experts Only

LOCKDOWN INFORMATION SYSTEM SECURITY. Ensure the following controls in IT:

• Ensure authorized access only based on need-to-know. (What passwords does your IT provider have?)

• Work with IT provider to create a contingency plan (with annual testing).

• Back up files and systems regularly.

• Maintain system and application patches.

• Unique identifiers and strong authentication. Password minimum strength and changes. Consider 2FA.

• Disable inactive accounts.

• Implement network security (firewall, network segmentation, IDS).

• Encrypt transmissions (email and network applications).

ANNUALLY CERTIFY YOUR SYSTEMS. Determine and accept risks annually.

• Perform self-assessment.

• Determine risks.

• Mitigate or accept risks.

• Document annual certification for use.

APPROPRIATELY REPORT INCIDENTS. Be prepared to report incidents as required.

• Create incident response plan (identify incidents, reporting requirements, responsible parties, and reporting formats).

• See IRS Pub 5199.