If you are a tax professional, you have a legal and ethical obligation to safeguard your clients’ personal and financial information. Data breaches can expose your clients to identity theft, fraud, and other risks. They can also damage your reputation and credibility as a trusted advisor.
The Internal Revenue Service (IRS) has issued Publication 4557, Safeguarding Taxpayer Data, to help you understand your responsibilities and provide guidance on how to create and implement a data security plan. This article will summarize the main points of this publication and offer some practical tips on how to protect your clients’ data.
What is Safeguarding Taxpayer Data?
Safeguarding taxpayer data means taking appropriate measures to ensure that the information you collect, store, transmit, and dispose of is secure from unauthorized access, use, disclosure, modification, or destruction. This includes not only electronic data, but also paper records, backup devices, and any other media that contain taxpayer data.
Taxpayer data includes any information that you obtain or use in the course of preparing or filing federal tax returns or providing other tax-related services for your clients. This may include:
- Name, address, Social Security number, date of birth, and other identifying information
- Income, expenses, deductions, credits, and other tax-related information
- Bank account numbers, routing numbers, credit card numbers, and other financial information
- Health insurance information, medical records, and other sensitive information
Why is Safeguarding Taxpayer Data Important?
Safeguarding taxpayer data is important for several reasons:
- It is required by law. The Federal Trade Commission (FTC) enforces the Safeguards Rule, which requires financial institutions to have a written information security plan that describes how they protect customer data. Tax professionals are considered financial institutions under this rule. The IRS also enforces the Internal Revenue Code (IRC) Section 7216, which prohibits the unauthorized use or disclosure of tax return information. Violating these laws can result in civil penalties, criminal prosecution, or both.
- It is required by professional standards. The IRS Circular 230, which governs the practice of tax professionals before the IRS, requires practitioners to exercise due diligence in preparing or assisting in the preparation of tax returns and other documents. This includes taking reasonable steps to protect the confidentiality of client information. The American Institute of Certified Public Accountants (AICPA), the National Association of Enrolled Agents (NAEA), and other professional organizations also have ethical codes that require members to safeguard client data.
- It is good for business. Protecting your clients’ data can help you build trust and loyalty with your existing clients and attract new ones. It can also help you avoid the costs and consequences of a data breach, such as legal fees, fines, lawsuits, lost revenue, reputational damage, and loss of clients.
How to Create and Implement a Written Information Security Plan?
A Written Information Security Plan (WISP) is a document that describes how you protect your clients’ data from potential threats. It should be based on a risk assessment that identifies the sources and types of data you handle, the potential vulnerabilities and threats to your data security, and the safeguards you have in place or plan to implement.
The IRS Publication 4557 provides a checklist of six elements that should be included in your data security plan:
- Designate one or more individuals to coordinate your data security program
- Identify and assess the risks to customer information in each relevant area of your operation
- Design and implement a safeguards program and regularly monitor and test it
- Select service providers that can maintain appropriate safeguards and oversee their handling of customer information
- Evaluate and adjust your program in light of relevant circumstances such as changes in technology or business operations
- Educate yourself and your employees about data security best practices
Some examples of safeguards that you can implement are:
- Use strong passwords and encryption for your devices and networks
- Install anti-virus software and firewalls on your computers and update them regularly. For additional security, consider the difference between antivirus and MDR.
- Back up your data regularly and store it in a secure location
- Shred or destroy paper records that contain taxpayer data when they are no longer needed
- Limit access to taxpayer data to only those who need it for legitimate business purposes
- Train your employees on how to handle taxpayer data securely and report any suspicious activity
- Notify your clients promptly if you discover a data breach or suspect one has occurred. Consider a 24/7 monitored MDR solution.
Where Can You Find More Information?
The IRS Publication 4557 is available online at https://www.irs.gov/pub/irs-pdf/p4557.pdf.
An explanation of the FTC’s Safeguards Rule can be found in “FTC Safeguards Rule: What Your Business Needs to Know” on the Federal Trade Commission website.
Visit Watch Cloud Cyber Security to learn more about our portfolio of cybersecurity solutions designed for tax and accounting professionals.