I go to a lot of tax meetings and workshops and the IRS usually has a presence there contributing speakers and/or brochures or other printed media. At one event a few years ago, I picked up a brochure on creating a security plan to protect client data. Once home, I skimmed the material and put it aside for further study. It has never been seen since nor could I remember the pub number. I tried searching the IRS web site but I must not have been using the right keywords or looked deep enough in to the results. Until yesterday, when I found the new version on the IRS website.
Publication 4557 – Safeguarding Taxpayer Data (download) is a pub that every tax pro should have. As the brochure points out, tax preparation offices are subject to the Federal Trade Commission’s (FTC) Financial Privacy and Safeguarding rules. A tax office needs to take responsibility for taxpayer info in their office. The office should take a hard look at their current security system, create a security plan, and follow the plan. They should also regularly evaluate the plan and office and update the plan as necessary.
Pub 4557 helps the tax office evaluate their security with a very extensive checklist that covers not only computer and file security but employee issues and reporting requirements when there is a security breach. The pub also contains a list of resources for more info on privacy issues.
In very fortunate timing, the company who does my shredding left a poster when they emptied the bins today. While mostly a promotional piece, the poster had several statistics concerning data breaches and security. Two jumped out at me. First, 56% of the businesses in the US and Canada don’t have a secure method of document destruction. This leads right into the second statistic; 43% of all data breaches are physical methods like skimming and dumpster diving. We hear about the hackers breaking into a company’s computers and stealing confidential info on millions of people but we rarely think about low tech theft. A taxpayer’s credit and life can be affected just as easily from a document tossed out instead of shredded or burned or even left on a desk where it can been seen by someone else. And don’t forget how much damage an employee gossiping about a client with friends can cause. It might not result in identity theft but it can be damaging in other ways.
Privacy should be a major priority for all tax office. Please use this publication to create a plan for your office (or at least increase your awareness of the problem). We all handle too much sensitive information to leave it to luck.