No industry is immune to cybercrime and the financial consequences of a data breach can be devastating – costing roughly $1.5 trillion annually (Bromium cybersecurity report).

Small to midsized accounting firms are top targets of cybercrime because they have direct access to sensitive personal and financial information, and they typically don’t have the IT defenses that big firms employ.

Last year, three different tax-themed spam campaigns spoofing ADP and Paychex hit accounting firms with versions of TrickBot, a financial malware buried in a MS Excel file that silently infects devices, steals client banking credentials, and then perpetrates wire fraud from the device owner’s account. This malware gives cybercriminals total control of the device, and can spread to other computers on the network.

In May 2019, a similar malware hit Wolters Kluwer, the provider of tax accounting software and cloud services to the top 100 accounting firms and 90% of Fortune 500 companies. They had to shut their systems down for several days to regain control.

IRS Form W-12; Safeguarding Taxpayer Data

Now for 2020, the FTC Safeguards Rule requires every tax professional, whether you are a partner in a large firm or a sole practitioner, and every Authorized IRS e-File Provider, to create and enact security plans to protect client data.

The new IRS Form W-12: Paid Preparer Tax Identification Number (PTIN) for Application and Renewal now includes a legal requirement for data protection:

As a result, every accounting employee should be educated about security threats, from phishing schemes to ransomware.

AllConnected offers a comprehensive solution to safeguard your taxpayer data

Contact Us to learn more and get started with smartConnect + CPA.

Some tax preparers may say, “I comply because I have PC anti-virus and everything is in the cloud, from Office 365 to hosted QuickBooks.”

But that is not enough. Does your PC have encrypted drives? Does your Microsoft subscription provide archiving, and for how long?

Can you honestly certify that your firm is fully compliant based on all the rules in the FTC Safeguards Rule Guide?

Consider SmartConnect + CPA

AllConnected’s SmartConnect + CPA managed services provide a simple, compliance-ready solution for accounting firms.

The following are included:

Information Safeguard Rules Documentation, Submission Plan, and Annual Report.
supportConnect Endpoint protection with managed anti-virus, managed phishing, managed patching, Cisco Umbrella DNS Management, Cisco DUO MFA
Microsoft Office 365 cloud backup of SharePoint, OneDrive, and email
IT Security Awareness Training*
supportConnect Network protection with managed firewall, switch, and wireless. Cisco Meraki cloud managed performance with QoS for Microsoft Teams and LOB
Microsoft Office 365 E3 or E5 for compliance, security, and optional voice/phones
Helpdesk IT Remediation Support (2 calls per month included)
supportConnect Server protection and Backup if Needed
Annual Remote Technical Business Review and IS Planning Session

Optional

Private Cloud Application Hosting
Managed SIEM
Azure or Private Cloud Domain Controller Hosting

*To learn more about improving your “zero-trust” IT security policy, consider our: IT Security Awareness Training (in partnership with KnowBe4).

FTC Safeguards Rule Checklist

The following is the full FTC Safeguards Rule Checklist, in three sections and color-coded to show how much is involved in the new data safeguard requirement, and how expansive our SmartConnect + CPA managed services are in protecting your clients’ data. The color key is:

Your responsibility
Fully covered by smartConnect + CPA managed services
Shared responsibility for full compliance

The success of your information security plan depends largely on the employees who implement it. Consider these steps:

Check references or do background checks before hiring employees who will have access to customer information.
Ask every new employee to sign an agreement to follow your company’s confidentiality and security standards for handling customer information.
Limit access to customer information to employees who have a business reason to see it. For example, give employees who respond to customer inquiries access to customer files, but only to the extent they need it to do their jobs.
Control access to sensitive information by requiring employees to use “strong” passwords that must be changed on a regular basis. (Tough-to-crack passwords require the use of at least six characters, upper- and lower-case letters, and a combination of letters, numbers, and symbols.) (IRS suggestion: passwords should be a minimum of eight characters.)
Use password-activated screen savers to lock employee computers after a period of inactivity.
Develop policies for appropriate use and protection of laptops, PDAs, cell phones, or other mobile devices. For example, make sure employees store these devices in a secure place when not in use. Also, consider that customer information in encrypted files will be better protected in case of theft of such a device.
Train employees to take basic steps to maintain the security, confidentiality, and integrity of customer information, including:
Locking rooms and file cabinets where records are kept;
Not sharing or openly posting employee passwords in work areas;
Encrypting sensitive customer information when it is transmitted electronically via public networks;
Referring calls or other requests for customer information to designated individuals who have been trained in how your company safeguards personal data; and
Reporting suspicious attempts to obtain customer information to designated personnel.
Regularly remind all employees of your company’s policy — and the legal requirement — to keep customer information secure and confidential. For example, consider posting reminders about their responsibility for security in areas where customer information is stored, like file rooms.
Develop policies for employees who telecommute. For example, consider whether or how employees should be allowed to keep or access customer data at home. Also, require employees who use personal computers to store or access customer data to use protections against viruses, spyware, and other unauthorized intrusions.
Impose disciplinary measures for security policy violations.
Prevent terminated employees from accessing customer information by immediately deactivating their passwords and user names and taking other appropriate measures.
(IRS Suggestion: Add labels to documents to signify importance, such as “Sensitive” or “For Official Business” to further secure paper documents.)

Know where sensitive customer information is stored and store it securely. Make sure only authorized employees have access. For example:

Ensure that storage areas are protected against destruction or damage from physical hazards, like fire or floods.
Store records in a room or cabinet that is locked when unattended.
When customer information is stored on a server or other computer, ensure that the computer is accessible only with a “strong” password and is kept in a physically-secure area.
Where possible, avoid storing sensitive customer data on a computer with an Internet connection.
Maintain secure backup records and keep archived data secure by storing it off-line and in a physically-secure area.
Maintain a careful inventory of your company’s computers and any other equipment on which customer information may be stored.
Take steps to ensure the secure transmission of customer information. For example:
When you transmit credit card information or other sensitive financial data, use a Secure Sockets Layer (SSL) or other secure connection, so that the information is protected in transit. (IRS Suggestion: Transport Layer Security 1.1 or 1.2 is newer and more secure.)
If you collect information online directly from customers, make secure transmission automatic. Caution customers against transmitting sensitive data, like account numbers, via email or in response to an unsolicited email or pop-up message.
If you must transmit sensitive data by email over the Internet, be sure to encrypt the data.
Dispose of customer information in a secure way and, where applicable, consistent with the FTC’s Disposal Rule. For example:
Consider designating or hiring a records retention manager to supervise the disposal of records containing customer information. If you hire an outside disposal company, conduct due diligence beforehand by checking references or requiring that the company be certified by a recognized industry group.
Burn, pulverize, or shred papers containing customer information so that the information cannot be read or reconstructed.
Destroy or erase data when disposing of computers, disks, CDs, magnetic tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or hardware containing customer information.

Information systems include network and software design, and information processing, storage, transmission, retrieval, and disposal. Here are some FTC suggestions on maintaining security throughout the life cycle of customer information, from data entry to data disposal:

Monitor the websites of your software vendors and read relevant industry publications for news about emerging threats and available defenses.
Maintain up-to-date and appropriate programs and controls to prevent unauthorized access to customer information. Be sure to:
Check with software vendors regularly to get and install patches that resolve software vulnerabilities;
Use anti-virus and anti-spyware software that updates automatically;
Maintain up-to-date firewalls, particularly if you use a broadband Internet connection or allow employees to connect to your network from home or other off-site locations;
Regularly ensure that ports not used for your business are closed; and
Promptly pass along information and instructions to employees regarding any new security risks or possible breaches.
Use appropriate oversight or audit procedures to detect the improper disclosure or theft of customer information. It’s wise to:
Keep logs of activity on your network and monitor them for signs of unauthorized access to customer information;
Use an up-to-date intrusion detection system to alert you of attacks;
Monitor both in- and out-bound transfers of information for indications of a compromise, such as unexpectedly large amounts of data being transmitted from your system to an unknown user; and
Take steps to preserve the security, confidentiality, and integrity of customer information in the event of a breach. If a breach occurs:
Take immediate action to secure any information that has or may have been compromised. For example, if a computer connected to the Internet is compromised, disconnect the computer from the Internet;
Preserve and review files or programs that may reveal how the breach occurred; and
If feasible and appropriate, bring in security professionals to help assess the breach as soon as possible.
Consider notifying consumers, law enforcement, and/or businesses in the event of a security breach. For example:
Notify consumers if their personal information is subject to a breach that poses a significant risk of identity theft or related harm;
Notify law enforcement if the breach may involve criminal activity or there is evidence that the breach has resulted in identity theft or related harm;
Notify the credit bureaus and other businesses that may be affected by the breach. See Information Compromise and the Risk of Identity Theft: Guidance for Your Business; and
Check to see if breach notification is required under applicable state law.
(IRS suggestions: Practitioners who experience a data loss should contact the IRS and the states. Also, consider having a technical support contract in place, so that hardware events can be fixed within a reasonable time and with minimal disruption to business availability.)
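The checklist asks firms to keep network logs and to watch outbound transfers for unexpectedly large volumes going to an unknown destination. The following is an added illustration of that check, not code from the original page or from AllConnected: it parses a constructed, simplified transfer log (the line format, host names, addresses and the known-destination list are all assumptions) and flags source/destination pairs whose outbound total exceeds a threshold and whose destination is not on the firm’s known list.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of an outbound-transfer log in an assumed, simplified
# "timestamp source destination bytes direction" format (not a vendor format).
SAMPLE_LOG = """\
2020-03-02T09:14:05 ws-07 tenant.sharepoint.example 182340 out
2020-03-02T09:15:11 ws-07 203.0.113.45 524288000 out
2020-03-02T09:16:30 ws-12 backup.provider.example 40960000 out
2020-03-02T09:17:02 ws-07 203.0.113.45 734003200 out
2020-03-02T09:20:45 ws-03 198.51.100.7 1048576 out
2020-03-02T09:21:10 ws-03 198.51.100.7 2097152 in
malformed line that the parser should skip
"""

# Destinations the firm has a documented business reason to send data to (assumed).
KNOWN_DESTINATIONS = {"tenant.sharepoint.example", "backup.provider.example"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (in|out)$")
Record = Tuple[str, str, str, int, str]

def parse_log(text: str) -> List[Record]:
    """Parse lines into (timestamp, source, destination, bytes, direction)."""
    records: List[Record] = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:  # lines that do not fit the expected format are skipped
            ts, src, dst, nbytes, direction = match.groups()
            records.append((ts, src, dst, int(nbytes), direction))
    return records

def outbound_totals(records: List[Record]) -> Dict[Tuple[str, str], int]:
    """Sum bytes sent outward per (source host, destination) pair."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for _ts, src, dst, nbytes, direction in records:
        if direction == "out":
            totals[(src, dst)] += nbytes
    return dict(totals)

def flag_suspicious_transfers(text: str, threshold_bytes: int = 100 * 1024 * 1024
                              ) -> List[Tuple[str, str, int]]:
    """Outbound totals above the threshold to unlisted destinations, largest first."""
    flagged = [(src, dst, total)
               for (src, dst), total in outbound_totals(parse_log(text)).items()
               if dst not in KNOWN_DESTINATIONS and total > threshold_bytes]
    return sorted(flagged, key=lambda item: item[2], reverse=True)
```

Each flagged pair is a lead for the "review the files that may reveal how the breach occurred" step, not proof of a breach; the threshold and known list should be tuned to the firm's normal traffic.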

Contact Us About Securing Your Business and Client Data

Make sure you comply with the new IRS data safeguard requirements before your next license renewal. Start a conversation with us today:
