Tips for tax preparers on how to create a data security plan

IRS Tax Tip 2018-151, September 27, 2018

The IRS reminds tax preparers that protecting taxpayer information isn’t just good for their clients and good for business – it’s also the law. The Federal Trade Commission’s Safeguards Rule requires that tax preparers create and enact security plans.

Although the IRS and its partners in the Security Summit are making progress against tax-related identity theft, cybercriminals continue to evolve. In fact, data thefts at tax professionals’ offices are on the rise. Thieves use stolen data from tax preparers to create fraudulent returns that are harder to detect.

Creating a security plan can help businesses – such as tax preparers – protect their offices against tax-related identity theft. Preparers should also remember that failing to create a plan may result in an FTC investigation. Here are some things tax preparers should know about putting together such a plan:

  • The FTC-required information security plan must be appropriate to the company’s size and complexity. A business should also consider the sensitivity of the customer information it handles.
  • A business should designate one or more employees to coordinate its information security program.
  • A preparer should identify and assess the risks to customer information.
  • They should also review and evaluate the effectiveness of the current safeguards for controlling any risks to data.
  • After designing and implementing a safeguards program, the business should regularly monitor and test it.
  • A business should select service providers that can maintain appropriate safeguards.
  • When signing a contract with a service provider, the business should make sure the contract requires the provider to maintain safeguards and oversee their handling of customer information.
  • A business should regularly evaluate and adjust the program as time goes on. This includes things like changes in the firm’s business or operations, and the results of security testing.
  • The FTC says the requirements are designed to be flexible so that companies can implement safeguards appropriate to their own circumstances.
  • Publication 4557,  Safeguarding Taxpayer Data, has information about critical security measures that all tax professionals should put in place.
  • Publication 4557 also includes a checklist of items to include in a data security plan.
  • The IRS may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40. node/48886 This sets the rules for tax professionals participating as an Authorized IRS e-file Provider.

The IRS and its partners in the Security Summit are reminding preparers about creating a security plan as part of the Tax Security 101 awareness initiative. The goal is to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.

More Information:

*This message was distributed from IRS Tax Tips. For more information on federal taxes please visit