IRS News Release IR-2018-150: Tax Security 101 – Security Summit outlines “Security Six” basic safeguards for tax professionals’ computers and email (July 17, 2018)
The IRS has issued a news release identifying six “must-have” areas for securing taxpayer data on computers. These areas, developed by the IRS and its Security Summit partners, are intended to help tax professionals protect their computers and email as well as safeguard sensitive taxpayer data. (“Security Summit” refers to a partnership between the IRS, state tax agencies, and private-industry tax professionals. The Security Summit is conducting an awareness campaign to provide tax professionals with information to better protect taxpayer data and to prevent the filing of fraudulent tax returns. This news release is the second in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.”)
The IRS highlights these protections:
Anti-virus software. Anti-virus software scans files or computer memory for certain patterns that may indicate the presence of malicious software (malware). Because new and updated malware is identified daily, it is important to install the latest updates and perform regular scans. Users should understand how anti-virus software operates, so they take appropriate action when suspicious patterns are detected.
Firewalls. Firewalls provide protection against outside attackers by shielding computers or networks from malicious or unnecessary network traffic and preventing malware from accessing the network. Firewalls can be configured to block data from certain locations or applications while allowing relevant and necessary data through. Firewalls primarily protect against malicious traffic and may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures will strengthen resistance to attacks.
Two-factor authentication. Two-factor authentication adds a layer of protection by requiring returning users to enter credentials (username and password) plus another piece of information, such as a security code texted to a mobile phone. IRS Secure Access now uses two-factor authentication to protect its online tools (see our Checkpoint article).
Backup software/services. In addition to recommending routinely backing up data to external sources, the Security Summit advocates encrypting the backup data.
Drive encryption. Users are also advised to consider drive-encryption software. Drive encryption, or disk encryption, transforms data on the computer into files that are unreadable to any unauthorized person accessing the computer.
Data security plan. Tax professionals are reminded to have a data security plan, which the IRS says is a requirement for professional tax preparers.
EBIA Comment: The IRS notes that many of these steps are a good idea not just for tax professionals but for any taxpayer or small business. And while the recommendations will be familiar to those conversant with HIPAA privacy and security requirements, all plans, plan sponsors, service providers, and advisors can find value in the IRS’s explanations. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXVIII.C (“Safeguards (the ‘Mini-Security Rule’)”) and XXX (“Core Security Requirements”). See also EBIA’s Cafeteria Plans manual at Section XVI.E (“Electronic Administration”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded on 1/17/18).
Contributing Editors: EBIA Staff.