In an email from the Return Preparer Office, the IRS has provided tax professionals with information about how to report data breaches to the IRS.
Background. The Federal Trade Commission (FTC) has the authority to set data safeguard regulations for various entities, including professional tax return preparers. Tax preparers who efile must also follow the six security and privacy standards in Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns.
The IRS has issued guidance for tax return preparers on ways to safeguard their client’s tax data from identity theft. (IRS Publication 4557, Safeguarding Taxpayer Data) Tax professionals who notice any signs of identity theft should contact their state’s IRS Stakeholder Liaison immediately. (IR 2018-177)
Contact the IRS. Once a tax preparer has identified a data breach, the tax preparer should contact IRS and law enforcement. A tax preparer should report any data breaches to their local IRS Stakeholder Liaison. The list of local IRS Stakeholder Liaisons can be found here.
The Stakeholder Liaison will notify the IRS Criminal Investigation division and others within the agency on the preparer’s behalf. If reported quickly, the IRS can take steps to block filing of fraudulent returns using the stolen data.
Contact local police. Tax preparers who have identified a data breach should also contact local police to file a report on the data breach. A police report will probably be needed to make an insurance claim if the preparer has data breach coverage. If directed by the IRS, the tax preparer should contact their local office of the FBI and the Secret Service.
Contact a security expert. Once a tax preparer has contacted the government, the preparer should contact a security expert to determine the cause and scope of the breach, stop the breach and prevent future breaches. If the preparer has insurance that covers data breaches, the preparer will need to report the breach to the insurance company to determine if the policy covers breach mitigation expenses.
Contact clients, credit services, etc. Next, a tax preparer should contact clients and other services. The preparer should send letters to all clients to inform them of the breach after notifying law enforcement. A preparer may want to contact the FTC. The FTC has resources to help businesses victimized by data thefts, including providing resources on notifying clients that a data loss has occurred. In addition, the tax professional may want to contact an identity-theft protection service to see if free identity-theft protection is available to the clients.
Finally, tax professionals also will need to contact the credit bureaus about the data breach because the clients may seek credit monitoring.
References: For guidance for tax return preparers on safeguarding clients’ tax data from identity theft, see FTC 2d/FIN ¶T-10164.5.