Data Security Requirements for Tax Professionals

Client information is essential to the tax professional. Protecting that information is not only a vital aspect of your role in the lives of your clients, but it is also a requirement.
Scroll Down

Data Security Requirements for Tax Professionals

Client information is essential to the tax professional. Protecting that information is not only a vital aspect of your role in the lives of your clients, but it is also a requirement. The Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, was created to permit the Federal Trade Commission to control information safeguard tactics for businesses involved in providing financial products or services, including tax professionals. The GLBA requires you, as tax professionals, to implement written information security plans that detail how your firm is equipped to protect your clients’ personal information.

The Federal Trade Commission and the IRS have released information on best policies and practices for various aspects of data security including how to protect servers, maintain and monitor systems, handle access to systems, train employees, retain and dispose of records and manage a data breach. Wading through the security recommendations and requirements can result in network downtime and reduce your firm’s ability to function. According to a recent MarketWatch article, the average cost of downtime is an astounding $5,600/minute.

Crafting a Strong Information Security Plan is a Must for Your Firm

As tax professionals, “significantly engaged” in providing financial products or services, your firm is required to comply with various IRS rules and regulations with regard to the protection of sensitive client information. Tax professionals, by their nature, have access to a wealth of information that is often a target for wily cybercriminals. In 2019 alone, a report cited in Forbes magazine suggested that an astounding 67% of all data breaches occurred in the business sector. By crafting and implementing a strong information security plan, your firm can avoid becoming a statistic.

Writing an Effective Security Plan

The Gramm-Leach-Bliley Act (GLBA) requires each financial services business, like yours, to develop a written information security plan commensurate with the company’s size, the type of information received from clients, and the activities of the company after receiving the client information. Each plan must:

  • Appoint employee(s) to manage the information security program
  • Pinpoint and evaluate risks to client information
  • Assess the effectiveness of current systems
  • Create and execute appropriate safeguards
  • Test and monitor your internal safeguards
  • Choose a service provider to maintain the safeguards set forth in the plan
  • Confirm service provider is equipped to maintain appropriate safeguards
  • Reevaluate and adjust as time and conditions develop

The necessity of working in remote environments has provided an additional layer of risk your firm should consider, especially if employees are accessing and/or processing sensitive client information from remote locations or outside the company’s computer network. Your written internal safeguards plan should address this scenario. In a CPA Practice Advisor article, IRS Commissioner Chuck Rettig noted that it was “more important than ever to take appropriate security precautions, protect remote work sites, use two-factor authentication and plan ahead for all possibilities.”

Implementing a Checklist to Protect Your Clients

A written data security plan is only one way tax professionals are required to protect client information. The IRS has updated Publication 4557, Safeguarding Taxpayer Data and partnered with its Security Summit partners to create a “Taxes-Security-Together” checklist in order to ensure your firm is in compliance with all information security requirements. In addition to creating a written security plan, the checklist items suggest each tax professional should:

  • Install “Security Six” basic safeguards: Antivirus software, firewalls, two-factor authentication, backup software/services, drive encryption, and a data security plan
  • Learn about phishing scams
  • Discern the signs of client data theft
  • Create a data theft recovery plan

Your firm should be aware that inadequate safeguards could result in civil or criminal liability. In order to ensure your firm is protected in the event of data theft, it is recommended that you undertake a review of firm insurance policies.

Let the Infiniwiz Team Reduce Risk for Your Tax Firm

Cybercriminals have repeatedly proven that they are determined to gain access to sensitive client data stored by tax professionals. As an experienced managed IT services and cybersecurity firm based in Chicago, Illinois the team at Infiniwiz understands how important it is to establish compliance with IRS regulations for written security information plans and implement mitigation tactics to protect your clients’ sensitive information. If your tax firm needs to prepare a written information security plan or is struggling to navigate the recommended standards, we are here to take on the burden and replace time lost to navigating these complicated tasks.

Our team will assist you by taking proactive steps to protect sensitive client information by implementing certain strategies designed to ward off cyber theft. Contact the Infiniwiz team at (847) 350-7652 or visit us at to learn more about our recommended written information security plans and accompanying data security processes.