Publication 4557 (Rev. 5-2024)

A GUIDE FOR YOUR BUSINESS

Safeguarding

Taxpayer Data

SAFEGUARDING TAXPAYER DATA

Contents

Introduction

Safeguarding Taxpayer Data ............................ 3

Protect Your Clients; Protect Yourself

Take Basic Security Steps ..............................4

Use Security Software .....................................5

Create Strong Passwords ................................5

Secure Wireless Networks ..............................6

Protect Stored Client Data ..............................7

Be on Guard

Spot Data Theft................................................8

Monitor EFIN/PTIN ...........................................8

Recognize Phishing Scams .............................9

Guard Against Phishing Emails ...................... 10

Be Safe on the Internet .................................. 10

Report and Respond

Report Data Loss to IRS/States .....................11

Respond and Recover from a Data Loss .......12

Comply with the FTC Safeguards Rule

Understand the FTC Safeguards Rule............13

Comply with the FTC Safeguards Rule...........13

Checklist for Creating a Plan..........................14

Employee Management and Training..............14

Information Systems.......................................15

Detecting and Managing System Failures.......17

Glossary .......................................... 19

SAFEGUARDING TAXPAYER DATA

Introduction - Safeguarding

Taxpayer Data

Combatting today’s cybercriminals takes all of us working together. The

Internal Revenue Service works with state tax agencies and the tax

industry to fight these 21st century identity thieves. After forming the

Security Summit and enacting a series of safeguards, the partners are

making inroads. But, there’s more work to be done.

Data thefts at tax professionals’ offices are on the rise. As the Security

Summit makes progress, identity thieves need more taxpayer data to

file fraudulent tax returns. And they have placed tax practitioners firmly

in their sights. Data security is now a necessity for every tax

professional, whether a partner in a large firm or a sole practitioner, and

every Authorized IRS e-File Provider. Every employee, both professional

and administrative staff, should be educated about security threats and

safeguards. Everyone has a role to play in protecting taxpayer

information.

Protecting taxpayer data is the law. Federal law gives the Federal Trade

Commission authority to set data safeguard regulations for various

entities, including professional tax return preparers. According to the

FTC Safeguards Rule, tax return preparers must create and enact

security plans to protect client data. See Publication 5708 for

information on creating a written information security plan. Failure to do

so may result in an FTC investigation. Online providers also must follow

the six security and privacy standards in Publication 1345, Handbook

for Authorized IRS e-file Providers of Individual Income Tax Returns.

Protecting taxpayer data is good business. Data security can protect

your business as well as your clients. A theft may also mean a loss of

reputation, a loss of clients or a loss of money. Consider engaging

security professionals for assistance or check with your professional

liability carrier about data theft coverage.

This guide seeks to help tax professionals to:

y understand basic security steps and how to take them;

y recognize the signs of data theft and how to report data theft;

y respond and recover from a data loss;

y understand and comply with the FTC Safeguards Rule.

SAFEGUARDING TAXPAYER DATA

Protect Your Clients;

Protect Yourself

Take Basic Security Steps

Here are some basic security steps that tax professionals can take

today to make their clients’ data and their businesses safer:

y Learn to recognize phishing emails, especially those pretending to be

from the IRS, e-Services, a tax software provider or cloud storage

provider. Never open an embedded link or any attachment from a

suspicious email.

y Create a data security plan using IRS Publication 4557, Safeguarding

Taxpayer Data, and Small Business Information Security – The

Fundamentals, by the National Institute of Standards and Technology.

y Review internal controls:

• Install anti-malware/anti-virus security software on all devices

(laptops, desktops, routers, tablets and phones) and keep

software set to automatically update.

• Use strong passwords of 8 or more characters, use different

passwords for each account, use special and alphanumeric

characters, use phrases, password protect wireless devices and

consider a password manager program.

• Implement multi-factor authentication for anyone accessing

customer information on your system.

• Encrypt all sensitive files/emails, especially those with the

taxpayer’s personally identifiable information, and use strong

password protections.

• Back up sensitive data to a safe and secure external source not

connected fulltime to a network.

• Make a final review of return information – especially direct deposit

information - prior to e-filing.

• Wipe clean or destroy old computer hard drives and printers that

contain sensitive data.

• Limit access to taxpayer data to individuals who need to know.

• Check e-File Applications and PTIN accounts weekly for total

returns filed using EFINs and PTINs; deactivate unused EFINs.

• Withdraw from any outstanding authorizations (power of attorney/

tax information) for taxpayers who no longer are clients.

• Implement audit trails (audit logs) that records all activities that

occur. This includes who performed the activity, when it was

performed, and what changes were made.

SAFEGUARDING TAXPAYER DATA

• Implement a clean desk policy.

y Report any data theft or data loss to the appropriate IRS Stakeholder

Liaison.

y Stay connected to the IRS through subscriptions to e-News for Tax

Professionals, QuickAlerts and Social Media.

y Educate clients about the availability of the Identity Protection PIN for

taxpayers.

y Review FTC’s security tips at Cybersecurity for Small Business and

Protecting Personal Information: A Guide for Business

Use Security Software

y A fundamental step to data security is the installation and use of

security software on your computers. Here are the various types of

security software you need and their purpose:

y Anti-virus – prevents bad software, such as malware, from causing

damage to a computer.

y Anti-spyware – prevents unauthorized software from stealing

information that is on a computer or processed through the system.

y Firewall – blocks unwanted connections.

y Drive Encryption – protects information from being read on

computers, tablets, laptops and smart phones if they are lost, stolen

or improperly discarded.

Both Windows and Mac operating systems come with factory-installed

security software and with encryption technology. Both operating

systems also come with built-in firewall protection, which you should

enable unless your anti-virus software includes a firewall feature. Or,

you also may separately purchase security software that offers a suite

of protections.

For product recommendations, check with colleagues, professional

associations or, for those who have data theft insurance protection, the

insurance carrier. Never select “security software” from a pop-up

advertisement while surfing the web. Download security software only

from the chosen vendor’s site.

Set security software to update automatically. This step is critical to

ensuring the software has the latest protections against emerging

threats. For additional safety, ensure that your internet browser (Google,

MS EDGE, Firefox, Safari, etc.) is set to update automatically so that it

remains secure.

SAFEGUARDING TAXPAYER DATA

Create Strong Passwords

It is critical that all tax practitioners establish strong, unique passwords

for all accounts, whether it’s to access a device, tax software products,

cloud storage, wireless networks or encryption technology. Here’s how

to get started:

y Use a minimum of eight characters; consider minimum of 16

characters for an administrator’s password.

y Use a combination of letters, numbers and symbols, i.e., ABC, 123,

!@#.

y Avoid personal information or common passwords; opt for phrases.

y Change default/temporary passwords that come with accounts or

devices, including printers.

y Do not reuse passwords, e.g., changing Bgood!17 to Bgood!18 is not

good enough; use unique usernames and passwords for accounts

and devices.

y Do not use your email address as your username if that is an option.

y Do not disclose your passwords to anyone for any reason; do not

share password among employees. Each individual with access to

client accounts should have a unique password. Use a password

manager program to track passwords, but protect it with a strong

password.

Do not overlook a critical step to protecting accounts: Multi-factor

authentication. This simple feature can protect your accounts even if

your username and password are stolen. Tax software products for both

taxpayers and tax professionals now offer multi-factor authentication.

Use the most secure option available, not only for your tax software, but

other products such as email accounts and storage provider accounts.

An example of multi-factor authentication: you must enter your

credentials (username and password) plus a security code sent as a

text to your mobile phone before you can access an account.

If hosting your own website, also consider some other form of

multifactor authentication to further increase your login security.

Secure Wireless Networks

Failing to protect your wireless network makes the network or data

vulnerable to attack or interception by cybercriminals. Thieves could be

stealing your data without your knowledge. If you can, do not use

wireless networks for computers or devices that process, display, or

print client information. If you must use wireless, you can take these

protective steps with setting up your router or review your router’s

manual to make changes. Here are basic steps::

y Change default administrative password of your wireless router; use a

strong, unique password.

SAFEGUARDING TAXPAYER DATA

y Reduce the power (wireless range) so you are not broadcasting

further than you need. Log into your router to WLAN settings,

advanced settings and look for Transmit (TX) power. The lower the

number the lower the power.

y Change the name of your router (Service Set Identifier - SSID) to

something that is not personally identifying (i.e., BobsTaxService),

and disable the SSID broadcast so that it cannot be seen by those

who have no need to use your network.

y Use Wi-Fi Protected Access 3 (WPA-3).

y Do not use Wired-Equivalent Privacy (WEP) to connect your

computers to the router; WEP is not considered secure.

y Do not use a public wi-fi (for example, at a coffee café or airport) to

access business email or sensitive documents

Use of multi-factor authentication (discussed earlier) and a secure

Virtual Private Network (VPN) should be minimum standards for remote

access to the firm’s office network. A VPN provides a secure, encrypted

tunnel to transmit data between a teleworking employee and the

company network. Search for “Best VPNs” to find a legitimate vendor.

Some firms issue laptops to teleworking employees in order to control

the IT environment..

Protect Stored Client Data

Cybercriminals work hard through various tactics to penetrate your

network or trick you into disclosing passwords. They may steal the

data, hold the data for ransom or use your own computers to complete

and file fraudulent tax returns. Here are a few basic steps to protect

client data stored on your systems:

y Backup encrypted copies of client data to external hard drives

(USBs, CDs, DVDs) or use cloud storage; keep external drives in a

secure location; encrypt data before uploading to the cloud. This is

your best protection against ransomware attacks.

y Use drive encryption to lock files and all devices; encrypted files

require a password to open.

y Avoid attaching USB drives and external drives with client data to

public computers.

y Avoid installing unnecessary software or applications to the business

network; avoid offers for “free” software, especially security software,

which is often a ruse by criminals; download software or applications

only from official sites.

y Perform an inventory of devices where client tax data are stored, i.e.,

laptops, smart phones, tablets, external hard drives, etc.; inventory

software used to process or send tax data, i.e., operating

systems,browsers, applications, tax software, web sites, etc.

SAFEGUARDING TAXPAYER DATA

y Limit or disable internet access capabilities for devices that have

stored taxpayer data.

y Delete all information from devices, hard drives, USBs (flash drives),

printers, tablets or phones before disposing of devices; some security

software include a “shredder” that electronically destroys stored files.

y Physically destroy hard drives, tapes, USBs, CDs, tablets or phones

by crushing, shredding or burning; shred or burn all documents

containing taxpayer information before throwing away.

Be on Guard

Spot Data Theft

You or your firm may be a victim and not even know it. Here are some

common clues to data theft:

y Client e-filed tax returns begin to reject because returns with their

Social Security numbers were already filed.

y Clients who haven’t filed tax returns begin to receive authentication

letters (5071C, 4883C, 5747C) from the IRS.

y Clients who haven’t filed tax returns receive refunds.

y Clients receive tax transcripts they did not request.

y Clients who created an IRS online services account receive an IRS

notice that their account was accessed or IRS emails stating their

account has been disabled; or, clients receive an IRS notice that an

IRS online account was created in their names.

y The number of returns filed with tax practitioner’s Electronic Filing

Identification Number (EFIN or Preparer Tax Identification Number

(PTIN)) exceeds number of returns you actually filed.

y Tax professionals or clients responding to emails that practitioner did

not send.

y Network computers running slower than normal or computers turning

themselves on.l.

y Computer cursors moving or changing numbers without touching the

keyboard.

y Network computers locking out tax practitioners.

Monitor EFIN/PTINs

You can obtain a weekly report of the number of tax returns filed with

your Electronic Filing Identification Number or your Preparer Tax

Identification Number. Only those preparers who are attorneys, CPAs,

enrolled agents or Annual Filing Season Program participants and who

file 50 or more returns may obtain PTIN information. Weekly checks will

help flag any abuses. Here’s how:

SAFEGUARDING TAXPAYER DATA

For EFIN totals:

y Access your e-Services account and your EFIN application;

y Select “EFIN Status” from the application;

y Contact the IRS e-help Desk if the return totals exceed the number of

returns you filed.

For PTIN totals:

y Access your online PTIN account;

y Select “View Returns Filed Per PTIN;”

y Complete Form 14157, Complaint: Tax Return Preparer, to report

excessive use or misuse of PTIN.

If you have a Centralized Authorization File (CAF) number, make sure

you keep your authorizations up to date. Remove authorizations for

taxpayers who are no longer your clients. (See “Withdrawal of

Representation” in Publication 947, Practice Before the IRS and Power

of Attorney.)

Recognize Phishing Scams

All employees in your office must be educated on the dangers of

phishing scams. These scams can result in cybercriminals taking over

your computer or accounts to steal client data.

y A common way cybercriminals steal data is by using phishing scams.

An even more successful tactic is called spear phishing, where the

thief specifically targets you or your firm, perhaps seeing your email

address from the office website.

y The thief may pose as your tax software provider, your data storage

provider, the IRS or even a prospective client. The thief may pose as

your bank or as a professional colleague whose email was

compromised. See Don’t Take the Bait.

y Thieves may hijack your email account to send spam emails under

your name, tricking colleagues and clients into disclosing information.

y Generally, phishing or spear phishing emails have an urgent subject

line. Example: Update Your Account Now. The objective is to entice

you to open a link or an attachment.

• Link: The link may take you to a fake web page designed to look

like a familiar website. Example: IRS e-Services. Again, there will

be a call to action, such as “Click here NOW.” You may be asked

to enter your username and password for an account, but you

actually are disclosing your credentials to thieves.

• Attachment: The attachment may contain computer code

calledmalware that can infect your computer and network

systems. A common malware is keystroke tracking, which allows

the criminal to see the words you type on your device, eventually

SAFEGUARDING TAXPAYER DATA

disclosing your username and password to various accounts. In

turn, this gives them access to your tax software provider, bank or

encrypted client files..

y A legitimate business will never email and request personal or

sensitive information be sent to them via email, unless through a

secured mail service.

Guard Against Phishing Emails

Educated employees are the key to avoiding phishing scams, but these

simple steps also can help protect against stolen data:

y Use separate personal and business email accounts; protect email

accounts with strong passwords and two-factor authentication if

available.

y Install an anti-phishing tool bar to help identify known phishing sites.

Anti-phishing tools may be included in security software products.

y Use security software to help protect systems from malware and scan

emails for viruses.

y Never open or download attachments from unknown senders,

including potential clients; make contact first by phone, for example.

y Send only password-protected and encrypted documents if you must

share files with clients via email or use Secure File Transfer Protocol

(SFTP) to transmit files instead of email.

y Do not respond to suspicious or unknown emails; if IRS-related,

forward to [email protected].

Be Safe on the Internet

Data security takes an ongoing awareness about the threats posed

from a variety of sources, including browsing the Internet. Here are

some general steps for staying safe while using the Internet or

protecting your website.

y Keep your web browser software up to date so that it has the latest

security features.

y Scan files using your security software before downloading to your

computer.

y Delete web browser cache, temporary internet files, cookies and

browsing history on a regular schedule.

y Look for the “S” in “HTTPS” connections for Uniform Resource

Locator (URL) web addresses. The “S” stands for secure, e.g.,

https://www.irs.gov.

y Avoid accessing business emails or information from public wi-fi

connections.

y Disable stored password feature offered by some operating systems.

SAFEGUARDING TAXPAYER DATA

y Enable your browser’s pop-up blocker. Do not call any number from

pop-ups claiming your computer has a virus or click on tools claiming

to delete viruses.

y Do not download files, software or applications from unknown

websites.

y Note if your browser homepage changes; it could be a sign of

malware or an intrusion. Review your last downloads and browser

settings, check to see if you have anything new in your toolbar.

Report and Respond

Report Data Loss to IRS/States

Tax practitioners should report data losses or thefts immediately to the

IRS so that appropriate precautions can be made to protect clients from

fraudulent returns being filed in their names. Here’s how to report data

thefts to the IRS:

y Contact the IRS and law enforcement:

• Internal Revenue Service, report client data theft to your local

stakeholder liaison.

• Federal Bureau of Investigation, your local office

(if directed by IRS).

• Local police – To file a police report on the data breach.

y Contact states in which you prepare state returns:

• Visit the Federation of Tax Administrators “Report a Data

Breach” to find state contact information.

y Contact experts:

• Security expert – to determine the cause and scope of the breach,

to stop the breach and to prevent further breaches from

occurring.

• Insurance company – to report the breach and to check if your

insurance policy covers data breach mitigation expenses.

For a complete checklist, see Data Theft Information for Tax

Professionals.

If you are a victim of a ransomware attack, please contact the FBI and

Cybersecurity and Infrastructure Security Agency (CISA) of the

Department of Homeland Security (DHS) in addition to the IRS.

SAFEGUARDING TAXPAYER DATA

Respond and Recover from

a Data Loss

The Federal Trade Commission offers assistance to businesses who

were victimized by data thefts and provides templates for letters that,

for example, notify clients that a data loss has occurred. Here are some

basic suggestions on how to recover from a data theft:

y Update your IRS Stakeholder Liaison with developments; IRS

telephone assistors cannot accept third-party reports of identity theft.

y Review FTC’s Data Breach Response: A Guide for Business for helpful

guidance in notifying clients and tips for responding and recovering.

y Determine how the intrusion or theft occurred and make any required

fixes before resuming tax preparation activities and being issued a

new Electronic Filing Identification Number (EFIN).

y Develop a continuity plan.

y Make full backups of all business data and files. If you weren’t doing.

• A routine backup means you will have a copy of your data. A data

loss or ransomware attack (as well as a hurricane or flood) will not

destroy all your files.

• Encrypt backed up files.

• Consider a monthly backup schedule, or more often during the

filing season.

• Backup files after completing a routine system scan.

• Use an external hard drive or cloud storage; encrypt files prior to

uploading to.

Consult with your professional insurance provider about data theft

protection.

• Insurance firms can help preparers recover from a theft.

• Insurance firms may help provide security experts to analyze

protections or detect intrusions.

SAFEGUARDING TAXPAYER DATA

Comply with the FTC

Safeguards Rule

Understand the FTC Safeguards Rule

Under the Safeguards Rule, financial institutions must protect the

consumer information they collect. The Gramm-Leach-Bliley (GLB) Act

requires companies defined under the law as “financial institutions” to

ensure the security and confidentiality of this type of information. The

“financial institutions” definition includes professional tax preparers.

As part of its implementation of the GLB Act, the Federal Trade

Commission issued the Safeguards Rule, which requires financial

institutions under FTC jurisdiction to have measures in place to keep

customer information secure. The

Safeguards Rule requires companies

to develop a written information security plan that describes their

program to protect customer information. See Publication 5708 for

information on creating a written information security plan.

Comply with the FTC Safeguards Rule

According to the FTC, the required information security plan must be

appropriate to the company’s size and complexity, the nature and scope

of its activities and the sensitivity of the customer information it handles.

As part of its plan, each company must:

y Designate a qualified individual responsible for overseeing and

implementing your information security program and enforcing your

information security program;

y implement Multi-factor Authentication. Implement for anyone

accessing customer information on your system. The FTC Safeguards

Rule requires at least two of these following authentication factors: a

knowledge factor (for example a password), a possession factor (for

example, a token), and an inherence factor (for example biometric

information). This is required for all companies regardless of size.

y identify and assess the risks to customer information in each relevant

area of the company’s operation, and evaluate the effectiveness of the

current safeguards for controlling these risks;

y design and implement a safeguards program, and regularly monitor

and test it;

y select service providers that can maintain appropriate safeguards,

make sure your contract requires them to maintain safeguards, and

oversee their handling of customer information; and

y evaluate and adjust the program in light of relevant circumstances,

including changes in the firm’s business or operations, or the results

of security testing and monitoring.

y provide security awareness training and schedule regular refreshers.

The requirements are designed to be flexible. Companies should

implement safeguards appropriate to their own circumstances.

SAFEGUARDING TAXPAYER DATA

ONGOING DONE N/A

 n n n n n n

Checklist for Creating Plan

TThe Safeguards Rule requires companies to assess and address the

risks to customer information in all areas of their operation, including

three areas that are particularly important to information security:

Employee Management and Training; Information Systems; and

Detecting and Managing System Failures.

Not each of these recommendations will apply to circumstances found

in tax preparer offices, but they still provide the building blocks for the

creation of a security plan and reinforce IRS recommendations that tax

professionals establish strong security protocols. Depending on the

nature of their business operations, firms should consider implementing

the following practices:

Employee Management

and Training

The success of your information security plan depends largely on the employees

who implement it. Consider these steps:

Check references or doing background checks before hiring employees who will

have access to customer information.

Ask every new employee to sign an agreement to follow your company’s

confidentiality and security standards for handling customer information.

Limit access to customer information to employees who have a business reason to

see it. For example, give employees who respond to customer inquiries access to

customer files, but only to the extent they need it to do their jobs.

Control access to sensitive information by requiring employees to use “strong”

passwords that must be changed on a regular basis. (Tough-to-crack passwords

require the use of at least six characters, upper- and lower-case letters, and a

combination of letters, numbers, and symbols.) (IRS suggestion: passwords should

be a minimum of eight characters, the NIST standard. Prevent password sharing;

ensure each employee with access to taxpayer accounts uses a unique password.)

Require multi-factor authentication for anyone accessing customer information on

your system.

Use password-activated screen savers to lock employee computers after a period

of inactivity.

Develop policies for appropriate use and protection of laptops, PDAs, cell phones,

or other mobile devices. For example, make sure employees store these devices

in a secure place when not in use. Also, consider that customer information in

encrypted files will be better protected in case of theft of such a device.

Train employees to take basic steps to maintain the security, confidentiality, and

integrity of customer information, including:

• Locking rooms and file cabinets where records are kept;

• Not sharing or openly posting employee passwords in work areas;

 n n n n n n

SAFEGUARDING TAXPAYER DATA

ONGOING DONE N/A

• Encrypting sensitive customer information when it is transmitted electronically via

public networks;

• Referring calls or other requests for customer information to designated individuals

who have been trained in how your company safeguards personal data; and

• Reporting suspicious attempts to obtain customer information to designated

personnel.

Regularly remind all employees of your company’s policy — and the legal

requirement — to keep customer information secure and confidential. For example,

consider posting reminders about their responsibility for security in areas where

customer information is stored, like file rooms.

Develop policies for employees who telecommute. For example, consider

whether or how employees should be allowed to keep or access customer data

at home. Also, require employees who use personal computers to store or access

customer data to use protections against viruses, spyware, and other unauthorized

intrusions.

Impose disciplinary measures for security policy violations.

Prevent terminated employees from accessing customer information by

immediately deactivating their passwords and user names and taking other

appropriate measures.

(IRS Suggestion: Add labels to documents to signify importance, such as

“Sensitive” or “For Official Business” to further secure paper documents.)

Information Systems

Information systems include network and software design, and information

processing, storage, transmission, retrieval, and disposal. Here are some FTC

suggestions on maintaining security throughout the life cycle of customer

information, from data entry to data disposal:

Know where sensitive customer information is stored and store it securely. Make

sure only authorized employees have access. For example:

• Ensure that storage areas are protected against destruction or damage from

physical hazards, like fire or floods.

• Store records in a room or cabinet that is locked when unattended.

• When customer information is stored on a server or other computer, ensure

that the computer is accessible only with a “strong” password and is kept in a

physically secure area. (IRS Suggestion: If using a cloud storage service, use

a strong password, multi-factor authentication options and beware of thieves

posing as providers.)

• Where possible, avoid storing sensitive customer data on a computer with an

Internet connection.

• Maintain secure backup records and keep archived data secure by storing it off

line and in a physically-secure area.

 n n n n n n

SAFEGUARDING TAXPAYER DATA

ONGOING DONE N/A

• Maintain a careful inventory of your company’s computers and any other

equipment on which customer information may be stored.

Take steps to ensure the secure transmission of customer information. For

example:

• When you transmit credit card information or other sensitive financial data, use a

Secure Sockets Layer (SSL) or other secure connection, so that the information

is protected in transit. (IRS Suggestion: Transport Layer Security 1.1 or 1.2 is

newer and more secure.)

• If you collect information online directly from customers, make secure transmission

automatic. Caution customers against transmitting sensitive data, like account

numbers, via email or in response to an unsolicited email or pop-up message.

• If you must transmit sensitive data by email over the Internet, be sure to encrypt

the data. (IRS Suggestion: Rather than using email, transmit files via Secure File

Transfer Protocol (SFTP), successor to File Transfer Protocol (FTP)).

Dispose of customer information in a secure way and, where applicable, consistent

with the FTC’s Disposal Rule. For example:

• Consider designating or hiring a records retention manager to supervise the

disposal of records containing customer information. If you hire an outside

disposal company, conduct due diligence beforehand by checking references or

requiring that the company be certified by a recognized industry group.

• Burn, pulverize, or shred papers containing customer information so that the

information cannot be read or reconstructed.

• Destroy or erase data when disposing of computers, disks, CDs, magnetic

tapes, hard drives, laptops, PDAs, cell phones, or any other electronic media or

hardware containing customer information.

Detecting and Managing

System Failures

Effective security management requires your company to deter, detect, and defend

against security breaches. That means taking reasonable steps to prevent attacks,

quickly diagnosing a security incident, and having a plan in place for responding

effectively. Consider implementing the following procedures:

Monitor the websites of your software vendors and read relevant industry

publications for news about emerging threats and available defenses.

Maintain up-to-date and appropriate programs and controls to prevent

unauthorized access to customer information. Be sure to:

• check with software vendors regularly to get and install patches that resolve

software vulnerabilities;

• use anti-virus and anti-spyware software that updates automatically;

 n n n n n n

SAFEGUARDING TAXPAYER DATA

ONGOING DONE N/A

• maintain up-to-date firewalls, particularly if you use a broadband Internet

connection or allow employees to connect to your network from home or other

off-site locations;

• regularly ensure that ports not used for your business are closed; and

• promptly pass along information and instructions to employees regarding any

new security risks or possible breaches.

Use appropriate oversight or audit procedures to detect the improper disclosure or

theft of customer information. It’s wise to:

• keep logs of activity on your network and monitor them for signs of unauthorized

access to customer information;

• use an up-to-date intrusion detection system to alert you of attacks;

• monitor both in- and out-bound transfers of information for indications of a

compromise, such as unexpectedly large amounts of data being transmitted from

your system to an unknown user; and

• insert a dummy account into each of your customer lists and monitor the account

to detect any unauthorized contacts or charges.

Take steps to preserve the security, confidentiality, and integrity of customer

information in the event of a breach. If a breach occurs:

• take immediate action to secure any information that has or may have been

compromised. For example, if a computer connected to the Internet is

compromised, disconnect the computer from the Internet;

• preserve and review files or programs that may reveal how the breach occurred;

and

• if feasible and appropriate, bring in security professionals to help assess the

breach as soon as possible.

Consider notifying consumers, law enforcement, and/or businesses in the event of

a security breach. For example:

• notify consumers if their personal information is subject to a breach that poses a

significant risk of identity theft or related harm;

• notify law enforcement if the breach may involve criminal activity or there is

evidence that the breach has resulted in identity theft or related harm;

• notify the credit bureaus and other businesses that may be affected by the

breach. See Information Compromise and the Risk of Identity Theft: Guidance for

Your Business; and

• check to see if breach notification is required under applicable state law.

• (IRS suggestions: Practitioners who experience a data loss should contact the

IRS and the states. Also, consider having a technical support contract in place,

so that hardware events can be fixed within a reasonable time and with minimal

disruption to business availability.)

 n n n n n n

SAFEGUARDING TAXPAYER DATA

Glossary

Adware

Computer advertising software that may or may not monitor computer use to

target ads.

Confidentiality

Restrictions placed on information access and disclosure, including means for

protecting personal privacy and proprietary information.

Denial of Service

An attack that prevents or impairs the authorized use of networks, systems or

applications by exhausting resources.

Encrypt

To convert plain text to unintelligible text using a cryptographic algorithm.

Information Security

The process that ensures the protection of information and information systems

from unauthorized access, use, disclosure, disruption, modification or destruction.

Intrusion Detection

The act of detecting actions that attempt to compromise the confidentiality,

integrity or availability of a resource.

Keylogging

The action of recording (logging) the keys struck on a keyboard, typically

covertly, so that the person using the keyboard is unaware that their actions are

being monitored. Often secretly downloaded by malware, keylogging enables the

theft of usernames and passwords among other things.

Malware

Refers to malicious software (malware) programs designed to damage or

perform other unwanted actions on a computer system. Examples of malware

are viruses, worms, Trojan horses, and spyware.

Management Safeguards

The security safeguards or countermeasures for an information system that

focus on the management of risk and the management of information system

security.

Multi-factor Authentication

A security system that requires returning users to enter more than just creden-

tials (username and password) to access an account or device, such as

two-factor or three-factor authentication. Example: e-Services is protected by

IRS Secure Access, a two-factor authentication process that requires returning

users to enter their credentials and a security code sent as text to a mobile

phone. Tax professionals should always use the highest multifactor authentica-

tion available.

Operational Safeguards

Security for an information system that is primarily implemented and executed

by people rather than by a system.

Phishing

An attempt by an individual or group to solicit personal information from

unsuspecting users by employing social engineering techniques. Phishing emails

are crafted to appear as if they have been sent from a legitimate organization or

known individual. These emails often attempt to entice users to click on a link

that will take the user to a fraudulent website that appears legitimate.

SAFEGUARDING TAXPAYER DATA

Ransomware

A type of malicious software, or malware, designed to block access to a

computer system until a ransom is paid. Ransomware is typically spread through

phishing emails or by unknowingly visiting an infected website.

Risk

The likelihood that the unwanted impact of an incident will be realized.

Risk Assessment

The process of identifying risks and determining the probability of occurrence,

the resulting impact and additional security controls that would mitigate this

impact.

Risk Management

The process of managing risks through risk assessment; cost-benefit analysis;

the selection, implementation, and assessment of security controls; and the

formal authorization to operate the system. The process includes consideration

of effectiveness, efficiency and constraints due to laws, directives, policies, or

regulations.

Safeguard

Protective measures prescribed to meet the security requirements specified for

an information system. Safeguards may include security features, management

constraints, personnel security and security of physical structures, areas, and

devices.

Security Controls

Safeguards designed to protect the confidentiality, integrity and availability of a

system and its information.

Security Plan

Formal document that provides an overview of the security requirements for the

information system and describes the security controls in place or planned for

meeting those requirements.

Spear Phishing

Phishing attempts directed at specific individuals or companies; attackers may

gather personal information about their target to increase their probability of

success. This technique is by far the most successful on the Internet today,

accounting for 91% of attacks

Spyware

Software installed into an information system to gather information on individuals

or organizations without their knowledge.

Social Engineering

The manipulation of people into performing actions such as deviating from

standard security practices or divulging confidential information that give

attackers access to systems or confidential information.

Technical Safeguards

Controls for a system that are primarily implemented and executed by the

information system through mechanisms contained in the hardware, software or

firmware components of the system.

Threat

Any circumstance or event with the potential to adversely impact operations,

assets or individuals through an information system via unauthorized access,

destruction, disclosure, modification of information and/or denial of service.

SAFEGUARDING TAXPAYER DATA

Trojan Horse

A computer program used to attack a computer system by secretly allowing,

among other things, unauthorized access or alteration of data or software.

Virus

A computer program used to compromise a computer system by performing

functions that may be destructive. A virus may alter other programs to include a

copy of itself and execute when the host program or other executable compo-

nent is executed.

Vulnerability

Weakness in a system through procedures, internal controls or implementation

that could be exploited or triggered by a threat source.

Worm

A computer program used to compromise a computer system by impacting

performance. A worm can travel from computer to computer across network

connections replicating itself.

SAFEGUARDING TAXPAYER DATA

NOTE: The Internal Revenue Service prepared this guide as an

outreach educational effort for all tax preparers, transmitters, and

software developers. If you have any comments or suggestions for

future updates, please send an e-mail to:

[email protected]

Publication 4557 (Rev. 6-2024) Catalog Number 48905Y Department of the Treasury Internal Revenue Service www.irs.gov