Safeguarding confidential client information: AICPA and IRS guidance

Recently it has become fairly common to see news headlines related to data leakages or cyberattacks. Additionally, over the past several years there have been numerous reports of data breaches at a variety of businesses, including retailers, health care providers, and even tax return preparers. It seems as if data leakages are occurring at an alarmingly increasing rate, targeting all types of businesses and industries, including some taxing authorities. These incidents raise many concerns for tax professionals.

Clients entrust their tax return preparers with significant amounts of confidential information, including sensitive data such as names, addresses, birthdates, and Social Security numbers, that are necessary to prepare tax returns. Tax return preparers may also obtain confidential information about business clients, such as merger and acquisition data. In any case, the information that has been entrusted to tax professionals and return preparers can be used by others for nefarious reasons, such as identity theft. This naturally raises the question of what tax preparers should be doing to adequately safeguard the confidential information that is obtained when serving their clients.

Professional standards impose obligations on members in public practice to protect confidential client data. For example, the AICPA Code of Professional Conduct (AICPA Code) Rule 1.700.001, Confidential Client Information Rule (the Rule), states that a member in public practice shall not disclose any confidential client information without the client’s specific consent. In the case of an unauthorized data breach, in determining whether there has been a violation of the Rule, consideration might be given to whether the member had processes and procedures in place to ensure that client data were secure and that these processes were kept current, communicated to the firm’s professionals, and enforced.

In addition, certain statutory provisions impose criminal penalties if a tax return preparer discloses information to third parties without the taxpayer’s consent. Sec. 7216 provides the following:

(A) General rule: Any person who is engaged in the business of preparing, or providing services in connection with the preparation of, returns of the tax imposed by chapter 1, or any person who for compensation prepares any such return for any other person, and who knowingly or recklessly— (1) discloses any information furnished to him for, or in connection with, the preparation of any such return, or (2) uses any such information for any purpose other than to prepare, or assist in preparing, any such return,

shall be guilty of a misdemeanor, and, upon conviction thereof, shall be fined not more than $1,000, or imprisoned not more than 1 year, or both together with the costs of prosecution.

According to the statute, disclosure without consent does not need to be intentional; the penalties can apply if the disclosure occurs recklessly. This further supports the importance of having adequate safeguards in place to mitigate the risk of leakage.

Safeguard considerations

The guidance in the AICPA Code and in the Internal Revenue Code is largely silent on what safeguards should be deployed by tax professionals to adequately protect confidential client information; however, both the IRS and the AICPA have issued commentary on the subject. The AICPA formerly provided a Privacy Checklist for CPA Firms, and the IRS has issued Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business. Both documents set forth steps and actions the tax professional (or his or her firm) might consider taking to protect client data and mitigate significant threats.

Here are some practical items for tax professionals to consider as privacy best practices (based on the former AICPA Privacy Checklist for CPA Firms):

1. Notice: Provide notice about your privacy policies and procedures and identify the purposes for which personal information is collected, used, retained, and disclosed.
2. Security for privacy: Protect personal information against unauthorized access (both physical and logical).
3. Management: Define, document, communicate, and assign accountability for your privacy policies and procedures.
4. Disclosure to third parties: Disclose personal information to third parties only for the purposes identified in the notice and with the individual taxpayer’s implicit or explicit consent.
5. Use and retention: Limit the use of personal information to the purposes identified in the notice and to which the individual taxpayer has provided implicit or explicit consent. Retain personal information only for as long as is necessary to fulfill the stated purposes.

Security for privacy (item 2 on the list) should encompass many considerations, including employee information, client tax information, transmitting client data, computer security, servers, computers connected to the internet, wireless transmissions, remote access, credit card information, and computer backups. Some of the best practices include securing and restricting access to clients’ (and employees’) information to employees who have a business reason to access it, including password-protecting electronic files with this type of information. Some other best practices included in the AICPA checklist include securing any hard copy documents in a location where visitors do not have access, encrypting and password-protecting attachments with client information when transmitting them via email, or when mailing client-related documents, sending them either by certified mail or by a carrier that requires the recipient’s signature.

The AICPA checklist recommends as a best practice that all computers be password-protected with a strong password of at least eight characters, including numbers, letters, and special characters. With today’s mobile workforce, another best practice is to develop policies for employees who work remotely to govern whether or how they are allowed to keep or access client data outside the office.

An additional best practice for protecting client data is the development of a firm record retention and destruction policy. This provides for the proper destruction at the end of the information’s useful life (i.e., the retention period) and mitigates any further risk of leakage. According to the AICPA checklist, hard copy paper documents should be shredded, and electronic information should be deleted and written over so that it is unrecoverable.

One final best practice enumerated in the AICPA checklist is training employees on the importance of keeping client information secure in and out of the office. Once the policies and procedures are developed, all employees need to be educated on them so they can comply properly.

Similar to the AICPA checklist, Publication 4557, which was issued last year, contains considerations for protecting client data. This publication was intended as a guide to help individuals and businesses “that handle taxpayer data to understand and meet their responsibility to safeguard this information.” Many of the suggestions within this publication are the same as those in the AICPA Privacy Checklist. The publication defines “taxpayer data” as any information obtained or used in the preparation of a tax return—and it is not limited to personally identifiable information. According to the publication, a tax return preparer should determine the appropriate security controls for his or her practice based on the nature and scope of the activities, as well as the practice’s size and complexity.

Publication 4557 list three categories of safeguards that a tax return preparer may use to protect a clients’ information: management, operational, and technical.

• Management safeguards: These include security safeguards or countermeasures for an information system that focus on the management of risk and the management of information system security.
• Operational safeguards: These include security controls for an information system that is primarily implemented and executed by people rather than a system.
• Technical safeguards: These include controls that are primarily implemented and executed through mechanisms contained in the hardware, software, or firmware components of the information system. These types of safeguards include encrypting data if they must be transferred via email or even across networks, or using a barrier device, such as a firewall, router, or gateway, to protect taxpayer information when systems are connected with the internet.

Publication 4557 also lists several items to consider to safeguard taxpayer data, including the following examples:

• Locking doors to restrict access to paper or electronic files;
• Requiring passwords to restrict access to computer files;
• Encrypting electronically stored taxpayer data;
• Keeping a backup of electronic data for recovery purposes;
• Shredding paper containing taxpayer information before discarding it;
• Not emailing unencrypted sensitive personal information.

Build safeguards

In today’s environment, it is critical as a tax professional to take proactive steps to protect clients’ data and mitigate substantial threats. Clients entrust their tax return preparers with significant amounts of data and expect them to be kept secure. A leakage of client data not only can impact client relationships, but also could result in professional standard or statutory sanctions for a tax return preparer. There is no one-size-fits all solution, so tax professionals and accounting firms alike should consider safeguards appropriate for their circumstances.