- ADVERTISING SUPPLEMENT
Protecting taxpayer data (and where to even begin)

Q I’m not a cybersecurity expert. Is there a place I can go to learn more about my responsibilities to protect taxpayer data as a tax practitioner?
A IRS Publications 4557, 1345, and 5709 are foundational for safeguarding taxpayer data and great resources for you to start with — plus, they are all available on IRS.gov. The Federal Trade Commission (FTC) Data Breach Response Guide provides resources in case a breach occurs in your practice.
Q What are some of the areas I should look at to protect my office?
A Three areas are important to assess:
1. Administrative: Am I training my staff about protecting taxpayer data and the need for good cyber hygiene if they are connected to my network?
2. Technical: Am I protecting my email, which is the biggest front door cybercriminals use to get into any business?
3. Physical: Do I have access controls in place for electronic and paper data?
Q Are there any changes in the FTC Safeguards Rule that I need to pay attention to?
A Two new requirements have been added to the FTC Safeguards Rule over the past year that tax professionals should be aware of. As of June 9, 2023, the FTC requires multifactor authentication for any individual accessing any information system that has access to taxpayer data; and, starting on May 13, 2024, the Safeguards Rule requires covered financial institutions to report to the FTC security events affecting 500 or more people. Your report may be made public. If law enforcement has requested a delay in making this report public, you can make that request known through your electronic submission.
Q Are there any good examples of a written information security plan (WISP) that I can use as a free resource?
A The IRS Security Summit created Publication 5708 to assist you in creating your WISP, which is a plan that helps you identify actions to take in the event of a security incident, data loss, or theft. The publication includes an outline of required elements, a sample template, and sample policy attachments. Publication 5708 allows you to draw from its templates so that you don’t have to start from scratch. Remember that creating a WISP is more than checking a box to satisfy a legal requirement — your documented plan must be in place, practiced by all in your office, and updated routinely.
Q What are a few areas to consider when creating a WISP?
A The following considerations should be addressed: define objectives, purpose, and scope; identify responsible parties for overseeing security programs; assess risks; inventory the hardware and software used; document safety measures in place; and draft an implementation clause.
Sponsored by:

Drake Software, founded in 1977, provides software solutions to over 77,000 tax and accounting firms. Drake Software is consistently recognized for excellence in quality, customer support, reliability, and product innovation.