In News Release IR-2018-175 warned tax professionals that a failure to prepare a written data security represents a violation of the FTC’s Safeguards Rules and the that the IRS may treat a violation of the FTC Safeguards Rule as a violation of the standards for authorized IRS e-file providers under Revenue Procedure 2007-40.

The IRS Electronic Tax Administration Advisory Committee (ETAAC) members noted in June that they believe fewer than half of all tax professionals are aware of the FTC rule and have written plans in compliance with the rule.

The news release describes the FTC rule as follows:

The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. According to the FTC, each company, as part of its plan, must:

·       designate one or more employees to coordinate its information security program;

·       identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;

·       design and implement a safeguards program and regularly monitor and test it;

·       select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and

·       evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

The FTC says the requirements are designed to be flexible so that companies can implement safeguards appropriate to their own circumstances. The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operations.

The new release also reminds professionals of the following IRC and IRS rules related to protecting taxpayer data:

IRS Publication 3112 - IRS e-File Application and Participation, states: Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers. Providers must be diligent in recognizing fraud and abuse, reporting it to the IRS, and preventing it when possible. Providers must also cooperate with the IRS’ investigations by making available to the IRS upon request information and documents related to returns with potential fraud or abuse.

IRC, Section 7216 - This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures or uses information furnished to them in connection with the preparation of an income tax return.

IRC, Section 6713 - This provision imposes monetary penalties on the unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.

Rev. Proc. 2007-40 - This procedure requires authorized IRS e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to penalties or sanctions specified in the Revenue Procedure.

The news release also provides a link to a page maintained by the Federation of Tax Administrators that provides information on the state agencies to contact to report data security incidents.