IRS Discusses Data Security Issues Facing Tax Professionals
IRS representatives discussed methods being used to perpetrate tax refund fraud through preparers’ systems at the New England IRS Representation Conference in North Haven, Connecticut, per a report published in Tax Notes Today Federal.[1]
One method, described by Margaret Romaniello, area manager, IRS stakeholder liaison division, is for intruders on the network to modify bank account information on returns that are awaiting transmission to the IRS for electronic filing. The refund would end up being deposited somewhere other than where the taxpayer intended, such as, in Romaniello’s words, a Green Dot prepaid debit card.
When the client signs the authorization to send the returns, the now modified return would be the one actually forwarded by the preparer to the taxing agency. The fraud would likely go unnoticed until and unless the client begins to ask why their refund has not appeared in their bank account.[2]
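A pre-transmission check for the tampering described above, as an added example that is not from the article or the IRS: the refund deposit fields are sealed with an HMAC when the client signs and verified again before e-filing. The field names, record layout and key handling are assumptions, and the sample returns are constructed.

```python
import hashlib
import hmac
import json

# Fields that decide where the refund goes (hypothetical names, not an IRS schema).
DEPOSIT_FIELDS = ("taxpayer_id", "routing_number", "account_number", "account_type")


def deposit_seal(ret: dict, key: bytes) -> str:
    """HMAC-SHA256 over the deposit fields in a canonical JSON encoding."""
    canonical = json.dumps({f: str(ret[f]).strip() for f in DEPOSIT_FIELDS},
                           sort_keys=True, separators=(",", ":"))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def verify_queue(queue: list, seals: dict, key: bytes) -> list:
    """Return (return_id, reason) for every queued return that must be held."""
    held = []
    for ret in queue:
        rid = ret["return_id"]
        expected = seals.get(rid)
        if expected is None:
            held.append((rid, "no seal recorded at signing"))
        elif not hmac.compare_digest(expected, deposit_seal(ret, key)):
            held.append((rid, "deposit fields changed after signing"))
    return held


def demo() -> list:
    # Assumption: the real key is stored off the preparer workstation.
    key = b"constructed-demo-key"
    signed = [  # constructed sample returns, as approved by the clients
        {"return_id": "R-001", "taxpayer_id": "T1", "routing_number": "000000001",
         "account_number": "1111", "account_type": "checking"},
        {"return_id": "R-002", "taxpayer_id": "T2", "routing_number": "000000002",
         "account_number": "2222", "account_type": "savings"},
    ]
    seals = {r["return_id"]: deposit_seal(r, key) for r in signed}
    queue = [dict(r) for r in signed]
    # Simulate the modification: the refund is redirected to another account.
    queue[1].update(routing_number="000000009", account_number="9999")
    # A return that entered the queue without going through signing.
    queue.append({"return_id": "R-003", "taxpayer_id": "T3",
                  "routing_number": "000000003", "account_number": "3333",
                  "account_type": "checking"})
    return verify_queue(queue, seals, key)


if __name__ == "__main__":
    for rid, reason in demo():
        print(f"HOLD {rid}: {reason}")
```

The seals and the key only help if they are stored where an intruder on the preparer’s network cannot rewrite them along with the return.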
The article also described information provided by David Lyons, a tax professional who suffered a data breach in 2013. He noted that he had to deal with multiple state-level rules regarding what a firm must do in the case of a data breach. He noted that each state will have unique rules on credit monitoring services that may be required to be provided to affected individuals. David, like many professionals, had clients scattered across the United States—in his case in 40 different states.[3]
He also noted that the requirement to provide monitoring services is not limited to direct clients of the firm—information in his files that held personally identifiable information about non-clients also required him to provide monitoring for those individuals.[4] Why would a firm have such information? There are numerous reasons such as:
Information on employees of clients where the firm is involved with payroll processing;
Information obtained by the firm about employees, vendors and customers of the client when the firm also performs auditing and other attest services;
Information on partners, shareholders and beneficiaries when the firm prepares a tax return for a partnership, S corporation, trust or estate for which K-1s are prepared; and
Many other cases where information related to non-clients is obtained from the client to perform professional services.
Quite often it is not possible to say for sure that such data was not accessed by the outside party—so the firm must operate under the assumption that such data was obtained by the unauthorized parties.
Surprisingly, David did not suffer a large loss of clients, stating that fewer than 10 clients left his firm due to the breach. But that didn’t mean there was no cost to David—he notes that his firm had to spend about $500,000 over six years to deal with the effects of the breach.[5]
Tax preparers should have noticed that when they went to renew their PTIN for the upcoming tax season they were required to answer a new question. Question 11 on Form W-12 and the electronic equivalent on the IRS website asks the applicant to check a box agreeing with the following statement:
As a paid tax return preparer, I am aware of my legal obligation to have a data security plan and to provide data and system security protections for all taxpayer information. Check the box to confirm you are aware of this responsibility.[6]
The article contained the following warning issued by Ms. Romaniello:
“If you become a victim because the security systems aren’t what they should be and it’s determined that you are liable, one of the things that the IRS will say to you is ‘Look at your PTIN application,’” Romaniello said.[7]
Those expected precautions can be found on the IRS website in the “Security Six” list.[8] The six items listed are:
Anti-virus software;
Firewalls;
Two-factor authentication;
Backup software or services;
Drive encryption; and
Virtual private network.[9]
[1] Nathan J. Richman, “Tax Hackers Coming Up With New Traps for the Unwary,” Tax Notes Today, November 22, 2019, 2019 TNTF 227-5, https://www.taxnotes.com/tax-notes-today-federal/tax-system-administration/tax-hackers-coming-new-traps-unwary/2019/11/22/2b52x (subscription required)
[2] Nathan J. Richman, “Tax Hackers Coming Up With New Traps for the Unwary,” Tax Notes Today, November 22, 2019
[3] Nathan J. Richman, “Tax Hackers Coming Up With New Traps for the Unwary,” Tax Notes Today, November 22, 2019
[4] Nathan J. Richman, “Tax Hackers Coming Up With New Traps for the Unwary,” Tax Notes Today, November 22, 2019
[5] Nathan J. Richman, “Tax Hackers Coming Up With New Traps for the Unwary,” Tax Notes Today, November 22, 2019
[6] Form W-12, 2019, Question 11, page 2, https://www.irs.gov/pub/irs-pdf/fw12.pdf (retrieved November 22, 2019)
[7] Nathan J. Richman, “Tax Hackers Coming Up With New Traps for the Unwary,” Tax Notes Today, November 22, 2019
[8] “Tax pros: Follow the “Security Six” steps to help protect taxpayer data,” IRS Website, August 27, 2019, https://www.irs.gov/newsroom/tax-pros-follow-the-security-six-steps-to-help-protect-taxpayer-data (retrieved November 22, 2019)
[9] “Tax pros: Follow the “Security Six” steps to help protect taxpayer data,” IRS Website, August 27, 2019