The Complete Guide for IRS Publication 4557 – Safeguarding Taxpayer Data

Background to the IRS Publication 4557

Data Thefts Are on the Rise in the Tax Industry.

Identity thieves have placed tax practitioners on their radar, and data security is now a necessity for every tax professional, whether a partner in a large firm or a sole practitioner. Education about security threats and data safeguards is imperative for client safety and data protection. 


What is Taxpayer Identity Theft?

According to the IRS document, “Taxpayer Guide to Identity Theft,” an identity theft tax refund scam “occurs when someone uses your personal [identifying] information [PII] such as your name, Social Security number [SSN], or other identifying information, without your permission, to commit fraud or other crimes.” The scam usually occurs when “an identity thief uses a legitimate taxpayer’s identity to file a fraudulent tax return and claim a refund. Generally, the identity thief will use a stolen SSN to file a forged tax return and attempt to get a fraudulent refund early in the filing season.” 

“It’s one of the most lucrative ways that thieves can monetize our identity credentials,” said Eva Velasquez, president of the California-based Identity Theft Resource Center.

“This method of fraud is so attractive because it’s so easy to perpetrate,” Velasquez said in an interview with CNBC.

“These thieves don’t really have to have a high skill set in hacking or know how to code or even really understand how all of those mechanisms work.”

Purpose of IRS Publication 4557: Safeguarding Taxpayer Data

IRS Publication 4557 was released to raise awareness of cyber threats to accounting firms and to serve as a guide for tax return preparers who want targeted direction on how to start becoming compliant with the FTC Safeguards Rule.

The majority of the publication centers on basic cyber best practices, including elementary instructions such as using security software, enforcing strong password rules, securing wireless networks, and staying on guard for phishing emails. The fact that the IRS feels the need to dedicate such a significant portion of the publication to explaining basic safety measures may shed light on its level of confidence in the average CPA firm’s ability to protect client data.

The publication also explains the FTC Safeguards Rule and provides a checklist to assess your state of compliance with this federal mandate. Under the Safeguards Rule, tax return preparers must create and enact a written information security plan to protect client data. Noncompliance may result in an FTC investigation.

IRS Publication 4557 seeks to help tax professionals:

  • Understand basic security concepts that apply to the tax industry and how to act on them
  • Be on guard for signs of data theft and how to respond and report data theft
  • Have a written strategy to respond and recover from a data breach
  • Gain a thorough understanding of the need for the FTC Safeguards Rule

IRS Publication 4557 addresses general cyber hygiene practices for accounting firms and also serves as a detailed compliance guide to the FTC Safeguards Rule. We will guide you through both of these sections.

Part 1 of IRS Publication 4557: Take Basic Security Steps

Here are some basic security steps that tax professionals can take today to make their clients’ data and their businesses safer:

  • Learn to recognize phishing emails, especially those pretending to be from the IRS, e-Services, a tax software provider, a new or existing client, or a cloud storage provider. Never open an embedded link or any attachment from a suspicious email.
  • Create a written information security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security – The Fundamentals (NISTIR 7621r1), by the National Institute of Standards and Technology.
  • Review internal controls:
      ◦ Install anti-malware/anti-virus security software on all devices and keep the software set to update automatically.
      ◦ Use strong passwords of eight or more characters, use different passwords for each account, use special and alphanumeric characters, use phrases, password-protect wireless devices, and use a password manager program.
      ◦ Encrypt all sensitive files/emails, especially those containing a taxpayer’s personally identifiable information, and use strong password protections.
      ◦ Back up sensitive data to a safe and secure external source that is not connected full-time to a network.
      ◦ Make a final review of return information – especially direct deposit information – before e-filing.
      ◦ Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
      ◦ Limit access to taxpayer data to individuals who need to know.
      ◦ Check e-File Applications and PTIN accounts weekly for total returns filed using EFINs and PTINs; deactivate unused EFINs.
      ◦ Withdraw from any outstanding authorizations (power of attorney/tax information) for taxpayers who are no longer clients.
      ◦ Report any suspected data theft or data loss immediately to the appropriate IRS Stakeholder Liaison.
  • Stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts, and social media.
  • Educate clients about the availability of the Identity Protection PIN for taxpayers.
  • Review the FTC’s security tips in Cybersecurity for Small Business and Protecting Personal Information: A Guide for Business.

Start Getting Value With
Centraleyes for Free

See for yourself how the Centraleyes platform exceeds anything an old GRC
system does and eliminates the need for manual processes and spreadsheets
to give you immediate value and run a full risk assessment in less than 30 days

Learn more about how to be compliant with IRS Publication 4557

Part 2 of IRS Publication 4557: Understand the FTC Safeguards Rule

Background to the FTC Safeguards Rule

Protecting taxpayer data is mandated by law. Federal law designates the Federal Trade Commission as the authority to set data safeguard regulations for various entities, including professional tax return preparers.

The purpose of the FTC Safeguards Rule is to strengthen the data security safeguards that covered companies must put in place: each must develop, implement, and maintain a comprehensive security program to keep its customers’ information safe. The rule is based on the Gramm-Leach-Bliley Act. Its main directive is that companies develop a written information security plan.

Last month, the FTC announced that it is extending the deadline for companies to comply with some of the changes the agency implemented to strengthen the data security safeguards financial institutions must put in place to protect their customers’ personal information. The deadline for complying with some of the updated requirements of the Safeguards Rule is now June 9, 2023.

What are the Requirements of the FTC Safeguards Rule?

Under the Safeguards Rule, financial institutions must protect the consumer information they collect. 

The Gramm-Leach-Bliley (GLB) Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this consumer information. The definition of “financial institution” includes professional tax preparers.

As part of its implementation of the GLB Act, the Federal Trade Commission issued the Safeguards Rule, which requires financial institutions under FTC jurisdiction to have measures in place to keep customer information secure.

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information.

Compliance with the FTC Safeguards Rule

According to the FTC and IRS Publication 4557, the information security plan must be commensurate with the company’s size and complexity and the sensitivity level of the customer information it handles.

As part of its plan, each company must:

  • designate one or more employees to coordinate its information security program;
  • identify and assess the risks to customer information in each relevant area of the company’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks;
  • design and implement a safeguards program, and regularly monitor and test it;
  • select service providers that can maintain appropriate safeguards, make sure its contracts require them to maintain those safeguards, and oversee their handling of customer information; and
  • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations or the results of security testing and monitoring.

Checklist Included

IRS Publication 4557 includes a detailed checklist for tracking compliance with the FTC Safeguards Rule. Not every control and recommendation will apply to every tax preparer, but the list provides a foundation for the written security plan the FTC requires.

Ace the IRS Publication 4557 Requirements with Centraleyes

The Centraleyes platform now supports the IRS Publication 4557 framework for easy implementation of, and compliance with, the FTC Safeguards Rule.

Try it out!


Does your company need to be compliant with IRS Publication 4557?