Many accounting firms in the Treasure Valley area and beyond have taken advantage of online tax preparation tools. Online tax prep allows them to reach more clients and deliver tax help more efficiently, especially for those unable to visit an office.
But the online world means dealing with constant cybersecurity threats, and those in the financial industry are particularly big targets.
While the average cost of a data breach in the US for all industries is $8.2 million, the cost for the financial sector is $13 million. This is due to the sensitive financial data that’s handled by those in the industry.
The large risk to accounting offices when it comes to cybersecurity is the reason why many of them use managed security services to automate IT safeguards and keep their network continually monitored.
Due to the potential risks involved with the type of information contained in digital tax forms, the IRS has put together rules that online providers of individual tax returns have to comply with.
What are the Data Security Obligations Under IRS Publication 1345?
Any accounting firm that provides online tax preparation services for individuals is subject to the rules contained in IRS Publication 1345, Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns.
This handbook includes six key standards designed to protect against breaches of taxpayer information and against abuse such as bulk filing of fraudulent income tax returns.
The requirements include a mix of website and procedural safeguards to protect the online tax filing process.
1. Extended Validation SSL Certificate
An SSL certificate is a signed data file installed on a website that identifies the site and enables encrypted connections. Sites with a certificate installed show a padlock icon next to the address, and the URL begins with “https://”.
Online providers of individual tax returns need to have on their site:
- A valid Extended Validation (EV) SSL certificate, using SSL 3.0 / TLS 1.0 or later
- Minimum of 1024-bit RSA / 128-bit AES
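As an added check (not code from the page or from Connect2Geek), the following Python script connects to a site and evaluates the thresholds listed above: protocol version, cipher strength, RSA key size and EV status. It uses only the standard library; the EV test is a byte scan for the CA/Browser Forum EV policy OID (2.23.140.1.1) in the DER certificate rather than a full X.509 parse, the RSA size is read from the SubjectPublicKeyInfo with a minimal DER walk, and the function names and the probe host are this example's own.

```python
import socket
import ssl

EV_POLICY_OID_DER = b"\x06\x05\x67\x81\x0c\x01\x01"  # CA/B Forum EV policy OID 2.23.140.1.1, DER-encoded
RSA_SPKI_PREFIX = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01\x05\x00"  # rsaEncryption OID + NULL params
# Names as reported by ssl.SSLSocket.version(); SSL 3.0 is the floor the page states.
ACCEPTED_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}

def der_length(buf: bytes, i: int):
    # Decode the DER length at buf[i]; return (length, index of first content byte).
    if buf[i] < 0x80:                       # short form: one length byte
        return buf[i], i + 1
    n = buf[i] & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def expect(buf: bytes, i: int, tag: int):
    # Require DER tag `tag` at buf[i] and return the index of its length byte.
    if buf[i] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {i}")
    return i + 1

def rsa_key_bits(der_cert: bytes):
    """RSA modulus size in bits, or None when the certificate key is not RSA."""
    start = der_cert.find(RSA_SPKI_PREFIX)
    if start < 0:
        return None
    i = start + len(RSA_SPKI_PREFIX)
    _, i = der_length(der_cert, expect(der_cert, i, 0x03))  # BIT STRING wrapper
    i += 1                                                 # skip unused-bits octet
    _, i = der_length(der_cert, expect(der_cert, i, 0x30))  # RSAPublicKey SEQUENCE
    n, i = der_length(der_cert, expect(der_cert, i, 0x02))  # INTEGER modulus
    modulus = der_cert[i:i + n].lstrip(b"\x00")            # drop sign-padding byte
    return len(modulus) * 8                                # top bit set, so exact

def evaluate(version, cipher_bits, key_bits, is_ev) -> dict:
    """Apply the four thresholds; True means that requirement is met."""
    return {
        "tls_version": version in ACCEPTED_VERSIONS,
        "cipher_bits": cipher_bits is not None and cipher_bits >= 128,
        "rsa_bits": key_bits is not None and key_bits >= 1024,
        "extended_validation": bool(is_ev),
    }

def probe(host: str, port: int = 443) -> dict:
    # Handshake with the site (placeholder host chosen by the caller) and evaluate what it negotiated.
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return evaluate(tls.version(), tls.cipher()[2],
                            rsa_key_bits(der), EV_POLICY_OID_DER in der)
```

The page's figures are floors, not targets: SSL 3.0, TLS 1.0 and TLS 1.1 have since been formally deprecated (RFC 7568, RFC 8996) and `ssl.create_default_context()` will not negotiate them, so a live probe effectively confirms TLS 1.2 or later.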
2. External Vulnerability Scan
Vulnerability scans test a system for weaknesses that could allow a breach. The IRS requirement is to ensure that the payment system of a site complies with the Payment Card Industry Data Security Standard (PCI DSS).
The vulnerability scan must:
- Be conducted by an independent certified third-party vendor
- Be performed weekly
- If systems are hosted elsewhere, ensure the hosting provider complies with PCI DSS requirements
3. Information Privacy and Safeguard Policies
Providers that are Authorized IRS e-file Providers, or that own or operate a website through which taxpayer information is collected, transmitted, processed or stored, need to ensure the privacy of that information.
Privacy safeguards that these types of accounting firms and tax preparers need to have in place include:
- A written information privacy and safeguard policy
- The policy must include this statement: “we maintain physical, electronic and procedural safeguards that comply with applicable law and federal standards.”
- Compliance with the written policy must be certified by a privacy seal vendor
4. Protection Against Bulk Filing of Fraudulent Income Tax Returns
Attackers can use automated scripts to file fake income tax returns in bulk. This rule puts the burden of safeguarding against that on the firm that makes online filing available.
The rule doesn’t give specific actions to take, stating only that providers shall implement effective technologies to protect their website.
One safeguard that could be used to prevent automated bulk filing is a CAPTCHA on the filing form.
5. Public Domain Name Registration
The registration of the domain name you use for the website must meet certain requirements.
- The website domain registrar must be located in the United States
- The domain registrar must be accredited by ICANN
- The domain name must be locked
- Private registration is not allowed; the domain registration must be public
6. Reporting of Security Incidents
If a website of yours that collects, transmits, or stores taxpayer information suffers a security breach or hack, the IRS wants to know about it and has reporting requirements that tax preparers must adhere to.
These reporting requirements include:
- Security incidents have to be reported to the IRS no later than one business day after confirmation of the incident.
- Reportable incidents are those that can result in unauthorized disclosure, misuse, modification, or destruction of taxpayer information.
- If the online provider’s website is the proximate cause of the incident, they must cease collecting taxpayer information on the site immediately until the issue is resolved.
Is Your Website Properly Prepared to Secure Taxpayer Data?
Today’s websites have multiple moving parts and are an important part of an accounting firm’s overall cybersecurity plan. Ensure yours is properly protected by working with the security experts at Connect2Geek.
Schedule a free security consultation today! Call 208-468-4323 or reach out online.