Act fast after discovering a data breach

Anyone can be a target of cybercriminals and scammers. Unfortunately, tax professionals can seem like the big fish in a sea of potential targets because of how much financial data they use to conduct their business. Even a careful, prepared tax pro may fall victim to a crime. If that happens, there are several key things you should do to protect your clients and their businesses.

Client data

It is vitally important that tax professionals inform all their clients of a breach and encourage them to apply to the IRS for an Identity Protection Personal Identification Number (IP PIN). The Electronic Tax Administration Advisory Committee called the IP PIN “the number one security tool currently available to taxpayers from the IRS.”

Preparers should work with law enforcement to determine when it’s best to send an individual letter to all potential victims to inform them of a breach.

How to report a data breach

If you know your firm’s data has been compromised, here is what you should do:

• Contact the IRS. Report client data theft to your local IRS Stakeholder Liaison. The liaison will notify IRS Criminal Investigation and others within the agency on your behalf. If reported quickly, the IRS can take steps to block fraudulent returns in clients’ names.
• Call local police. You should contact police to file a report on the data breach.
• File a complaint with the FBI’s Internet Crime Complaint Center.
• File a report with the nearest office of the Secret Service.
• To help you find where to report data security incidents at the state level, the Federation of Tax Administrators has created a special page with state-by-state listings.
• Contact your attorneys general for each state in which you prepare returns.

Help from other experts

• Security expert. You should consult an expert who can help determine the cause and scope of the breach to stop the breach and prevent further breaches from occurring.
• Insurance company. You should report the breach to your insurance company, and check if the insurance policy covers data breach mitigation expenses; in fact, you should know this regardless of a data breach.
• Federal Trade Commission. You can go to the FTC for guidance. For more individualized guidance, email the FTC.
• Credit and identity theft protection agency. Consider your options for the future. In addition, certain states require that preparers offer credit monitoring and identity theft protection to victims of identity theft.
• Credit bureaus. Notify the bureaus if there is a compromise.

Review security measures used to protect client data

Data protection is key in helping avoid data breaches. To help protect you and your firm, the IRS, state tax agencies, and the tax industry partners who make up the Security Summit created a Taxes-Security-Together Checklist. Whether a sole proprietor or a partner in a large firm, everyone can take several relatively simple steps to protect their clients and business data.