WASHINGTON – The Internal Revenue Service and its Security Summit partners today urged all tax professionals to use strong passwords to protect accounts from cyberthieves and to consider encryption for all sensitive data.
Strong password and encryption protocols should be standard features of the data security plan that every professional tax return preparer must create. The Electronic Tax Administration Advisory Committee (ETAAC) noted in its recent annual report to Congress that many tax pros do not have the data security plans required by the Federal Trade Commission.
This is the third in a series called “Protect Your Clients; Protect Yourself: Tax Security 101.” The Security Summit awareness campaign is intended to provide tax professionals with the basic information they need to better protect taxpayer data and to help prevent the filing of fraudulent tax returns.
Although the Security Summit is making progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices are on the rise. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.
In recent months, cybersecurity experts’ recommendations on what constitutes a strong password have changed. They now suggest that people use word phrases that are easy to remember rather than random letters, characters and numbers that cannot be easily recalled.
For example, experts used to suggest something like “PXro#)30” but now suggest a phrase like “SomethingYouCanRemember@30”. By using a phrase, you don’t have to write down your password and expose it to more risk. Also, people may be more willing to use strong, longer passwords if they are phrases rather than random characters.
It is critical that all tax practitioners establish strong, unique passwords for all accounts, whether it’s to access a device, tax software products, cloud storage, wireless networks or encryption technology. Here’s how to get started:
Whenever it is an option for a password-protected account, users also should opt for a multi-factor authentication process. Many email providers now offer customers two-factor authentication protections to access email accounts. Tax professionals should always use this option to prevent their accounts from being taken over by cybercriminals and putting their clients and colleagues at risk.
Two-factor authentication helps by adding an extra layer of protection. Often two-factor authentication means the returning user must enter credentials (username and password) plus another step such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal your username and password, but it’s highly unlikely they also would have your mobile phone to receive a security code and complete the process.
Some providers of tax software products for tax professionals offer two-factor or even three-factor authentication. Tax practitioners should use the most secure option available, not only for tax software, but other products such as email accounts and storage provider accounts. Those hosting their own website should also consider some other form of multi-factor authentication to further increase login security.
Password-protected data encryption is also critical to protecting client information. Cybercriminals work hard through various tactics to penetrate networks or trick users into disclosing passwords. They may steal the data, hold the data for ransom or use tax professionals’ computers to complete and file fraudulent tax returns.
Basic steps for encrypting client data
Here are a few basic steps about encryption and protecting client data stored on computer systems:
In addition to these steps, the Security Summit reminds all professional tax preparers to have a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Tax professionals can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals, QuickAlerts and Social Media.