The Internal Revenue Service has
All professional tax preparers are required by law to create and implement a data security plan, but the agency said that some continue to struggle with developing one. The document is meant to address the problems these professionals face, particularly smaller practitioners, in protecting client data and information. The sample plan is seen by the IRS as a starting point to address risk considerations and take action in the event of a security incident, not the final word.
"Tax professionals play a critical role in our nation's tax system," said Carol Campbell, director of the IRS Return Preparer Office and co-lead of the Security Summit tax professional group, in a statement. "But for many tax professionals, it is difficult to know where to start when developing a security plan. The summit members worked together on this guide to walk tax pros through the many considerations needed to create a written information security plan to protect their businesses and their clients, as well as comply with federal law."
The IRS urged preparers to be mindful that a security plan should be appropriate to a company's size, scope of activities, complexity and the sensitivity of the customer data it handles, and warned against thinking there is a one-size-fits-all written information security plan. For example, a sole practitioner can use a more abbreviated and simplified plan than a 10-partner accounting firm, which is reflected in the new sample plan from the Security Summit group.
Once completed, tax professionals should keep their written information security plan in a format that others can easily read, such as PDF or Word. Making the plan available to employees for training purposes is encouraged. Storing a copy offsite or in the cloud is a recommended best practice in the event of a natural disaster.