IRS tax filing data protection guidelines
As individuals and corporations work to meet the federal and state tax filing deadline of April 15, Utimaco urged consumers and businesses to exercise caution when sharing and filing sensitive data.
According to the Better Business Bureau, more than half of America’s 120 million taxpayers use an outside tax preparer. However, only two states (California and Oregon) regulate individual preparers. Additionally, before turning over sensitive information, most consumers and small to medium businesses do not ask what security precautions the tax preparer takes to keep their data safe.
Prior to submitting data to any third-party tax preparer, Utimaco recommends taking the following precautions:
- Ask the tax preparer if their organization allows employees to store information on laptops, mobile devices or removable media. If so, ask if they also use encryption technology to protect the data stored on such devices in case the devices are lost or stolen.
- Ask if databases are protected. Tax preparation companies will maintain databases of customers past and present, including Social Security Numbers, in order to track possible errors their preparers might have made. This stored data must be protected for as long as it is stored.
- Ask what happens to your information once you provide it. There has been some controversy over whether the IRS provides explicit provisions restricting what third-party providers participating in electronic filing can do with taxpayer information once they possess it, including sharing it with other parties.
- Ask if your tax preparation will be outsourced. Companies are required to proactively inform customers if their services are outsourced. Failure to proactively inform consumers not only violates ethical guidelines, but could put your data at risk.
- If your tax preparer does plan to outsource services, ask what steps have been taken to safeguard the privacy of their clients. Has the other company agreed to set data protection practices, such as limiting the ability to print or save information to removable media?
- Ask if the company met the requirements of the Gramm-Leach-Bliley Act of 1999. In addition to requiring firms to design, implement, and maintain safeguards to protect customer information, this law states that companies must give their customers a privacy notice that explains the firms’ information-collection and -sharing practices and supplies customers with an opt-out right to limit the sharing of their information.