All firms and individuals in the United States who prepare tax returns fall under the provisions of the Gramm-Leach-Bliley Act and are required to ensure the privacy of client data. The FTC Safeguards Rule and IRS Publication 4557 guidelines detail additional laws and guidelines that must be met.
Failure to have, and implement, a Written Information Security Plan (WISP) that details your process for meeting these requirements can result in fines starting at $10,000.
Do you prepare any Tax Returns?
All tax preparers are required by the FTC Safeguards Rule, IRS IRM Part 10, Chapter 5, the Gramm-Leach-Bliley Act, and IRS Publication 4557 guidelines to have in place a Written Data Security Plan that outlines the protocols and processes that protect customer information and guard against data breaches.
The fines start at $10,000 if you are not in compliance.
100% Free Consultation: Connect with us and get a free Data Security consultation!
Suitable for potential super-startups and brand revamps for companies.
Suitable for Individuals / Work from Home.
Suitable for minor issues or follow-up training/troubleshooting.
Suitable for major issues, follow-up training/troubleshooting, or hardware failure.
The rapid evolution of technology has necessitated the establishment of advanced regulations for safeguarding customer data. In 2021, the Federal Trade Commission (FTC) updated the Standards for Safeguarding Customer Information, known as the Safeguards Rule (16 C.F.R. Part 314), under the Gramm-Leach-Bliley Act, P.L. 106-102. Although the final rule issued on Dec. 9, 2022 (86 Fed. Reg. 70272) retroactively took effect on Jan. 10, 2022, certain provisions' requirements (outlined below) were deferred and are set to be enforced from June 9, 2023.
Applicable to businesses heavily involved in providing financial services, including professional tax preparers and CPA firms, the revised rules offer more explicit guidance while adapting to current technology and emerging threats. Covered financial services institutions, encompassing even sole proprietors and small firms, are obligated to formulate, implement, and maintain a written information security plan. This plan must delineate how the business intends to safeguard and protect clients' nonpublic personal information, addressing administrative, technical, and physical safeguards across various mediums.
Tailored to each firm's size, complexity, and nature of activities, the information security plan aims to ensure the security and confidentiality of customer information, guard against anticipated threats, and prevent unauthorized access. Despite differences in scale, the plan's objectives remain consistent.
Outlined in Section 314.4 of the Safeguards Rule, the information security plan must include nine key elements:
For firms with information on at least 5,000 customers, a written risk assessment is mandatory, covering criteria for evaluating security risks, assessing information systems' confidentiality, integrity, and availability, and outlining risk mitigation strategies.
In this modern digital era, information security has taken a front seat in all business organizations. No profession is more sensitive to information breaches than Certified Public Accountants (CPA) who handle a vast range of financial data every day. Complying with the Safeguards Rule for information security is a non-negotiable mandate for CPA firms today.
ADDITIONAL DATA SECURITY RESPONSIBILITIES
In addition to the GLBA Safeguards Rule, tax practitioners should keep in mind other client data security responsibilities.
Sec. 7216 is a criminal provision that prohibits preparers from knowingly or recklessly disclosing or using tax return information. See the AICPA Tax Section's Sec. 7216 guidance and templates at aicpa.org to aid with compliance.
Treasury Circular No. 230, Regulations Governing Practice Before the IRS (31 C.F.R. Part 10), requires practitioners to exercise due diligence in preparing returns or other documents related to a federal tax matter. A violation could subject a practitioner to censure, suspension, or disbarment from practice before the IRS.
The AICPA Code of Professional Conduct addresses member responsibilities to keep client information confidential and secure.
In accordance with best business practices, including practices contained in the Privacy Management Framework (available at aicpa.org/IMTA), a firm should publish its privacy statement on its website.
Depending on a practitioner's focus areas, he or she may need to adhere to other privacy requirements such as those for health-related information.
As the IRS has noted, combating today's cybercriminals requires everyone to work together. Practitioners play a significant role in data security and should continue to assess, improve, and document their processes to keep client data safe.
For a simplified path to achieving FTC Safeguards Rule compliance, GilaPro offers a solution. By providing comprehensive visibility into your security posture and aligning it with the rule's requirements, GilaPro simplifies the integration of your current program with the FTC Safeguards framework. This highlights areas of compliance and identifies gaps that require remediation. Begin your journey toward full compliance today:
Email Us!