August 30, 2019
Here’s what tax professionals should know about creating a data security plan 

Tax pros must create a written security plan to protect their clients’ data. In fact, the law requires them to make this plan. 

Creating a data security plan is one part of the new Taxes-Security-Together Checklist. The IRS and its Security Summit partners created this checklist. It helps tax professionals protect sensitive data in their offices and on their computers.

Many tax preparers may not realize they are required under federal law to have a data security plan. Each plan should be tailored for each specific office. When creating it, the tax professional should take several factors into consideration. This includes things like the company’s size, the nature of its activities, and the sensitivity of its customer information.

Creating a plan
Tax professionals should make sure to do these things when writing and following their data security plans:

• Include the name of all information security program managers.
• Identify all risks to customer information.
• Evaluate risks and current safety measures.
• Design a program to protect data.
• Put the data protection program in place.
• Regularly monitor and test the program.

Selecting a service provider
Companies should have a written contract with their service provider. The provider must:

• Maintain appropriate safety measures. 
• Oversee the handling of customer information review. 
• Revise the security program as needed.

More information:

• Publication 4557, Safeguarding Taxpayer Data
• Small Business Information Security: The Fundamentals by the National Institute of Standards and Technology
• Publication 5293, Data Security Resource Guide for Tax Professionals

---

August 22, 2019
Security Summit warns of new IRS impersonation email scam; reminds taxpayers the IRS does not send unsolicited emails

IR-2019-145

WASHINGTON — The Internal Revenue Service and its Security Summit partners today warned taxpayers and tax professionals about a new IRS impersonation scam campaign spreading nationally on email. Remember: the IRS does not send unsolicited emails and never emails taxpayers about the status of refunds.

The IRS this week detected this new scam as taxpayers began notifying [email protected] about unsolicited emails from IRS imposters. The email subject line may vary, but recent examples use the phrase “Automatic Income Tax Reminder” or “Electronic Tax Return Reminder.”

The emails have links that show an IRS.gov-like website with details pretending to be  about the taxpayer’s refund, electronic return or tax account. The emails contain a "temporary password" or "one-time password" to "access" the files to submit the refund. But when taxpayers try to access these, it  turns out to be a malicious file. 

“The IRS does not send emails about your tax refund or sensitive financial information,” said IRS Commissioner Chuck Rettig. “This latest scheme is yet another reminder that tax scams are a year-round business for thieves. We urge you to be on-guard at all times.”

This new scam uses dozens of compromised websites and web addresses that pose as IRS.gov, making it a challenge to shut down. By infecting computers with malware, these imposters may gain control of the taxpayer’s computer or secretly download software that tracks every keystroke, eventually giving them passwords to sensitive accounts, such as financial accounts.

The IRS, state tax agencies and the tax industry, which work together in the Security Summit effort, have made progress in their efforts to fight stolen identity refund fraud. But people remain vulnerable to scams by IRS imposters sending fake emails or harrassing phone calls.

The IRS doesn't initiate contact with taxpayers by email, text messages or social media channels to request personal or financial information. This includes requests for PIN numbers, passwords or similar access information for credit cards, banks or other financial accounts.

The IRS also doesn’t call to demand immediate payment using a specific payment method such as a prepaid debit card, gift card or wire transfer. Generally, the IRS will first mail a bill to any taxpayer who owes taxes. See Report Phishing and Online Scams for more details.

---

August 14, 2019
IRS Automatically Waives Estimated Tax Penalty for Eligible 2018 Tax Filers 

IR-2019-144

WASHINGTON — The Internal Revenue Service is automatically waiving the estimated tax penalty for the more than 400,000 eligible taxpayers who already filed their 2018 federal income tax returns but did not claim the waiver.

The IRS will apply this waiver to tax accounts of all eligible taxpayers, so there is no need to contact the IRS to apply for or request the waiver. 

Earlier this year, the IRS lowered the usual 90% penalty threshold to 80% to help taxpayers whose withholding and estimated tax payments fell short of their total 2018 tax liability. The agency also removed the requirement that estimated tax payments be made in four equal installments, as long as they were all made by Jan. 15, 2019. The 90% threshold was initially lowered to 85% on Jan 16 and further lowered to 80% on March 22.

The automatic waiver applies to any individual taxpayer who paid at least 80% of their total tax liability through federal income tax withholding or quarterly estimated tax payments but did not claim the special waiver available to them when they filed their 2018 return earlier this year.

“The IRS is taking this step to help affected taxpayers,” said IRS Commissioner Chuck Rettig. “This waiver is designed to provide relief to any person who filed too early to take advantage of the waiver or was unaware of it when they filed.”

Refunds planned for eligible taxpayers who paid penalty

Over the next few months, the IRS will mail copies of notices CP 21 granting this relief to affected taxpayers. Any eligible taxpayer who already paid the penalty will also receive a refund check about three weeks after their CP21 notice regardless if they requested penalty relief. The agency emphasized that eligible taxpayers who have already filed a 2018 return do not need to request penalty relief, contact the IRS or take any other action to receive this relief.

For those yet to file, the IRS urges every eligible taxpayer to claim the waiver on their return. This includes those with tax-filing extensions due to run out on Oct. 15, 2019. The quickest and easiest way is to file electronically and take advantage of the waiver computation built into their tax software package. Those who choose to file on paper can fill out Form 2210 and attach it to their 2018 return. See the instructions to Form 2210 for details.

Because the U.S. tax system is pay-as-you-go, taxpayers are required by law to pay most of their tax obligation during the year, rather than at the end of the year. This can be done by having tax withheld from paychecks, pension payments or Social Security benefits, making estimated tax payments or a combination of these methods.

Like last year, the IRS urges everyone to do a “Paycheck Checkup” and review their withholding for 2019. This is especially important for anyone who faced an unexpected tax bill or a penalty when they filed this year. It’s also an important step for those who made withholding adjustments in 2018 or had a major life change. Those most at risk of having too little tax withheld include those who itemized in the past but now take the increased standard deduction, as well as two wage earner households, employees with nonwage sources of income and those with complex tax situations.

To get started, check out the new Tax Withholding Estimator, available on IRS.gov. More information about tax withholding and estimated tax can be found on the agency’s Pay As You Go web page, as well as in Publication 505.

---

August 13, 2019
IRS Tax Transcript Availability Update

The IRS has updated some IRS.gov content to clarify issues regarding changes to the tax transcript distribution methods. As you may recall, in lieu of faxing tax transcripts, we will send certain transcripts into practitioners’ e-Services secure mailbox. However, there is a time limit for those transcripts to be available in your mailbox. To avoid having to repeat your request, print or download the transcript immediately from your mailbox. Our new language on the About the New Tax Transcript page is highlighted below in yellow:

Employer Information for Tax Return Preparation and Electronic Filing

If you are a taxpayer seeking to file a current or prior year tax return or a tax professional preparing a current or prior year return for a client, please remember that all financial entries on all transcript types are fully visible. If you are seeking a missing Form W-2 or Form 1099 information, there is a process for obtaining those current-year documents.

If an unmasked Wage & Income transcript is necessary for tax return preparation and electronic filing, a tax professional may contact the Practitioner Priority Service line. An unmasked Wage and Income Transcript will fully display employers’ names, addresses and Employer Identification Numbers (EINs) needed for tax software preparation and for electronic filing. If the tax professional has proper taxpayer authorization, but it's not on file, they  can  fax the authorization to the IRS assistor and an unmasked Wage and Income transcript will be sent to the practitioner’s Secure Object Repository (SOR), available through e-Services. Tax professionals must have an e-Services account and pass Secure Access authentication to use the SOR option.

PLEASE NOTE: The requested transcript will remain in the SOR for a limited time. The transcript automatically will  be removed from the SOR after three days once you view it or after 30 days if it is not viewed.  Print or save the transcript if you want to keep a copy.

The unmasked Wage and Income Transcript also is available to those tax professionals with e-Services accounts, approved authorization and access to the Transcript Delivery Service. Reminder: Circular 230 practitioners, i.e. attorneys, Certified Public Accountants and Enrolled Agents, can create an e-Services account and obtain TDS access. Unenrolled practitioners must either be responsible parties or delegates users on the E-File application.

Alternatively, taxpayers or other third parties who require an unmasked transcript for tax return preparation or filing may contact the IRS, present proper authentication to prove their identities and an unmasked transcript will be mailed to the taxpayer’s address of record.

---

August 6, 2019
IRS launches new Tax Withholding Estimator; Redesigned online tool makes it easier to do a paycheck checkup

IR-2019-139

WASHINGTON — The Internal Revenue Service today launched the new Tax Withholding Estimator, an expanded, mobile-friendly online tool designed to make it easier for everyone to have the right amount of tax withheld during the year.

The Tax Withholding Estimator replaces the Withholding Calculator, which offered workers a convenient online method for checking their withholding. The new Tax Withholding Estimator offers workers, as well as retirees, self-employed individuals and other taxpayers, a more user-friendly step-by-step tool for effectively tailoring the amount of income tax they have withheld from wages and pension payments.

“The new estimator takes a new approach and makes it easier for taxpayers to review their withholding,” said IRS Commissioner Chuck Rettig. “This is part of an ongoing effort by the IRS to improve quality services as we continue to pursue modernization and enhancements of our taxpayer relationships.”

The IRS took the feedback and concerns of taxpayers and tax professionals to develop the Tax Withholding Estimator, which offers a variety of new user-friendly features including:

• Plain language throughout the tool to improve comprehension.
• The ability to more effectively target at the time of filing either a tax due amount close to zero or a refund amount.
• A new progress tracker to help users see how much more information they need to input.
• The ability to move back and forth through the steps, correct previous entries and skip questions that don’t apply.
• Enhanced tips and links to help the user quickly determine if they qualify for various tax credits and deductions.
• Self-employment tax for a user who has self-employment income in addition to wages or pensions.
• Automatic calculation of the taxable portion of any Social Security benefits.
• A mobile-friendly design.

In addition, the new Tax Withholding Estimator makes it easier to enter wages and withholding for each job held by the taxpayer and their spouse, as well as separately entering pensions and other sources of income. At the end of the process, the tool makes specific withholding recommendations for each job and each spouse and clearly explains what the taxpayer should do next.

The new Tax Withholding Estimator will help anyone doing tax planning for the last few months of 2019. Like last year, the IRS urges everyone to do a Paycheck Checkup and review their withholding for 2019. This is especially important for anyone who faced an unexpected tax bill or a penalty when they filed this year. It’s also an important step for those who made withholding adjustments in 2018 or had a major life change.

Those most at risk of having too little tax withheld include those who itemized in the past but now take the increased standard deduction, as well as two-wage-earner households, employees with nonwage sources of income and those with complex tax situations.

To get started, check out the Tax Withholding Estimator on IRS.gov.

---

August 1, 2019
Tax Security 2.0 – A ‘Taxes-Security-Together’ Checklist 

IRS, Security Summit partners urge tax professionals to review their practices, enhance safeguards to protect taxpayer data 

IRS YouTube Videos:

• Tax Security 2.0: Taxes-Security-Together Checklist: English

IR-2019-122

WASHINGTON — Leaders from the IRS, state tax agencies and the tax industry today called on tax professionals nationwide to take time this summer to review their current security practices, enhance safeguards where necessary and take steps to protect their businesses from global cybercriminal syndicates prowling the Internet.

Despite major progress by the IRS and the Security Summit partners against identity theft, evolving tactics continue to threaten the tax community and the sensitive data of taxpayers. 

To help combat this, the Security Summit partners created a new “Taxes-Security-Together” Checklist to serve as a starting point for tax professionals. Beginning next week, the IRS and Summit partners will issue a series of five Tax Security 2.0 news releases highlighting “Taxes-Security-Together” Checklist action items.   

“The IRS, the states and the private sector tax industry have taken major steps to protect taxpayers and their data,” said IRS Commissioner Chuck Rettig. “But a major risk remains, regardless of whether you are the sole tax practitioner in your office or part of a multi-partner accounting firm. To help with this, we assembled a security checklist to assist the tax community. We hope tax professionals will use our checklist as a starting point to do everything necessary to protect their client’s data.” 

The Security Summit — a partnership between the IRS, states and the private-sector tax community — started in 2015 to combat identity theft and protect taxpayers. Key IRS data show the Summit continues making major progress against tax-related identity theft. Between 2015 and 2018, key indicators showed:

• The number of taxpayers who reported to the IRS that they were victims of identity theft fell 71 percent. In 2018, the IRS received 199,000 identity theft affidavits from taxpayers compared to 677,000 in 2015. This was the third consecutive year this number declined.

• The number of confirmed identity theft returns stopped by the IRS declined by 54 percent, falling from 1.4 million in 2015 to 649,000 in 2018.

As the Summit has increased the tax community’s defenses against identity theft and refund fraud, cybercriminals continue to evolve. Increasingly, they look to data thefts at tax professionals’ offices to obtain large amounts of sensitive taxpayer data. Thieves then use stolen data from tax professionals to create fraudulent returns that are harder to detect.

The ‘Taxes-Security-Together’ Checklist

The Summit partners urge the tax community to review these basic security steps this summer. Some tax pros may routinely overlook these checklist items and others need to regularly revisit them. The steps are not only important for tax practitioners, but for taxpayers as well. Everyone has a responsibility to protect sensitive data.

The Taxes-Security-Together checklist highlights key security features 

   *Deploy the “Security Six” measures:

• Activate anti-virus software.
• Use a firewall.
• Opt for two-factor authentication when it’s offered.
• Use backup software/services.
• Use Drive encryption.
• Create and secure Virtual Private Networks.

   *Create a data security plan:

• Federal law requires all “professional tax preparers” to create and maintain an information security plan for client data. 
• The security plan requirement is flexible enough to fit any size of tax preparation firm, from small to large. 
• Tax professionals are asked to focus on key risk areas such as employee management and training; information systems; and detecting and managing system failures.

   *Educate yourself and be alert to key email scams, a frequent risk area involving:

• Learn about spear phishing emails.
• Beware ransomware.

   *Recognize the signs of client data theft:

• Clients receive IRS letters about suspicious tax returns in their name.
• More tax returns filed with a practitioner’s Electronic Filing Identification Number than submitted. 
• Clients receive tax transcripts they did not request.

   *Create a data theft recovery plan including:

• Contact the local IRS Stakeholder Liaison immediately.
• Assist the IRS in protecting clients’ accounts.
• Contract with a cybersecurity expert to help prevent and stop thefts. 

Security Summit partners/tax professionals urge review

“The states and our partners have made progress in the fight against tax-related identity theft, but criminals continue to evolve. We cannot let our guard down in this fight because our common enemy is well-funded, technologically skilled and savvy about state and federal tax processes,” said Sharonne Bonardi, president of the Board of Trustees of the Federation of Tax Administrators and Deputy Comptroller in Maryland. “To make this work, we need help from individual tax professionals across the nation.”

Checklist marks third year of Summit campaigns aimed at tax professional community

This year’s Tax Security 2.0 effort involving the Security Checklist is the third summer campaign in a row involving the Summit partners. The effort follows feedback and recommendations from the Electronic Tax Administration Advisory Committee (ETAAC) that encouraged the Summit partners to expand and intensify outreach efforts to the tax professional community on identity theft and security issues. 

This year’s campaign also coincides with this summer’s IRS Nationwide Tax Forums, which will again feature a major focus on security protection for tax professionals. The sessions will provide continuing education credits for sessions led by experts from inside and outside the IRS. The American Coalition for Taxpayer Rights also will again sponsor special sessions with experts from the Pell Center for International Relations and Public Policy at Salve Regina University in Rhode Island. 

Last year, Summit education effort focused on Protect Your Clients, Protect Yourself: Tax Security 101. In 2017, the campaign highlighted email schemes in Don’t Take the Bait.

Separate Summit initiatives focus on identity theft awareness for individual taxpayers and consumer alerts for developing tax scams and schemes. 

Resources available for tax professionals

Tax professionals also can get help with security recommendations by reviewing IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology. 

Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.

Tax Security 2.0 – A ‘Taxes-Security-Together’ Checklist – Step 1

IRS, states and industry outline ‘Security Six’ protections to help tax professionals and taxpayers be safer online

IRS YouTube Videos:
Tax Security 2.0, The Taxes-Security-Together Checklist – English

IR-2019-127

WASHINGTON — Using a new “Taxes-Security-Together” Checklist, the Internal Revenue Service and the Security Summit partners urged tax professionals to review critical security steps to ensure they are fully protecting their computers and email as well as safeguarding sensitive taxpayer data.

The Security Summit partners – the IRS, states and tax industry – urge tax professionals to take time this summer to give their data safeguards a thorough review. To help the tax community, the Summit created a “Taxes-Security-Together” Checklist as a starting point for analyzing office data security.

In the first of a five-part weekly series, the initial step on the checklist involves the “Security Six” protections. These steps fall into several major security categories. 

“These six steps are simple actions that anyone can take,” said IRS Commissioner Chuck Rettig. “The important thing to remember is that every tax professional, whether a sole practitioner or a partner in a large firm, is a potential target for cybercriminals. No tax business should assume they are too small or too smart to avoid identity thieves.”

Although the Security Summit – a partnership between the IRS, states and the private-sector tax community – is making major progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices continue. Thieves use stolen data from tax practitioners to create fraudulent returns that are harder to detect.

The Security Summit partnership urges tax professionals across the nation to remember these basic steps to help in the battle against identity theft.

Deploy the ‘Security Six’ steps for basic protections

The following are the basic protections that everyone, especially tax professionals handling sensitive data, should deploy:

1. Anti-virus software

Although details may vary between commercial products, anti-virus software scans computer files or memory for certain patterns that may indicate the presence of malicious software (also called malware). Anti-virus software (sometimes more broadly referred to as anti-malware software) looks for patterns based on the signatures or definitions of known malware from cyber criminals. Anti-virus vendors find new issues and update malware daily, so it is important that people have the latest updates installed on their computer, according to the U.S. Computer Emergency Readiness Team (US-CERT), a division of the Department of Homeland Security.

Once users have installed an anti-virus package, they should scan their entire computer periodically by doing:

• Automatic scans – Most anti-virus software can be configured to automatically scan specific files or directories in real time and prompt users at set intervals to perform complete scans.
• Manual scans – If the anti-virus software does not automatically scan new files, users should manually scan files and media received from an outside source before opening them. This manual process includes:

o Saving and scanning email attachments or web downloads rather than opening them directly from the source.

o Scanning portable media, including CDs and DVDs, for malware before opening files.

Sometimes the software will produce a dialog box with an alert that it has found malware and asks whether users want it to “clean” the file (to remove the malware). In other cases, the software may attempt to remove the malware without asking first. 

When selecting an anti-virus package, users should learn about its features, so they know what to expect. Keep security software set to automatically receive the latest updates so that it is always current.

A reminder about spyware, a category of malware intended to steal sensitive data and passwords without the user’s knowledge: Strong security software should protect against spyware. But remember, never click links within pop-up windows, never download “free” software from a pop-up, never follow email links that offer anti-spyware software. The links and pop-ups may be installing the spyware they claim to be eliminating.

A reminder about phishing emails: A strong security package also should contain anti-phishing capabilities. Never open an email from a suspicious source, click on a link in a suspicious email or open an attachment – or else you could be a victim of a phishing attack and you and your clients’ data could be compromised  

2. Firewalls

Firewalls provide protection against outside attackers by shielding your computer or network from malicious or unnecessary web traffic and preventing malicious software from accessing your systems. Firewalls can be configured to block data from certain suspicious locations or applications while allowing relevant and necessary data through, according to US-CERT.

Firewalls may be broadly categorized as hardware or software. While both have their advantages and disadvantages, the decision to use a firewall is far more important than deciding which type you use:

• Hardware – Typically called network firewalls, these external devices are positioned between a computer and the internet (or another network connection). Hardware-based firewalls are particularly useful for protecting multiple computers and control the network activity that attempts to pass through them. 
• Software – Most operating systems include a built-in firewall feature that should be enabled for added protection even if using an external firewall. Firewall software can also be obtained as separate software from a local computer store, software vendor or ISP. If downloading firewall software from the internet, make sure it is from a reputable source (such as an established software vendor or service provider) and offered via a secure website.

While properly configured firewalls may be effective at blocking some cyber-attacks, don’t be lulled into a false sense of security. Firewalls do not guarantee that a computer will not be attacked. Firewalls primarily help protect against malicious traffic, not against malicious programs (malware), and may not protect the device if the user accidentally installs malware. However, using a firewall in conjunction with other protective measures (such as anti-virus software and safe computing practices) will strengthen resistance to attacks.

The Security Summit reminds tax pros that anti-virus software and firewalls cannot protect data if computer users fall for email phishing scams and divulge sensitive data, such as usernames and passwords. The Summit reminds the tax community that users, not the software, is the first-line of defense in protecting taxpayer data.

3. Two-factor authentication 

Many email providers now offer customers two-factor authentication protections to access email accounts. Tax professionals should always use this option to prevent their accounts from being taken over by cybercriminals and putting their clients and colleagues at risk.

Two-factor authentication helps by adding an extra layer of protection beyond a password. Often two-factor authentication means the returning user must enter credentials (username and password) plus another step, such as entering a security code sent via text to a mobile phone. The idea is a thief may be able to steal the username and password but it’s highly unlikely they also would have a user’s mobile phone to receive a security code and complete the process.

The use of two-factor authentication and even three-factor authentication is on the rise, and tax preparers should always opt for a multi-factor authentication protection when it is offered, whether on an email account or tax software account or any password-protected product. 

IRS Secure Access, which protects IRS.gov tools including e-Services, is an example of two-factor authentication. 

Tax pros can check their email account settings to see if the email provider offers two-factor protections.

4. Backup software/services

Critical files on computers should routinely be backed up to external sources. This means a copy of the file is made and stored either online as part of a cloud storage service or similar product. Or, a copy of the file is made to an external disk, such as an external hard drive that now comes with multiple terabytes of storage capacity. Tax professionals should ensure that taxpayer data that is backed up also is encrypted – for the safety of the taxpayer and the tax pro.  

5. Drive encryption

Given the sensitive client data maintained on tax practitioners’ computers, users should consider drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into unreadable files for an unauthorized person accessing the computer to obtain data. Drive encryption may come as a stand-alone security software product. It may also include encryption for removable media, such as a thumb drive and its data.

6. Virtual Private Network

If a tax firm’s employees must occasionally connect to unknown networks or work from home, establish an encrypted Virtual Private Networks (VPN) to allow for a more secure connection. A VPN provides a secure, encrypted tunnel to transmit data between a remote user via the Internet and the company network. Search for “Best VPNs” to find a legitimate vendor; major technology sites often provide lists of top services.

How to get started with the ‘Security Six’ 
All tax professionals also should review their professional insurance policy to ensure the business is protected should a data theft occur. Some insurance companies will provide cybersecurity experts for their clients. 

These experts can help with technology safeguards and offer more advanced recommendations.  

Having the proper insurance coverage is a common recommendation from tax professionals who have experienced data thefts.

Additional resources

Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.

Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media.

The Taxes-Security-Together Checklist

During this special Security Summit series, the checklist highlights these key areas for tax professionals:

• Deploy “Security Six” basic safeguards
• Create data security plan
• Educate yourself on phishing scams
• Recognize the signs of client data theft
• Create a data theft recovery plan, and call the IRS immediately

Tax Security 2.0 – A ‘Taxes-Security-Together’ Checklist – Step 2

IRS, Security Summit partners remind practitioners that all ‘professional tax preparers’ must create a written data security plan to protect clients

IR-2019-131 

WASHINGTON — The IRS, state tax agencies and the nation’s tax industry today reminded all “professional tax preparers” that federal law requires them to create a written information security plan to protect their clients’ data.

The reminder came as the IRS and its Security Summit partners urged tax professionals to take time this summer to review their data security protections. To help them in this complex area, the Summit created a special “Taxes-Security-Together” Checklist as a starting point.

“Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers,” said IRS Commissioner Chuck Rettig. “Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business." 

Creating a data security plan is the second item on the “Taxes-Security-Together” Checklist. The first step for tax professionals involved deploying the “Security Six” basic steps to protect computers and email.

Although the Security Summit -- a partnership between the IRS, states and the private-sector tax community -- is making major progress against tax-related identity theft, cybercriminals continue to evolve, and data thefts at tax professionals’ offices remain a major threat. Thieves use stolen data from tax practitioners to create fraudulent returns that can be harder for the IRS and Summit partners to detect.

Create a data security plan under federal law 

The Security Summit partners noted that many in the tax professional community do not realize they are required under federal law to have a data security plan. 

The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley (GLB) Act, gives the Federal Trade Commission authority to set information safeguard regulations for various entities, including professional tax return preparers. According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation. The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.

The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. According to the FTC, each company, as part of its plan, must:

• designate one or more employees to coordinate its information security program;
• identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
• design and implement a safeguards program and regularly monitor and test it;
• select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
• evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring. 

The FTC says the requirements are designed to be flexible so that companies can implement safeguards appropriate to their own circumstances. The Safeguards Rule requires companies to assess and address the risks to customer information in all areas of their operations.

Please note: The FTC currently is re-evaluating the Safeguards Rule and has proposed new regulations. Be alert to any changes in the Safeguards Rule and its effect on the tax preparation community.

IRS Publication 4557, Safeguarding Taxpayer Data, details critical security measures that all tax professionals should enact. The publication also includes information on how to comply with the FTC Safeguards Rule, including a checklist of items for a prospective data security plan. Tax professionals are asked to focus on key areas such as employee management and training; information systems; and detecting and managing system failures. 

Additional data protection provisions may apply

The IRS and certain Internal Revenue Code (IRC) sections also focus on protection of taxpayer information and requirements of tax professionals. Here are a few examples:

• IRS Publication 3112 - IRS e-File Application and Participation, states: Safeguarding of IRS e-file from fraud and abuse is the shared responsibility of the IRS and Authorized IRS e-file Providers. Providers must be diligent in recognizing fraud and abuse, reporting it to the IRS, and preventing it when possible. Providers must also cooperate with the IRS’ investigations by making available to the IRS upon request information and documents related to returns with potential fraud or abuse.
• IRC, Section 7216 - This IRS code provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures or uses information furnished to them in connection with the preparation of an income tax return.
• IRC, Section 6713 - This code provision imposes monetary penalties on the unauthorized disclosures or uses of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns.
• IRS Revenue Procedure 2007-40 - This legal guidance requires authorized IRS e-file providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties. It also specifies that violations of the GLB Act and the implementing rules and regulations put into effect by the FTC, as well as violations of non-disclosure rules addressed in IRC sections 6713 and 7216, are considered violations of Revenue Procedure 2007-40. These violations are subject to penalties or sanctions specified in the Revenue Procedure.

Many state laws govern or relate to the privacy and security of financial data, which includes taxpayer data. They extend rights and remedies to consumers by requiring individuals and businesses that offer financial services to safeguard nonpublic personal information. For more information on state laws that businesses must follow, consult state laws and regulations.

Where to report data theft for the IRS, states

To notify the IRS in case of data theft, contact the appropriate local IRS Stakeholder Liaison.

In some states, data thefts must be reported to various authorities. Email the Federation of Tax Administrators at [email protected] to get information on how to report victim information to the states.

Additional resources

Tax professionals also can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.

Publication 5293, Data Security Resource Guide for Tax Professionals, provides a compilation of data theft information available on IRS.gov. Also, tax professionals should stay connected to the IRS through subscriptions to e-News for Tax Professionals and Social Media. 

The Taxes-Security-Together Checklist

During this special Security Summit series, the checklist highlights these key areas for tax professionals:

• Deploy “Security Six” basic safeguards
• Create data security plan
• Educate yourself on phishing scams
• Recognize the signs of client data theft
• Create a data theft recovery plan, and call the IRS immediately

---

August 1, 2019
IRS: Truckers should e-file highway use tax return by Sept. 3

IR-2019-138

WASHINGTON — The Internal Revenue Service today issued a reminder for owners of most heavy highway vehicles that the time to file Form 2290, Heavy Highway Vehicle Use Tax Return, began July 1, 2019.

The highway use tax applies to highway motor vehicles with a taxable gross weight of 55,000 pounds or more. This generally includes large trucks, truck tractors and buses. The tax is based on the weight of the vehicle and a variety of special rules apply. These special rules are explained in the instructions to Form 2290.

In 2019, the IRS expects to receive almost 900,000 Heavy Highway Vehicle Use Tax Returns. Though some taxpayers have the option of filing Form 2290 on paper, taxpayers with 25 or more taxed vehicles must e-file Form 2290.

The deadline to file Form 2290 and pay the tax is Sept. 3, 2019, for vehicles used on the road during July. Truckers have the additional time since the normal deadline of Aug. 31 falls on a Saturday this year and Monday, Sept. 2, is a federal holiday.

The IRS encourages all owners to take advantage of the speed and convenience of e-file and paying any tax due. There is no need to visit an IRS office because the form can be filed and any required tax payment can be made online. Filers can use a credit or debit card to pay the Heavy Highway Vehicle Use Tax. Visit IRS.gov for a list of IRS-approved e-file providers and to find an approved provider for Form 2290 on the 2290 e-file partner’s page.

Generally, e-filers receive their IRS-stamped Schedule 1 electronically minutes after filing. They can then print the Schedule 1 and provide it to their state department of motor vehicles, without visiting an IRS office.

For those who want face-to-face service, all IRS Taxpayer Assistance Centers now operate by appointment and taxpayers can call 844-545-5640 to schedule one. See the Taxpayer Assistance Center page on IRS.gov for details.

The IRS will host a webinar, “Understanding Form 2290-Heavy Highway Vehicle Use Tax,” Aug. 15 at 2 p.m. Eastern time. Pre-register for this free 60-minute webinar. Closed captioning is available. Tax professionals can earn one continuing professional education credit for attending.

For more information about the highway use tax, visit the Trucking Tax Center at IRS.gov/trucker.