October 24, 2017 | Blog
Securing Your Tax Practice - Safeguarding Your Data
From tax expert Gerry Vittoratos
In the first part of this series, we saw how the engagement letter can be an indispensable tool for protecting your tax practice. In this second part, we will see how to properly secure your client’s data.
The following checklist is inspired by IRS Publication 4557, Safeguarding Taxpayer Data. This document provides 7 checklists to go through in order to properly secure your data. We summarize the 7 checklists below.
1 - Administrative Activities
You should complete a risk assessment study and identify the risks of a breach of your client’s data. Based on this assessment, write up a security plan that describes how to address each of these risks. This security plan should be periodically reviewed and revised if necessary.
2 - Facilities Security
Your client’s data should be physically safe from any unforeseen event (theft, floods, etc.). Make sure that your client’s data is not left unsecured around the office, such as on desks or photocopiers, especially if it is accessible to people who are not working with you. You should also provide for safe disposal of the client’s information, such as by shredding or hard drive destruction. You can do this yourself, or hire an information security company that specializes in document destruction.
3 - Personnel Security
Create a code of conduct document that describes responsibilities and expected behaviour regarding computer information systems as well as paper records and usage of taxpayer data. Have everyone in your office complete, sign, and submit an acknowledgement that they have read, understood, and agree to comply with the code of conduct. Have personnel who will have access to taxpayer information sign nondisclosure agreements on the use of confidential taxpayer information. Have procedures in place to immediately cancel the login IDs and passwords, and recover access cards of former employees.
4 - Information Systems Security
Backing up your client’s data regularly (daily during tax season) is essential. Store the information in a secure location that is outside of the office; this will prevent backups from being lost or destroyed at the same time as the original data. A contingency plan should be in place in case of a disruption of business. This plan should be tested periodically.
5 - Computer Systems Security
A password policy is, of course, essential; you should implement a policy that requires strong passwords and periodic changes to them. It is important to remind employees not to share their passwords. Invest in robust security software that includes a firewall and anti-malware and anti-virus programs that are updated regularly. Simply having security software monitoring is not enough; regular scans of your hard drives with that software are necessary.
Any file exchange of sensitive documents pertaining to your clients should be done through secure server products, such as DT Client Portal or Onvio.
6 - Media Security
Store all computer disks, removable media, tapes, compact disks and flash drives in a secure location. Secure this location with locks or key access.
7 - Certifying Information Systems for Use
It is good practice to have an independent audit of your security procedures and systems. This audit should identify any deficiencies in your systems. Create plans around this audit to rectify those deficiencies.
Educating Your Clients
Another aspect of safeguarding your tax practice is educating your clients on the proper procedures for interactions between you and them. Make sure you drive home the potential risks they face if they don’t properly secure their sensitive information on their end. Implementing a policy of file exchanges through the secure servers mentioned above is a crucial step in securing your client’s data on both ends.