Safeguarding Taxpayer Data 

    Safeguarding Taxpayer Data: A Guide for Your Business

    Safeguarding taxpayer data is a top priority for the Internal Revenue Service (IRS) and the responsibility of governments, businesses, organizations, and individuals that receive, maintain, share, transmit, or store taxpayers’ personal information. Taxpayer data is any information furnished in any form or manner by or on behalf of taxpayers for preparation or filing of their returns. No matter what the size of your firm, it is critical to protect taxpayer data. Having the right safeguards in place helps prevent fraud and identity theft, and enhances client confidence and trust.

    Firms must implement security and privacy practices that are appropriate for the size, complexity, nature, and scope of their business activities. The IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business, contains information to help non-governmental businesses, organizations, and individuals to understand and meet their responsibility to safeguard taxpayer information.

    Publication 4557 helps firms evaluate their security with a very extensive checklist that covers not only computer and file security but employee issues and reporting requirements when there is a security breach. The publication also contains a list of resources for more information on privacy issues.

    The checklist covers such areas as:

    • Administrative Activities
    • Facilities Security
    • Personnel Security
    • Information Systems Security
    • Computer Systems Security
    • Media Security

    There are a growing number of laws and regulations that cover the privacy and security of taxpayer data. This guide references those that provide guidelines on establishing safeguards that help you:

    • Preserve the confidentiality and privacy of taxpayer data by restricting access and disclosure;
    • Protect the integrity of taxpayer data by preventing improper or unauthorized modification or destruction; and
    • Maintain the availability of taxpayer data by providing timely and reliable access and data recovery.

    The publication also provides a list of information security standards and best practice guidelines to safeguard personal tax data, including those from the Federal Trade Commission and the National Institute of Standards and Technology (NIST). Here are some of those guides along with other relevant publications:

    Copier Data Security: A Guide for Businesses
    Does your company keep sensitive data — Social Security numbers, credit reports, account numbers, health records, or business secrets? If so, then you’ve probably instituted safeguards to protect that information. Your information security plans also should cover the digital copiers your company uses.

    Peer-to-Peer File Sharing: A Guide for Business
    Most businesses collect and store sensitive information about their employees and customers, like Social Security numbers, credit card and account information, and medical and other personal data. Many of them have a legal obligation to protect this information. If it gets into the wrong hands, it could lead to fraud and identity theft. That’s why any company that collects and stores sensitive information must consider the security implications of using Peer-to-Peer (P2P) file sharing software and minimize the risks associated with it.

    Financial Institutions and Customer Information: Complying with the Safeguards Rule
    The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. The plan must be appropriate to the company’s size and complexity, the nature and scope of its activities, and the sensitivity of the customer information it handles. 

    NIST Documents

    NIST SP 800-18 Guide for Developing Security Plans for Federal Information Systems. This document provides guidance on developing an Information Security Plan and includes a sample plan in Appendix A.

    NIST SP 800-39 Managing Information Security Risk. This document provides a structured, yet flexible approach for managing risk that is intentionally broad-based, with the specific details of assessing, responding to, and monitoring risk on an ongoing basis provided by other supporting NIST security standards and guidelines.

    NIST SP 800-53 Recommended Security Controls for Federal Information Systems and Organizations. This document provides guidelines for selecting and specifying security controls for information systems.

    NIST SP 800-61 Computer Security Incident Handling Guide. This document seeks to help both established and newly formed incident response teams. This document assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

    Copyright © 2006-2014 American Institute of CPAs.