
IRS Publication 4557 Made Simple: A Tax Preparer’s Guide to Data Security

Updated: Feb 1


[Image: people working in an office with a lock labeled "secure" above them]

Have you ever wondered whether your clients' sensitive data is fully protected? As tax season approaches, this question is more important than ever. If the thought hasn't crossed your mind, you're not alone. Many tax preparers are unaware of IRS Publication 4557 and its importance in safeguarding taxpayer data. Use this article as a quick guide to why the publication matters and how to implement its recommendations in your business.


What Is IRS Publication 4557? 

IRS Publication 4557 is a guide created to help tax professionals safeguard their clients' private data. Since 2014, reported data breaches of CPA firms have steadily increased by over 80%. The publication outlines the procedures and best practices needed to secure client and taxpayer information against cyber threats and identity theft. As cybercrime continues to rise, adhering to this guide becomes increasingly important for tax professionals.


IRS Publication 4557 includes: 


  • Basic Security Tips

  • How to Recognize and Report Data Theft 

  • How to Comply with FTC Safeguard Rules 


This guide is essential for all tax professionals to ensure they are protecting private data and remaining compliant with federal regulations. A cyberattack affects both the client and the tax professional, and a single data breach can easily destroy a business. Many types of sensitive information can be leaked, including:


  • Social Security Numbers 

  • Bank Account Details 

  • Medical Records 

  • Login Credentials 

  • Business Information 

  • Addresses 

  • Financial Statements 


This is just a fraction of the data a cybercriminal could potentially steal. For example, in 2021, a phishing attack on a CPA firm led to a data breach exposing 6,000 clients' personal information. Cybercriminals often use this information to break into further accounts or hold it for ransom.


Why Publication 4557 Matters for Data Security 

Publication 4557 was created in response to the growing number of cyberattacks targeting financial institutions and tax professionals, as well as their clients' private data. In 2023 alone, small businesses, including tax preparers, were 2.5x more likely to experience ransomware attacks than larger companies. The guidelines are meant to protect tax-related data and to help tax professionals adhere to Federal Privacy Laws and the FTC Safeguard Rules and Regulations.


Following Federal Privacy Laws helps to ensure the protection of personally identifiable information (PII). The FTC Safeguard Rules, issued by the Federal Trade Commission, require tax professionals to implement security measures that protect personal client information from hackers.

If tax professionals choose not to follow Publication 4557 to ensure data security, there are several consequences to be aware of. These include: 


  • Fines: Individuals and organizations can face large fines for not complying with regulations. For example, a small tax firm in Illinois was fined $75,000 after a breach exposed clients’ Social Security Numbers. 

  • Litigation Costs: Lawsuits and other legal fees can add up quickly when dealing with the fallout of a hacking incident due to not complying with federal regulations. 

  • Reputation Damage: Non-compliance increases the likelihood of a successful attack, which can cause serious reputational damage to a company as a whole or to an individual tax professional. This in turn leads to fewer customers and less profit.

  • Operational Disruptions: Businesses can be shut down anywhere from days to months, or even years, after a cyberattack.

  • Personal Liability: Lack of compliance with regulations can sometimes lead to individual employees facing personal liability, including fines and even imprisonment, depending on the severity of the attack.  


These are just a few potential consequences of non-compliance. Even experiencing just one consequence can lead to the deterioration of a business or individual tax professional. So, instead of trying to get around regulations, it is best to comply and save your business or yourself from complete financial and reputational ruin. Tax professionals who implement robust data security measures report higher client retention and referrals. Compliance is not just about avoiding penalties – it is a business growth strategy. 


Basic Security Steps from Publication 4557 

Let's start with a summary of the basic security steps a tax professional should take to secure client data: 


  • Conduct regular security assessments of your network and data security to identify potential threats to client data.

    • A vulnerability scanning tool can help with this.

  • Implement security measures to control access to sensitive information.

  • Develop an incident response plan to address potential data breaches.

  • Educate yourself on basic scam traps such as phishing emails and suspicious links. About 48% of Business Email Compromise (BEC) attacks have targeted financial services organizations and often cost victims over $100,000.

  • Create an Information Security Program.

  • Install anti-virus, anti-spyware, firewalls, data encryption, and anti-malware security on all devices with client data.

  • Use strong passwords and enable multi-factor authentication on all accounts.

    • Use a tool like Microsoft Authenticator or Duo Security.

  • Back up sensitive data to a secure location.

  • Secure all wireless networks by giving the network a less identifiable name, reducing its range, and setting a strong password for access.

  • Encrypt data using tools like BitLocker or FileVault.

  • Report any suspicious activity immediately.


Following these steps helps keep client data safe and prevents a massive breach. It is especially important to watch for suspicious activity and report it to your team immediately. If a hacker manages to get through the safeguards you have in place, stopping the intrusion right away, by securing all files and removing the attacker from the system, can prevent a full-blown data breach.
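Several of the steps above (disk encryption, a host firewall, and anti-malware on every device holding client data) can be verified on a Windows workstation with a short read-only audit. The script below is an added example for this article, not part of IRS Publication 4557 and not Castile Security's tooling; it assumes Windows 10/11 with the built-in BitLocker, NetSecurity and Defender PowerShell modules, and should be run from an elevated PowerShell session. The seven-day signature age threshold is an assumed policy value, not one the publication specifies.

```powershell
# Added example (not from IRS Publication 4557 or Castile Security): a read-only
# self-check that a Windows workstation holding client data has disk encryption,
# a host firewall on every profile, and current antivirus protection.
# Assumes Windows 10/11 with the BitLocker, NetSecurity and Defender modules.
# Run as Administrator; BitLocker status is not readable from a standard session.

$findings = @()

# 1. Every volume BitLocker knows about should have protection switched on.
#    ProtectionStatus is On, Off or Unknown; anything but On is reported.
foreach ($vol in Get-BitLockerVolume) {
    if ($vol.ProtectionStatus -ne 'On') {
        $findings += "Drive $($vol.MountPoint): BitLocker protection is $($vol.ProtectionStatus)"
    }
}

# 2. Windows Firewall should be enabled for the Domain, Private and Public profiles.
#    (Loop variable is $fw rather than $profile, which is a PowerShell automatic variable.)
foreach ($fw in Get-NetFirewallProfile) {
    if (-not $fw.Enabled) {
        $findings += "Firewall profile '$($fw.Name)' is disabled"
    }
}

# 3. Microsoft Defender should be on, with real-time protection and fresh signatures.
#    Machines running a third-party antivirus will show Defender disabled here and
#    need the equivalent check against that product instead.
$av = Get-MpComputerStatus
if (-not $av.AntivirusEnabled)          { $findings += "Antivirus is disabled" }
if (-not $av.RealTimeProtectionEnabled) { $findings += "Real-time protection is off" }
$maxSignatureAgeDays = 7   # assumed policy value
$sigAge = (Get-Date) - $av.AntivirusSignatureLastUpdated
if ($sigAge.TotalDays -gt $maxSignatureAgeDays) {
    $findings += "Antivirus signatures are $([int]$sigAge.TotalDays) days old"
}

# Report. A non-zero exit code lets a scheduled task or RMM agent flag the machine.
if ($findings.Count -eq 0) {
    Write-Output "PASS: encryption, firewall and antivirus checks all satisfied"
    exit 0
}
Write-Output "FAIL: $($findings.Count) finding(s)"
$findings | ForEach-Object { Write-Output " - $_" }
exit 1
```

The script only reads configuration and never changes it, so it is safe to schedule on every workstation; the findings list gives the security officer a concrete item to fix for each step that is not yet in place.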


Common Security Threats and What to Do to Protect Against Them 

Tax professionals face various cybersecurity threats daily. Understanding these threats is the first step toward mitigating them. Some of the most common threats include: 


  • Phishing attacks: Fraudulent emails or messages designed to trick recipients into revealing sensitive information.

    • In 2022, phishing attacks accounted for over 80% of reported security incidents in the financial sector.

    • Remediation Step: Train employees to recognize phishing emails and enable email filtering tools to block suspicious emails.

  • Ransomware: Malicious software that encrypts (locks) data, holding it hostage and making it inaccessible until a ransom is paid.

    • Remediation Step: Use robust computer (endpoint) protection tools to prevent, detect, and respond to ransomware attacks.

  • Social Engineering: Psychological manipulation used to trick employees into divulging confidential information.

    • Remediation Step: Conduct regular security awareness training and simulated social engineering exercises to reduce employee susceptibility.

  • Vulnerabilities: Weaknesses in software, systems, or configurations that attackers can exploit to gain unauthorized access or disrupt operations.

    • Remediation Step: Use vulnerability scanning tools to perform regular scans and address high-risk exposures promptly.


How to Comply with the FTC Safeguard Rule 

The FTC Safeguard Rule requires tax professionals to protect customer data by implementing a comprehensive security program. Here are the steps needed to follow the FTC Safeguard Rule: 


  • Designate a Qualified Information Security Officer: This individual is the main person responsible for overseeing, implementing, and enforcing the information security program.

    • This person should have the necessary expertise and authority to manage data security effectively.

    • This can be either an internal team member or an external expert.

  • Conduct Risk Assessments: Identify and assess any risks to customer data.

    • Vulnerability scanning or data monitoring tools can help identify high-risk areas.

  • Design and Implement an Information Security Program: Create a program with specific security measures (controls), including encryption, firewalls, anti-malware tools, access control, and any other measure you have in place to protect client data.

    • Continuously test and monitor this program to ensure it is working properly.

  • Train Employees: All employees need to be trained to adhere to the security program and to the best practices for protecting customer data, with update and refresher training as the program changes.

  • Service Provider Oversight: Any financial services institution should ensure that its service providers also have robust protections in place for employee and customer information. Ensure there is a clause in every contract that guarantees these protections.

  • Develop and Test an Incident Response Plan: Create a detailed incident response plan outlining how to identify, contain, report, and recover from a data breach.

    • Testing: Conduct regular tabletop exercises or full simulations to test your plan's effectiveness and identify gaps.

  • Reporting Data Breaches: If you are a tax professional and experience a data breach – whether caused by hackers, theft, or an accidental error – there are certain vital steps that should be taken immediately. It is always best to consult with a cybersecurity professional for a detailed plan of action and expert guidance. Additional resources on reporting a data breach include:

    • Data Theft Information for Tax Professionals

    • IRS Stakeholder Liaison Local Contacts


By following these steps, you can help protect all private information. While laws and regulations require companies to comply, businesses should want to do this for their own sake as well: securing client data prevents massive breaches and PR scandals and saves money.


Castile Security Can Help Safeguard Your Financial Institution  

It is essential for all taxpayers to use IRS Publication 4557 to help safeguard their business and client data. Castile Security can help protect your business from hackers and ensure you are following all the rules and regulations that apply to you. We can also assist with employee training to help prevent attacks that rely on human error. Do not wait until tax season to secure your client data – schedule a call with us today!
