Since you've done about everything (and more) that could be expected of you under the circumstances, I doubt that yours was an "isolated" case; probably it was a Drake employee (who may or may not have been caught and dismissed). While I would not, of course, expect IRS to help out much, the reaction from Drake is probably par for the course. The disappearance of your posts and other people's is quite telling as they would naturally attempt to play down any talk about such; dampening sales and costing many dollars. There may have been half-a-dozen other tax preparers involved (not just you on this board) and none aware of the other's problems, but you'll never know because a company certainly isn't going to tell you that others have the same problem. They generally give out zero information until the numbers grow too large to ignore.

A local trade school had an ID theft problem a few years ago and I had a client affected. Nothing was done until a hundred people or so were affected and then they went public with it. But all they did was issue the standard boilerplate BS: "We take your security very seriously and are working hard to resolve this problem...", etc. They advised my client to file the 14 and get a theft PIN. They did, however, tell her that if the perpetrators were caught, she would never be advised of it, nor would those responsible be identified because of "legal liability issues."

I've got ATX and don't like to think of some of the nuts I've talked to there being in charge of my data, but I suppose it's just the nature of the beast and we'll have to learn to live with such dire possibilities.

P.S. One bright spot; the bozo (HH-3 kids-EIC) who stole my ordinarily no-refund client's info fouled up the fake tax return somehow and the bogus refund came to her address instead of the thief's . (Yes, she sent it back to IRS).

I didn't give out any 8879s this year in my clients' folders. I've had to change my EFIN 3 times now in order to run from the crook who hacked into my account. The e-services person I talked to the last time I changed it told me I'm supposed to keep the EFIN protected. When I told her that according to Circular 230 we are supposed to give clients a copy of the 8879 and the EFIN is on it, she said she'd never heard of that rule. I've realized it's crazy to give clients a copy of it, rule or no rule. One of my first clients this year was moving to Florida, and that made me really see how crazy it is to include any documents with the EFIN on it in a folder that a new preparer in a new state will have access to -- especially Florida!!

I originally downloaded the Drake program from their website, because if they were to mail me the disc, I would have had to pay sales tax. That may have been my worst mistake. Drake sent the link for the download in an email with my EFIN and log in info, so if a crook had managed to get access to my email, the person would have had all the tools needed to ruin my life and the lives of my clients. At the time, I wasn't aware of the 2-step verification available for email, and that may have prevented this whole thing from happening. Don't really know. It should be a requirement for preparers to get some education in security measures, and not just alarm systems and locking filing cabinets. I mean cyber-security. The hackers always seem to be at least one step ahead of us. There's so much that most of us just don't know, but we should.

Form 8879 - efin

You bring out a good point about providing the 8879

From the IRS web-site. Practitioner PIN Method for Forms 1040 and 4868 Modernized e-File (MeF)

"Do I provide a copy of the completed Form 8879 to the taxpayer for their records?
Provide a copy of the completed Form 8879 for those taxpayers requesting one. You may provide a copy to other taxpayers, but you are not required to do so.
However, EROs will need to provide taxpayers with a copy of Form 8879 if the current year PIN is assigned or generated by the ERO. The taxpayer may need the PIN when electronically signing their next year return. "

Well, I'll be glad to provide my clients' PIN#s, but I'll be danged if I'll give them my EFIN as well. Of course most of the tax documents end up in a filing cabinet or pile somewhere in the clients' houses, but many of them go to another preparer if the client moves out of town, or they lose them, or they are just plain careless with them. One of my elderly clients, when she was leaving my office, laid her tax folder on the hood of her car while she searched for her keys, then forgot it was there and drove away. So it was laying in the parking lot of my office complex for several hours! I only found out about it because she came back in telling me I forgot to give her the papers, but I remembered clearly that she had them in her hand when she left, so we both went outside to retrace her steps and there was the folder just laying there on the edge of the parking lot! So, yeah, rule or no rule, I'm not putting myself in danger anymore. We have no control over what clients do with the classified information we send them out the door with.

From the IRS web-site. Practitioner PIN Method for Forms 1040 and 4868 Modernized e-File (MeF)

"Do I provide a copy of the completed Form 8879 to the taxpayer for their records?
Provide a copy of the completed Form 8879 for those taxpayers requesting one. You may provide a copy to other taxpayers, but you are not required to do so.
However, EROs will need to provide taxpayers with a copy of Form 8879 if the current year PIN is assigned or generated by the ERO. The taxpayer may need the PIN when electronically signing their next year return. "


As you all know without the 8879 copy the taxpayer has no other form with their signature and declaration under penalties of perjury. Also this is a problem for those of us who generate the PIN instead of having the taxpayer key in their own pin. To do that you need a face to face appointment all the time.

Would it make the 8879 invalid if we blacked out our EFIN and PTIN on the client copy?

I'm not sure if we're required to include our PTIN in the client copies or not, but I do know that the IRS Tips for Choosing a Tax Return Preparer say to make sure your tax return preparer has a PTIN. It's the very first bullet point. http://www.irs.gov/uac/Tips-for-Choo...eturn-Preparer

So some taxpayers might assume you blacking out the PTIN is because you don't have one. Then again, do taxpayers ever really read this stuff?

Efin

What about covering the EFIN?

As others pointed out you're not required to provide the 8879 unless they ask, so that could be used to limit the exposure some. That said, if they ask, "At the request of the taxpayer, the ERO must provide the Submission ID and the date the IRS accepted the electronic individual income tax return data." Since the EFIN is part of the submission ID, I think a taxpayer that asks for it gets it.

I believe everywhere that the IRS permits information to be blacked out is specifically addressed in the IRS instructions. For example, "Filers of information returns are permitted to truncate a payee's SSN, ITIN, ATIN, or EIN on most payee statements." in the General Instructions for Certain Information Returns - http://www.irs.gov/pub/irs-pdf/i1099gi.pdf

Following the rules, if Shady Sid's Shady Returns across the street sends his nephew to your office and you preparer a return for them it seems Shady Sid can get your EFIN if you follow the pubs/instructions. He'd have to know to ask. In practice, I can't imagine blanking an EFIN or PTIN is really going to cause problems - someone would have to complain to start with.

Really, I don't think the availability of an EFIN is that terrible a problem so much as tax software companies relying upon it as a way to identify customers. Anything that prints anywhere on a tax return should never be something used to verify I am who I say I am. Hiding the EFIN is one way to help increase security, but really the problem is the software companies not the EFIN.

EFIN hiding

Agree.

Also worth noting: The submission identifier number (SID) at the top of Form 8879 et al clearly shows your EFIN. For instance, if your ETIN is 123456, the SID for every return filed this past/current tax season will always start with 1234562015.

Even the dumbest of Shady Sid's employees and others who may wish to do harm can figure that one out!

FE

I forgot that the SID and old DCN also had our EFIN embedded.

So there is no effective way to hide our EFIN or PTIN from prying eyes!

Concealing EFIN or PTIN on client copies

Not necessarily. . .

My tax software already (for the "client copies") blocks out most of the SSNs (taxpayer and dependents), my PTIN, bank account information for direct refund deposit, etc.

OTOH, it does not generate a "client copy" of Form 8879. Perhaps that is a software change that might need consideration? Of course, Part III of Form 8879 does consist of EFIN + related PIN, so there are two separate issues there.

I do feel it is important to provide a client with a Form 8879 of some sort, if for no other reason than for them to have a record of their own PINs in Part II. It would be nice for that form *NOT* to look like a Hillary Clinton redacted email when the client receives it. . .

While I think there is some room for improvement of the security type by the tax software providers, I am not greatly concerned over a (apparently isolated?) disaster of the type encountered by manyhappyreturns. Whenever I (rarely) need to contact my software provider re a specific tax return, there are many hoops I need to jump through first. . .and the "answers" have never been shown on *ANYTHING* that ever gets printed with a tax return - to include hard copies in my files or client copies. I assume that, should someone get access to the "secret answers" I could easily change those answers to solve that problem?

Those with continuing concerns should perhaps contact their own tax software providers with suggestions as to how to make things more secure for users of their products.

FE

FE, what software do you use? I'm shopping for a new one for next year.

This thread is a most interesting discussion, and I am also considering eliminating a copy of the 8879 from the client file. Would requesting a PIN from the TP's be an alternative strategy? That way it would not be generated by the ERO. That info could be included in another document such as the letter included with the tax return or with the Privacy Notice, for example. (This of course does not help that the client already has the EFIN from the last three years' 8879's in their files.) I don't think any one of my clients would specifically request that form. And I don't know how careful all clients are when disposing of their old tax returns either. I have a professional shredder come every year for my old files and they do it on-site while I watch. Perhaps I could include my clients' as well for a fee. I could charge them by the box.