    Written data security plan for tax preparers

    Anyone have a source for a written plan for a single-person office?
    Thanks

    #2
    Try this: https://doi.org/10.6028/NIST.IR.7621r1

    This is an excellent document IMO and if you read it, you will be ahead of most.

    There is an appendix with a "sample", but you will still have to do some work on it. Frankly, I think the concept of a written plan for a solo practitioner is kind of ridiculous -- who is going to hold you accountable for following it? I fully endorse and practice following good security practices, but taking the time to write down a bunch of cliche statements that in and of themselves do not guarantee any security is a waste of time. For example, do I really need to write down "do not share passwords" in order to not actually share any passwords? Does writing it down mean that I won't actually share any passwords?

    Or put another way, what is the benefit of having a written plan? Does it avoid being sued for damages by a client? Does it keep you out of jail? (Again, I think with employees it is a whole other matter, and evidence that employees were instructed and trained is crucial for protection).
    Last edited by Rapid Robert; 07-17-2019, 07:31 PM.
    "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



      #3

      In response to the above reply post’s questions in the last paragraph, it should be noted why a written plan is not only necessary but is the law:

      IR-2018-175, Aug. 28, 2018:

      According to the FTC Safeguards Rule, tax return preparers must create and enact security plans to protect client data. Failure to do so may result in an FTC investigation. The IRS also may treat a violation of the FTC Safeguards Rule as a violation of IRS Revenue Procedure 2007-40, which sets the rules for tax professionals participating as an Authorized IRS e-file Provider.


      see the FTC rule:



      you will find suggestions for developing a plan.


      Always cite your source for support to defend your opinion



        #4
        Originally posted by TAXNJ View Post
        In response to the above reply post’s questions in the last paragraph, it should be noted why a written plan is not only necessary but is the law:
        Yes, that is a response, but does not answer the questions. None of the information you posted is new or a surprise to me; trust me, when the FTC puts me at the top of their prosecutorial priority list and asks for my written plan, I'll turn something over to them, no matter how plagiarized or meaningless it actually is. The reason I'm so cavalier is because implementing security, which I do, is far, far more important than writing a bunch of cliches about it on paper. And I am confident that with no employees or contract workers, the only person who has to know and implement my plan is me.

        To elaborate on one of my questions: suppose you have a written plan that meets all the requirements, but you still suffer a data breach, perhaps because your plan didn't address the precise situation, or maybe someone failed to follow the plan. How does having the written plan protect you in this case? Are you off the hook completely? If so, then yes, I agree it might be worth it to create one.

        It's like going on a diet. What is more important: actually changing the types and quantities of food you consume, or having a diet book sitting on your shelf? The law that requires a written plan is stupid; it would be far better to require continuing education, similar to ethics. And in the unlikely event I am actually charged with a crime for not having a written plan, I'll just do what illegal taxpayers (those who don't pay the full amount of tax they owe on time) do all the time: hire an expert to get me off.
        Last edited by Rapid Robert; 07-18-2019, 08:31 AM.
        "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



          #5
          Thanks for your reply, Robert, and I couldn't agree more that it is a waste of time to write a plan for my office, but as TAXNJ said it is the law now.



            #6
            Originally posted by Rapid Robert View Post
            Yes, that is a response, but does not answer the questions. None of the information you posted is new or a surprise to me; trust me, when the FTC puts me at the top of their prosecutorial priority list and asks for my written plan, I'll turn something over to them, no matter how plagiarized or meaningless it actually is. The reason I'm so cavalier is because implementing security, which I do, is far, far more important than writing a bunch of cliches about it on paper. And I am confident that with no employees or contract workers, the only person who has to know and implement my plan is me.

            To elaborate on one of my questions: suppose you have a written plan that meets all the requirements, but you still suffer a data breach, perhaps because your plan didn't address the precise situation, or maybe someone failed to follow the plan. How does having the written plan protect you in this case? Are you off the hook completely? If so, then yes, I agree it might be worth it to create one.

            It's like going on a diet. What is more important: actually changing the types and quantities of food you consume, or having a diet book sitting on your shelf? The law that requires a written plan is stupid; it would be far better to require continuing education, similar to ethics. And in the unlikely event I am actually charged with a crime for not having a written plan, I'll just do what illegal taxpayers (those who don't pay the full amount of tax they owe on time) do all the time: hire an expert to get me off.
            Just replying to the Original Poster. Great country where one can make their own decision so it’s up to the Original Poster for their decision. The Original Poster asked for a source for a plan only and not a dissertation of your views.

            No one is telling you that you have to follow something you don’t want to follow. Your extensive positive response is good for you but very overwhelming to read. Think reading the IRS code would be more of an interesting read and better use of time than your reply post.
            Last edited by TAXNJ; 07-18-2019, 05:07 PM.
            Always cite your source for support to defend your opinion



              #7
              Originally posted by TAXNJ View Post
              The Original Poster asked for a source for a plan only and not a dissertation of your views.
              The Original Poster also did not ask for your advice on what other replies are worth reading or not, I'm sure he can make up his own mind. And FWIW, I did in fact respond to the poster with a helpful link to information about creating a plan.

              See ya in the next thread I feel like replying to!

              "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



                #8
                Given how we are repeatedly reminded how important it is to have a written plan sitting on the shelf, it's odd that no one wants to actually provide a template of any kind. The closest I've seen is Tax Tip 2019-119 from the IRS, issued Aug 29 2019. So, using the available guidance in that tax tip, here is my written plan. Note that the law doesn't say it has to be very good, just that I have to have one. So, done.

                * Include the name of all information security program managers.

                Me.

                * Identify all risks to customer information.

                Fire, theft, flood, earthquake, government seizure of property, software malfunction, mis-addressed or mis-delivered communications. No risk from employees because I have none.

                * Evaluate risks and current safety measures.

                Yes, they are all risks. Current safety measures include physical locks, a dog on the premises, up to date professional computer software with all vendor supplied security patches applied within one week of release, and encryption of customer data in digital form.

                * Design a program to protect data.

                Immediately scan client paper documents into secure encrypted digital storage, then return or shred the paper. Use unique passwords for each login requiring a password. Do not share passwords. Use MFA for tax software access.

                * Put the data protection program in place.

                Yes.

                * Regularly monitor and test the program.

                Take this plan off the shelf once per year and read it. Test: get a colleague to come over and promise to buy them a meal if they access customer information in my tax office without my help, within 30 minutes.
                "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard



                  #9
                  Hello, I know this thread has been out there for a while, but I'm glad I found it. I forgot about having a "written" plan down. The TB News item regarding Windows 7 threw this back into my mind. I no longer use a Windows 7 computer, but was happy for the reminder about safety risks and in turn the data security plan. It is quite silly to have a "written" plan for a single-person office. However, as Tax Professionals there are a ton of silly things out there that we have to comply with. So, be kind and stock up on coffee and chocolates for the coming year!

                  PS: Rapid Robert, thanks for the simplification of following the IRS Tax Tip for creating a plan.
