FTC Safeguards rule for tax pros - what is new?
    I've seen numerous emails in recent months, including one today from NAEA, about FTC Safeguards Rule and a June deadline.

    "You may have heard in the news that the Federal Trade Commission (FTC) will require tax professionals to have cyber compliance with the Safeguards Rule by 6/9/23."
    Is this the same thing as the requirement to have a WISP (written information security plan) under the Gramm-Leach-Bliley (GLB) Act, which we have already been subject to for a number of years now? The one where, when you apply for a PTIN, you have to acknowledge that you are aware of the requirement (and not, as many mistakenly claim, that you have fully complied)?

    (The PTIN requirement is "I am aware that paid tax return preparers must have a data security plan to provide data and system security protections for all taxpayer information").

    I don't believe the IRS has authority to actually enforce FTC regulations, but I could be wrong; does anyone know?
    "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard

    #2
    As far as I can tell, these are additional requirements on top of the WISP that weren't required until now. If you look at the bulleted points on the link below, it summarizes what is now required.

    The Federal Trade Commission today announced it is extending by six months the deadline for companies to comply with some of the changes the agency implemented to strengthen the data security safeg
    As for the IRS enforcing things, I tend to agree with you, but I suspect they are required to make tax professionals AWARE of the rules.

      #3
      So what I conclude is that the new requirements are slightly more specific than the ones from a few years ago. The original ones said to write a plan, one of the points being to then implement it. The new ones are actually more specific implementation steps that they are dictating you must perform.

      As a sole prop, small practice, with no employees and almost no in-person appointments in my private home office (I've always selected for remote clients), I believe my plan and implementation meet the requirements. It's less than a page. Between Microsoft BitLocker encryption, backup encryption, and my tax software vendor's requirements for MFA, I have been in good shape since before any of this started applying to tax practices.

      Some of the new requirements are pretty lame. "periodically assess the security practices of service providers" - how am I supposed to do that? Just read what they put on their web site and terms of use (TOU)? "implement multi-factor authentication or another method with equivalent protection" - what is an acceptable "other method"? "train security personnel," -- can I deduct training for our resident dog? :-)

      The original WISP requirement had the following requirements listed as bullet points:
      • Include the name of all information security program managers.
      • Identify all risks to customer information.
      • Evaluate risks and current safety measures.
      • Design a program to protect data.
      • Put the data protection program in place.
      • Regularly monitor and test the program.

      The new version has these requirements listed as bullet points:
      • designate a qualified individual to oversee their information security program,
      • develop a written risk assessment,
      • limit and monitor who can access sensitive customer information,
      • encrypt all sensitive information,
      • train security personnel,
      • develop an incident response plan,
      • periodically assess the security practices of service providers, and
      • implement multi-factor authentication or another method with equivalent protection for any individual accessing customer information.
      "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard

        #4
        While skimming the CalCPA tax discussion forum, I saw several references to a 5,000 customer minimum threshold for the new requirements to apply. For example, if you prepare a 1040 for a married couple with two kids, that is four customers. Not sure how they count customers from the past.

        There does not seem to be any guidance for how to treat customer PII for former customers; for example, when should you affirmatively delete old records (since in theory the SOL on a tax return may never end, if fraud is suspected)? That would be helpful!
        "You said it, they'll never know the difference. Come on, we'll paint our way out!" - Moe Howard
