Tax pros should create recovery plan and report thefts immediately

IRS Tax Tip 2019-126, September 12, 2019

Tax professionals should review their security measures and create a data theft recovery plan. This plan can help save valuable time and protect tax professionals and taxpayers after a data theft (PDF) . One of the first things a preparer should do after a theft is contact the IRS. Here are other steps tax pros should outline in their plan:

Contact the IRS and law enforcement:

  • Report client data theft to the local IRS Stakeholder Liaison. They will notify IRS Criminal Investigation and other appropriate offices within the agency on behalf of the preparer. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in a preparer’s clients’ names.
  •  Local Federal Bureau of Investigation.
  • Local police and file report on the data theft.

Contact state agencies where they prepare state returns:

  • State Tax Agencies. Email the Federation of Tax Administrators at StateAlert@taxadmin.org to get information on how to report victim information to the states.
  • State Attorneys General. Most states require that the attorney general be notified of data thefts. This process may involve contacting multiple offices.

Contact experts:

  • Security expert. They can determine the cause and scope of the theft. They can also figure out how to prevent further losses.
  • Insurance company. Preparers should check to see if their insurance policy covers expenses related to the data loss.

Contact clients and other services:

  • Federal Trade Commission. They offer tips and templates for businesses that suffer data compromise. They even have suggested language for informing clients.
  • Clients. Send a letter to victims letting them know about the theft. Preparers should work with law enforcement on timing. A preparer who has prior-year data in their system may need to contact former clients.
  • Tax software provider. They may need to take steps to prevent inappropriate use of the compromised account for e-filing.
  • Website and client portal provider. Thieves may have stolen passwords. The preparer and provider would need to reset these.
  • Credit and identity theft protection agency. Certain states require credit monitoring and identity theft protection to victims of ID theft.
  • Credit bureaus. Notify them if there’s a compromise. The preparer’s clients may seek their services.