The Expert in Tax Education
Protecting Your Client's
Sensitive Information:
Your Legal Responsibility
IRC 7216, 6713 & FTC GLB
Presented by XXXX
Developed by Rose Hablitzel, EA
Summer 2014
Introduction
• This material is designed to inform Enrolled
Agents, CPAs, and Tax Preparers of the
possible pitfalls of disclosing taxpayer
information. Clients come to us who have been
in other professional offices and tell stories of
the confidential information they find on the
desks, conference rooms, reception areas of
other tax professionals. We are charged with
protecting and safekeeping that which is given
to us in confidence.
• Be aware and informed of your responsibilities.
Introduction - continued
• Two brochures from the Federal Trade
Commission which are very helpful in explaining
your responsibility are:
“Protecting Personal Information – A Guide for
Business” (business.ftc.gov/privacy-and-security)
“Copier Data Security: A Guide for Businesses”
(business.ftc.gov)
Both are free of charge and are available in large
quantities for use as handouts in ethics classes.
Disclosure or Use of Tax Information
• Internal Revenue Code Section 7216 updated
January 1, 2009. Previously not updated since
1970.
• Criminal provision enacted by U.S. Congress in
1971 that prohibits preparers of tax returns from
knowingly or recklessly disclosing or using tax
return information.
• Convicted preparer may be fined $1,000 or
imprisoned no more than 1 year or both for each
violation
Internal Revenue Code 6713
• Disclosure or use of information by
preparers of returns
– Imposition of Penalty – any person engaged in
business of preparing or providing services in
connection with the preparation of tax returns
who:
1. Discloses any information furnished to him for, or in
connection with the preparation of any such return, or
2. Uses any information for any purpose other than to prepare
tax
shall pay a penalty of $250 for each disclosure or use,
but the total amount imposed under this subsection for any
calendar year shall not exceed $10,000
Definitions
• Tax Return – Any return or amended return of income tax
• Tax Return Preparer –
– any person engaged in the business of preparing or assisting in
preparing tax returns
– Any person providing auxiliary services in connection with
preparation of tax returns (i.e. software developer, e-file
Providers)
– Any person compensated for preparing or assisting in preparing
– Any person who performs services that assist in preparation or
provides auxiliary services in tax preparation
–Business of Preparing returns
• A person is engaged in the business of
preparing tax returns if, in the course of the
person’s business, the person holds
himself out to tax return preparers or
taxpayers as a person who prepares tax
returns or assists in preparing tax
returns, whether or not tax preparation is
the person’s sole business activity and
whether or not the person charges a fee
for tax return preparation services
• Providing auxiliary services
– …person holds himself out to tax return
preparers or to taxpayers as a person
who performs auxiliary services, whether
or not providing the auxiliary services is
the person’s sole business activity,
whether or not the person charges a fee.
• Otherwise compensated
– any person who is compensated for
preparing a tax return for another person,
but not in the course of a business, or
– Is compensated for helping, on a casual
basis, a relative, friend, or other
acquaintance to prepare their tax return.
• Tax Return Information – any information
including but not limited to:
– Taxpayer’s name
– Address
– Identifying number
which is furnished in any form or manner for, or in
connection with, the preparation of a tax return of
the taxpayer.
This includes information that the taxpayer
furnishes to a tax return preparer and information
furnished to the tax return preparer by a third party.
• Use –
– Use of tax return information includes any
circumstance in which a tax return preparer
refers to, or relies upon, tax return information
as the basis to take or permit an action.
• Disclosure
– The term disclosure means the act of making
tax return information known to any person in
any manner whatever.
• Hyperlink –
– A hyperlink is a device used to transfer an
individual using tax preparation software from
a tax return preparer’s Web page to a Web
page operated by another person without the
individual having to separately enter the Web
address of the destination page
• Request for consent – A request for consent
includes any effort by a tax return preparer to
obtain the taxpayer’s consent to use or
disclose the taxpayer’s tax return information
• Gramm-Leach-Bliley Act – the requirements
of section 7216 do not override any
requirements or restrictions of the GLB Act
which are in addition to the requirements or
restriction of section 7216.
IRC Section 301.7216-2 Permissible disclosures or
uses without consent of the taxpayer
a. Disclosure pursuant to other provisions of
the IRC
b. Disclosures to the IRS
c. Disclosures or uses for preparation of a
taxpayer’s return
d. Disclosures to other tax return preparers
e. Disclosure or use of information in the case
of related taxpayers
f. Disclosure pursuant to an order of a court
or an administrative order, demand, request,
summons, or subpoena which is issued in
the performance of its duties by a Federal or
State agency, the United States Congress, a
professional association ethics committee or
board, or the Public Company Accounting
Oversight Board.
g. Disclosure for use in securing legal advice,
Treasury Investigations or court
proceedings.
h. Certain disclosures by attorneys and
accountants
i. Corporate Fiduciaries
j. Disclosure to taxpayer’s fiduciary
k. Disclosure or use of information in
preparation or audit of State or local tax
returns or assisting a taxpayer with foreign
country tax obligations.
l. Payment for tax preparation services
m. Retention of records
n. Lists for solicitation of tax return business
o. Producing statistical information in
connection with tax return preparation
business
p. Disclosure or use of information for quality,
peer, or conflict reviews
q. Disclosure to report the commission of a
crime
r. Disclosure of tax return information due to a
tax return preparer’s incapacity or death
s. Effective/applicability date – on or after
January 1, 2009
IRC Section 301.7216-3 Disclosure or use
permitted with taxpayer’s consent
1. Taxpayer consent – Unless section 7216 or
301.7216-2 specifically authorizes the
disclosure or use of tax return information, a
tax return preparer may not disclose or use
a taxpayer’s tax return information prior to
obtaining a written consent from the
taxpayer.
The consent must be knowing and voluntary.
2. Taxpayer consent to a tax return preparer
furnishing tax return information to another
tax preparer.
3. The form and content of taxpayer consents
A. Must include name of the tax preparer and name
of taxpayer
B. Must identify the intended purpose of the
disclosure, intended recipient of the information
and particular use authorized
C. Must specify the tax return information to be
disclosed or used by the preparer
D. If preparer located outside US, the taxpayers’
consent prior to any disclosure is required
E. Must be signed and dated by the taxpayer
Timing requirements and limitations
• No Retroactive consent
• A tax return preparer may not request a taxpayer’s
consent for solicitation of business unrelated to
tax return preparation
• No request for consent after an unsuccessful
request
• No consent to disclosure of a taxpayer’s social
security number to a return preparer outside the
United States
Special Rules
• Multiple disclosures within a single consent form
or multiple uses within a single consent form. A
single written document cannot authorize both
uses and disclosures.
• Disclosure of entire return – consent may
authorize disclosure of all information in return
• Copy of consent must be provided to taxpayer
Revenue Procedure 2008-35
• supplements the regulations and provides
guidance to preparers obtaining consents to
disclose and consents to use taxpayer data
– Consents must:
• Identify the intended purpose
• Identify the recipient and describe the information to be
disclosed
• Include the name of the tax return preparer and taxpayer
• Include mandatory language to inform taxpayer he is not
required to sign and if he signs, he can set duration of consent
• Consents must: (continued)
– Include mandatory language that refers taxpayer to
TIGTA if he believes his return has been disclosed
– Include appropriate mandatory statement informing
taxpayer his return information may be disclosed to a
preparer located outside the U.S.
– Be in 12-point type on 8 ½ by 11 inch paper.
Electronic consents must be in the same type as the
web site’s standard text and
– Contain taxpayer’s affirmative consent (not an opt-out
clause) and
– Be signed and dated by the taxpayer
• Updated regulations apply to:
– Paid preparers
– Software Developers
– Electronic Return Originators
– Persons or entities engaged in tax preparation service or auxiliary services
– Volunteer tax preparers (VITA)
– Tax Counseling for Elderly (TCE) volunteers
– Employees and contractors employed by tax preparation companies in a
support role
Violations could result in imprisonment up to 1 year & fine
of not more than $1,000 or both for each violation.
Gramm-Leach-Bliley Act
• This act consists of three sections:
– Financial Privacy Rule
– Safeguards Rule
– Pretexting provisions
Financial Privacy Rule
• Requires financial institutions to provide
consumers with privacy notice at the time the
consumer relationship is established and annually
thereafter
• Must contain:
– Explanation of information collected
– Where the information is shared
– How information is used
– How the information is protected and
– The consumer’s right to opt out of the information being
shared
• GLB defines “financial institutions” as companies
that offer financial products or services to
individuals, like loans, financial or investment
advice or insurance. Federal Trade Commission
(FTC) has jurisdiction over financial institutions
such as:
• Non-bank mortgage lenders
• Real estate appraisers
• Loan brokers
• Some financial or investment advisers
• Debt collectors
• Tax return preparers
• Banks, and
• Real estate settlement service providers
Safeguards rule
• Requires financial institutions to develop a written
security plan that describes:
– How the company is prepared for and
– Plans to continue to protect clients’ nonpublic personal
information (NPI)
• Plan must include:
– Designate one employee to manage safeguards
– Construct an analysis of each department’s handling of NPI
– Develop, monitor and test a program to secure NPI and
– Change the safeguards as needed with the changes in
how information is collected, stored and used
Pretexting
• Social engineering – occurs when someone tries
to gain access to NPI without proper authority
– Done by impersonators using:
• Phone
• Mail
• Email
• Phishing
A well written plan needs a section on training
employees to recognize and deflect inquiries made
under a pretext.
Privacy notice
• Must accurately describe how you collect,
disclose and protect NPI. The notice must
include:
– Categories of information collected
– Categories of information disclosed
– Categories of affiliates and nonaffiliated third parties to
whom you disclose the NPI
– Categories of information disclosed and to whom
Privacy notice – (continued)
– A statement that the disclosures are made “as permitted
by law” if disclosing to nonaffiliated third parties
– Explanation of customers’ right to Opt-Out
– Any disclosures required by the Fair Credit Reporting Act
– Policies and practices with respect to protecting
confidentiality and security of NPI
Must be “clear and conspicuous” – using plain language
and be easy to read
Opt-out notices
• Must give consumers a reasonable
opportunity to opt-out.
• Once you receive an opt-out notice, you
must comply with it as soon as is
reasonably possible.
Safeguarding taxpayer information is a vital part of your business.
There are many things to consider:
• Office personnel, janitorial service, computer
technicians, contract labor
• Office, storage area, filing cabinets
• Client files
• Electronic transmissions, email, faxes, sharing files
• US mail, Fed ex, UPS
• Computer hardware and software, copy machines
Employee management and training
• Do background checks before hiring employees
who will have access to NPI
• Employees sign agreement to follow company’s
security standards for handling NPI
• Limit NPI to employees who have a need to see it
• Require employees to have strong passwords
• Use password-activated screen savers to lock
computers after a period of inactivity
• Develop policies for use and protection of laptops,
cellphones, PDAs or mobile devices
Employee Management Training (continued)
• Train employees to take steps to maintain security
by:
– Locking rooms and file cabinets
– Not sharing or openly posting employee passwords
– Encrypting sensitive customer information when
electronically transmitted
– Referring calls or other requests for customer information
to a designated person
– Reporting suspicious attempts to obtain NPI
Employee Management Training (continued)
• Regularly remind employees of policies and legal
requirements to keep NPI secure
• Develop policies for employees who telecommute
• Impose disciplinary measures for security
violations
• Prevent terminated employees from accessing
NPI by deactivating passwords and user names.
Information systems
Network and software design, information processing,
storage, transmission, retrieval and disposal.
Suggestions for maintaining security from data entry to
data disposal:
• Know where sensitive NPI is stored and store it
securely
• Ensure secure transmission of customer information
• Dispose of customer information securely – consistent
with FTC’s Disposal Rule
• Take steps to prevent security breaches
Communication
• There are many ways we communicate with clients
and transmit sensitive information to other authorized
individuals.
– USPS, Fed Ex, and UPS – considered somewhat secure
– Faxes – could be sent to wrong number – consider
requesting confirmation
– Email – more vulnerable than other methods
Encryption alters a message so that an
unintended recipient cannot decipher it. Learn how to do it.
• Sharing files on a secure server
– Internet services are available to allow you to
upload files in an encrypted format which can be
downloaded to the client’s computer. When using this kind
of service, make sure that the service:
• Is accessed via an “https” connection
• Requires an ID and password login
• Stores the files on the server in an encrypted format
• Deletes the files after a short period of time
• Logs the network address of the person downloading the file
Paper files
These can also be a security factor. Files need to
be locked. Safeguards concerns are:
• Leaving documents in the open that are visible to
customers or employees
• Preparer’s workspace should be free from other
client information
• Scan paper files and destroy originals
• Destroy old files – by burning, shredding and certified
destruction
Electronic Data
• Protect onscreen data from others in the
room.
• Prevent theft of the computer.
• Flash Drives can easily be picked up and
taken or put in a pocket or purse and lost.
Consider a flash drive that can be encrypted.
• Reformatting a flash drive may not remove
the data. Consider destroying it completely.
Laptops are also not a secure means of storing
information. They can easily be stolen. If a laptop is used for
storage, consider full disk encryption. Look
into:
• TrueCrypt
• BitLocker
• McAfee Endpoint Encryption
Biometrics (fingerprint reader) for the computer
password has been around for a few years.
Can be anywhere from $30 to $150.
Disposing of old computers requires that no bits of
client information remain for the new owner to
read.
Data can still be recovered from reformatted drives. Wipe a drive
with at least 7 passes. If you take the drive out and
destroy it, make sure the platters inside the drive
are broken.
Copiers, printers and fax machines also have the
ability to retain information. Those also need to
be destroyed when getting rid of them.
Secure software, strong passwords, data
encryption, virus protection, locking your hard drive,
and backing up your files ensure protection.
Protect your Wi-Fi – make sure it is password
protected
Sharing files on network – turn off “simple file
sharing” and turn on “share with permission”
Firewalls protect office computers from
intruders
You are ultimately responsible!
Use safeguards to protect client
NPI
NAEA created this educational program as part of its
firm commitment to providing up-to-date, convenient
continuing education that focuses on the issues that
members identify as top priorities. Members are invited
to suggest further areas of study or to submit
presentations by contacting [email protected].
National Association of Enrolled Agents
1730 Rhode Island Ave, NW Ste 400
Washington, DC 20036
Toll free: 855-880-NAEA
www.naea.org