Monday, March 28, 2011

Industry Urges Third-Party Reviews of Security Risks for E-File Providers

By Diane Freda

The Internal Revenue Service should require electronic tax filing providers to undergo third-party assessments every three years of whether they comply with information security controls, an industry group that advises the IRS said March 24.

Industry participants are hoping to head off a major security breach among the hundreds of data transmitters, software developers, online providers, and intermediate providers that routinely handle taxpayer accounts and the personal taxpayer information sent to the IRS.

Such assessments would involve senior management annually certifying that the company has reasonable assurance of the security, confidentiality, and integrity of personal information, said CCH Small Firm Services Director Dave Olsen, a member of the IRS Electronic Tax Administration Advisory Committee working group.

However, the group's recommendations are likely to be controversial since the e-file industry is currently under a self-assessment model and is not required to undergo third-party assessments.

All authorized IRS e-file providers are required by the Federal Trade Commission Safeguards Rule to have a comprehensive information security program, but the working group is looking to bump that up a notch by requiring independent and more frequent assessments.

Among the working group's recommendations was that e-file providers—with the exception of tax preparers who have been deferred for later consideration—conduct annual self-assessments of their security controls, and that an independent third party assess the controls every three years.

Adapting Current Rules

The working group is proposing to match up the FTC Safeguards Rule with requirements of the IRS safeguards program—two different security programs, said Philip Piorier, vice president for the government consumer tax group with Intuit.

The IRS safeguards program manages the security risk associated with the IRS providing data to third parties such as states and municipalities. It requires that participants follow National Institute of Standards and Technology (NIST) controls, self-assess, and obtain third-party assessments. However, that program applies only to taxpayer information going out from the IRS to third parties, not to information going from taxpayers to third parties. Therefore it would need to be adapted to the e-file provider community.

Companies should be required to report the result of their annual self-assessments and any periodic third-party assessments to IRS, and IRS should conduct spot checks of company and assessor performance, the working group said.

Adverse spot checks should have consequences, including suspension of a company from the e-file program or other IRS enforcement actions, along with a prohibition on the assessors involved being used for third-party assessments.

If the recommendations are adopted by the full ETAAC, the working group said, the IRS should issue guidance on its recommended security controls without being too prescriptive.

The complete text of this article can be found in the BNA Daily Tax Report, March 25, 2011.

© 2011, The Bureau of National Affairs, Inc.
