What to Do If You Suffer a Data Breach or Other Security Incident

Tax professionals are increasingly targets of cybercriminals seeking access to client data. Criminals use the stolen information to file fraudulent tax returns for refunds. Be prepared to protect your clients and yourself by taking a few critical steps.

Should you experience a data compromise, there are certain basic steps you should take. For a comprehensive list of security actions, consult a security professional. Also see Data Theft Information for Tax Professionals on IRS.gov.

Preliminary steps include:

Contact the IRS and law enforcement:

• Internal Revenue Service - Report client data theft to your local IRS Stakeholder Liaison. Liaisons will notify IRS Criminal Investigation and others within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
• Federal Bureau of Investigation – Contact your local office.
• Secret Service – Contact your local office (if directed).
• Local police – File a police report on the data breach.

Contact states in which you prepare state returns:

• State Tax Agencies - Contact each state in which you prepare returns
• State Attorneys General - Contact each state in which you prepare returns. Most states require that the attorney general be notified of data breaches. This notification process may involve multiple offices.

Contact experts:

• Security expert – They can determine the cause and scope of the breach, what to do to stop the breach and prevent further breaches from occurring.
• Insurance company – Report the breach and check if your insurance policy covers data breach mitigation expenses.

Contact clients and other services:

• Federal Trade Commission offers tips and templates for businesses that suffer data compromise, including suggested language for informing clients.
• Clients – Send an individual letter to victims to inform them of the breach but work with law enforcement on timing. Remember that you may need to contact former clients if their prior year data was still in your system.
• Your tax software provider – They may need to take steps to prevent inappropriate use of your account for e-filing.
• Your web site/client portal provider(s) – It’s possible that your firm and client passwords may have been compromised and need to be reset.
• Federal Trade Commission offers tips and templates for businesses that suffer data compromise, including suggested language for informing clients.
• Credit/ID theft protection agency - Certain states require offering credit monitoring/ID theft protection to victims of ID theft.
• Credit bureaus – Notify them if there is a compromise. Clients may seek their services.

The IRS reminds tax professionals that toll-free assisters cannot accept third-party notification of tax-related identity theft. Clients should file a Form 14039, Identity Theft Affidavit, only if their electronic return is rejected as a duplicate or they are directed to do so.

This tax tip is one in a series of special security tax tips intended to raise awareness for tax professionals. The “Protect Your Clients; Protect Yourself” campaign is an initiative of the Security Summit. The Security Summit is a joint project by the IRS, states and the tax community to combat identity theft. Due to the sensitive client data held by tax professionals, cybercriminals increasingly are targeting the tax preparation community.