Federal Trade Commission settles with tax preparation company over violations of privacy and security requirements that apply to all tax preparers

I have written in previous posts that the Gramm-Leach-Bliley statute, which many believe only applies to “financial institutions”, also applies to accountants who prepare tax returns for clients.  This statute, which has been around for over 15 years, requires anyone it applies to, to implement steps to protect the confidentiality, security, and integrity of client information, including the creation of a written information security plan.  Many accountants, however, do not realize that these requirements apply to them if they prepare tax returns for clients.

This week, the Federal Trade Commission (FTC), which enforces Gramm-Leach-Bliley, settled a complaint it brought against TaxSlayer, LLC, a Georgia-based online tax preparation service.  In its complaint, the FTC alleged that hackers breached TaxSlayer’s computer network and gained access to nearly 9,000 accounts during 2015, using the information to engage in identity theft and file fraudulent tax returns. The FTC claimed that TaxSlayer did not develop a written information security plan until November 2015, failed to conduct a required risk assessment, and failed to implement security safeguards to lower the risk of a cyberattack.  These included inadequate authentication measures to screen out hackers, and a failure to require clients to use “strong” passwords to make it more difficult for hackers to guess passwords.

The FTC and TaxSlayer agreed to settle the case, and will enter into a consent agreement, under which TaxSlayer will agree to implement specified security and privacy measures.  While TaxSlayer is an online service, however, the security requirements of Gramm-Leach-Bliley are the same for any accountant who prepares taxes for their clients.

So what are the takeaways for accountants from this case?  Here are a few, straight from the FTC enforcement staff:

• Use secure login and authentication procedures for clients to login and transmit important information. This could take the form of a private portal, where you can download information and documents to clients, and they can upload information or complete forms, without having to email documents back and forth
• Develop a written information security plan, and designate someone to coordinate the plan
• Identify and assess the risks to client information, and the vulnerabilities in your current network or computer systems
• Restrict access to client data to only those personnel who have a business need to see such data
• Train everyone—not just support staff—on how to identify and deal with suspicious emails, that could be ransomware or another type of threat
• Make sure all of your software is up to date, and use virtual private networks, or VPN’s, for any time personnel are working from home, a client’s office, or some other remote location

As I mentioned in an earlier article, this list is not exhaustive, but these and other measures should be part of an overall information security plan which you should review and update periodically. Risks and vulnerabilities change, and unfortunately the hackers are always a step or two ahead of the good guys.

In addition, CPA’s have ethical obligations under the AICPA Code of Professional Conduct, and their state licensing boards’ professional rules, to safeguard the confidentiality of client information.  Failing to take reasonable measures to do so can result in sanctions by the licensing authorities, up to and including loss of license to practice as a CPA.

If you have any questions about the cybersecurity obligations for accountants and other tax preparation services, feel free to call me at 720-575-0440 or email at mark@spitzlegalcounsel.com.