The Expert in Tax Education

Upload: buddy-horn

Post on 25-Dec-2015


Protecting Your Client's Sensitive Information:

Your Legal Responsibility IRC 7216, 6713 & FTC GLB


Developed by Rose Hablitzel, EA

Presented by XXXX

Summer 2014


Introduction

• This material is designed to inform Enrolled Agents, CPAs, and Tax Preparers of the possible pitfalls of disclosing taxpayer information. Clients who have been in other professional offices come to us and tell stories of the confidential information they found on the desks and in the conference rooms and reception areas of other tax professionals. We are charged with protecting and safekeeping that which is given to us in confidence.

• Be aware and informed of your responsibilities.

Introduction - continued

• Two brochures from the Federal Trade Commission which are very helpful in explaining your responsibility are:

“Protecting Personal Information – A Guide for Business” (business.ftc.gov/privacy-and-security)

“Copier Data Security: A Guide for Businesses” (business.ftc.gov)

Both are free of charge and are available in large quantities for use as handouts in ethics classes.

Disclosure or Use of Tax Information

• Internal Revenue Code Section 7216 updated January 1, 2009. Previously not updated since 1970.

• Criminal provision enacted by U.S. Congress in 1971 that prohibits preparers of tax returns from knowingly or recklessly disclosing or using tax return information.

• Convicted preparer may be fined $1,000 or imprisoned no more than 1 year or both for each violation

Internal Revenue Code 6713

• Disclosure or use of information by preparers of returns

– Imposition of Penalty – any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who:

1. Discloses any information furnished to him for, or in connection with the preparation of any such return, or

2. Uses any information for any purpose other than to prepare tax

shall pay a penalty of $250 for each disclosure or use, but the total amount imposed under this subsection for any calendar year shall not exceed $10,000

Definitions

• Tax Return – Any return or amended return of income tax

• Tax Return Preparer –

– Any person engaged in the business of preparing or assisting in preparing tax returns

– Any person providing auxiliary services in connection with preparation of tax returns (e.g. software developers, e-file providers)

– Any person compensated for preparing or assisting in preparing

– Any person who performs services that assist in preparation or provides auxiliary services in tax preparation

• Business of preparing returns

– A person is engaged in the business of preparing tax returns if, in the course of the person’s business, the person holds himself out to tax return preparers or taxpayers as a person who prepares tax returns or assists in preparing tax returns, whether or not tax preparation is the person’s sole business activity and whether or not the person charges a fee for tax return preparation services

• Providing auxiliary services

– …person holds himself out to tax return preparers or to taxpayers as a person who performs auxiliary services, whether or not providing the auxiliary services is the person’s sole business activity, whether or not the person charges a fee.

• Otherwise compensated

– any person who is compensated for preparing a tax return for another person, but not in the course of a business, or

– Is compensated for helping, on a casual basis, a relative, friend, or other acquaintance to prepare their tax return.

• Tax Return Information – any information including but not limited to:

– Taxpayer’s name

– Address

– Identifying number

which is furnished in any form or manner for, or in connection with, the preparation of a tax return of the taxpayer.

This includes information that the taxpayer furnishes to a tax return preparer and information furnished to the tax return preparer by a third party.

• Use – Use of tax return information includes any circumstance in which a tax return preparer refers to, or relies upon, tax return information as the basis to take or permit an action.

• Disclosure – The term disclosure means the act of making tax return information known to any person in any manner whatever.

• Hyperlink – A hyperlink is a device used to transfer an individual using tax preparation software from a tax return preparer’s Web page to a Web page operated by another person without the individual having to separately enter the Web address of the destination page

• Request for consent – A request for consent includes any effort by a tax return preparer to obtain the taxpayer’s consent to use or disclose the taxpayer’s tax return information

• Gramm-Leach-Bliley Act – the requirements of section 7216 do not override any requirements or restrictions of the GLB Act which are in addition to the requirements or restrictions of section 7216.

IRC Section 301.7216-2 Permissible disclosures or uses without consent of the taxpayer

a. Disclosure pursuant to other provisions of the IRC

b. Disclosures to the IRS

c. Disclosures or uses for preparation of a taxpayer’s return

d. Disclosures to other tax return preparers

e. Disclosure or use of information in the case of related taxpayers

f. Disclosure pursuant to an order of a court or an administrative order, demand, request, summons, or subpoena which is issued in the performance of its duties by a Federal or State agency, the United States Congress, a professional association ethics committee or board, or the Public Company Accounting Oversight Board.

g. Disclosure for use in securing legal advice, Treasury Investigations or court proceedings.

h. Certain disclosures by attorneys and accountants

i. Corporate Fiduciaries

j. Disclosure to taxpayer’s fiduciary

k. Disclosure or use of information in preparation or audit of State or local tax returns or assisting a taxpayer with foreign country tax obligations.

l. Payment for tax preparation services

m. Retention of records

n. Lists for solicitation of tax return business

o. Producing statistical information in connection with tax return preparation business

p. Disclosure or use of information for quality, peer, or conflict reviews

q. Disclosure to report the commission of a crime

r. Disclosure of tax return information due to a tax return preparer’s incapacity or death

s. Effective/applicability date – on or after January 1, 2009

IRC Section 301.7216-3 Disclosure or use permitted with taxpayer’s consent

1. Taxpayer consent – Unless section 7216 or 301.7216-2 specifically authorizes the disclosure or use of tax return information, a tax return preparer may not disclose or use a taxpayer’s tax return information prior to obtaining a written consent from the taxpayer.

The consent must be knowing and voluntary.

2. Taxpayer consent to a tax return preparer furnishing tax return information to another tax preparer.

3. The form and content of taxpayer consents

A. Must include name of the tax preparer and name of taxpayer

B. Must identify the intended purpose of the disclosure, intended recipient of the information and particular use authorized

C. Must specify the tax return information to be disclosed or used by the preparer

D. If the preparer is located outside the US, the taxpayer’s consent prior to any disclosure is required

E. Must be signed and dated by the taxpayer

Timing requirements and limitations

• No retroactive consent

• A tax return preparer may not request a taxpayer’s consent for solicitation of business unrelated to tax return preparation

• No request for consent after an unsuccessful request

• No consent to disclosure of a taxpayer’s social security number to a return preparer outside the United States

Special Rules

• Multiple disclosures within a single consent form or multiple uses within a single consent form. A single written document cannot authorize both uses and disclosures.

• Disclosure of entire return – consent may authorize disclosure of all information in return

• Copy of consent must be provided to taxpayer

Revenue Procedure 2008-35

• Supplements the regulations and provides guidance to preparers obtaining consents to disclose and consents to use taxpayer data

– Consents must:

• Identify the intended purpose

• Identify the recipient and describe the information to be disclosed

• Include the name of the tax return preparer and taxpayer

• Include mandatory language to inform taxpayer he is not required to sign and if he signs, he can set duration of consent

• Consents must: (continued)

– Include mandatory language that refers taxpayer to TIGTA if he believes his return has been disclosed

– Include appropriate mandatory statement informing taxpayer his return information may be disclosed to a preparer located outside the U.S.

– Be in 12-point type on 8 ½ by 11 inch paper. Electronic consents must be in the same type as the web site’s standard text and

– Contain taxpayer’s affirmative consent (not an opt-out clause) and

– Be signed and dated by the taxpayer

• Updated regulations apply to:

– Paid preparers

– Software Developers

– Electronic Return Originators

– Persons or entities engaged in tax preparation service or auxiliary services

– Volunteer tax preparers (VITA)

– Tax Counseling for Elderly (TCE) volunteers

– Employees and contractors employed by tax preparation companies in a support role

Violations could result in imprisonment up to 1 year & fine of not more than $1,000 or both for each violation.

Gramm-Leach-Bliley Act

• This act consists of three sections:

– Financial Privacy Rule

– Safeguards Rule

– Pretexting provisions

Financial Privacy Rule

• Requires financial institutions to provide consumers with privacy notice at the time the consumer relationship is established and annually thereafter

• Must contain:

– Explanation of information collected

– Where the information is shared

– How information is used

– How the information is protected and

– The consumer’s right to opt out of the information being shared

• GLB defines “financial institutions” as companies that offer financial products or services to individuals, like loans, financial or investment advice or insurance. Federal Trade Commission (FTC) has jurisdiction over financial institutions such as:

• Non-bank mortgage lenders

• Real estate appraisers

• Loan brokers

• Some financial or investment advisers

• Debt collectors

• Tax return preparers

• Banks, and

• Real estate settlement service providers

Safeguards Rule

• Requires financial institutions to develop a written security plan that describes:

– How the company is prepared for and

– Plans to continue to protect clients’ nonpublic personal information (NPI)

• Plan must include:

– Designate one employee to manage safeguards

– Construct an analysis of each department’s handling of NPI

– Develop, monitor and test a program to secure NPI and

– Change the safeguards as needed with the changes in how information is collected, stored and used

Pretexting

• Social engineering – occurs when someone tries to gain access to NPI without proper authority

– Done by impersonators using:

• Phone

• Mail

• Email

• Phishing

A well written plan needs a section on training employees to recognize and deflect inquiries made under a pretext.

Privacy notice

• Must accurately describe how you collect, disclose and protect NPI. The notice must include:

– Categories of information collected

– Categories of information disclosed

– Categories of affiliates and nonaffiliated third parties to whom you disclose the NPI

– Categories of information disclosed and to whom

Privacy notice – (continued)

– A statement that the disclosures are made “as permitted by law” if disclosing to nonaffiliated third parties

– Explanation of customers’ right to Opt-Out

– Any disclosures required by the Fair Credit Reporting Act

– Policies and practices with respect to protecting confidentiality and security of NPI

Must be “clear and conspicuous” – using plain language and be easy to read

Opt-out notices

• Must give consumers a reasonable opportunity to opt-out.

• Once you receive an opt-out notice, you must comply with it as soon as is reasonably possible.

Safeguarding taxpayer information is a vital part of your business. There are many things to consider:

• Office personnel, janitorial service, computer technicians, contract labor

• Office, storage area, filing cabinets

• Client files

• Electronic transmissions, email, faxes, sharing files

• US mail, Fed ex, UPS

• Computer hardware and software, copy machines

Employee management and training

• Do background checks before hiring employees who will have access to NPI

• Employees sign agreement to follow company’s security standards for handling NPI

• Limit NPI to employees who have a need to see it

• Require employees to have strong passwords

• Use password-activated screen savers to lock computers after a period of inactivity

• Develop policies for use and protection of laptops, cellphones, PDAs or mobile devices

Employee Management Training (continued)

• Train employees to take steps to maintain security by:

– Locking rooms and file cabinets

– Not sharing or openly posting employee passwords

– Encrypting sensitive customer information when electronically transmitted

– Referring calls or other requests for customer information to a designated person

– Reporting suspicious attempts to obtain NPI

Employee Management Training (continued)

• Regularly remind employees of policies and legal requirements to keep NPI secure

• Develop policies for employees who telecommute

• Impose disciplinary measures for security violations

• Prevent terminated employees from accessing NPI by deactivating passwords and user names.

Information systems

Network and software design, information processing, storage, transmission, retrieval and disposal.

Suggestions for maintaining security from data entry to data disposal:

• Know where sensitive NPI is stored and store it securely

• Ensure secure transmission of customer information

• Dispose of customer information securely – consistent with FTC’s Disposal Rule

• Take steps to prevent security breaches
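One way to act on "know where sensitive NPI is stored" is to inventory plain-text files for taxpayer-identifier patterns. The sketch below is an added example, not part of the original presentation; the function names, the extension list and the sample files are hypothetical, and it only reads text formats (not PDFs or office documents).

```python
import os
import re
import tempfile

# 3-2-4 digits, one consistent separator, not inside a longer digit run.
ID_RE = re.compile(r"(?<!\d)(\d{3})([- ])(\d{2})\2(\d{4})(?!\d)")
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".eml", ".htm", ".html"}


def find_identifiers(text):
    """Return (kind, masked_value) for each plausible taxpayer identifier."""
    hits = []
    for m in ID_RE.finditer(text):
        area, _, group, serial = m.groups()
        # Never-issued values: area 000 or 666, group 00, serial 0000.
        if area in ("000", "666") or group == "00" or serial == "0000":
            continue
        kind = "ITIN-like" if area.startswith("9") else "SSN-like"
        hits.append((kind, "***-**-" + serial))  # never echo the full number
    return hits


def inventory(root):
    """Map each text file under root that holds identifiers to its hit count."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TEXT_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                hits = find_identifiers(fh.read())
            if hits:
                report[os.path.relpath(path, root)] = len(hits)
    return report


def demo():
    samples = {  # constructed data; no real taxpayer numbers
        "clients/notes.txt": "Smith, J. SSN 123-45-6789; spouse 987 65 4321",
        "clients/invoice.csv": "inv,amount\n1001,250.00\n",
        "scratch/old.log": "ref 000-12-3456 phone 555-867-5309",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return inventory(root)


if __name__ == "__main__":
    print(demo())
```

Files the report lists are candidates for moving to encrypted storage or for secure disposal; a clean report does not prove a folder is free of NPI.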

Communication

• There are many ways we communicate with clients and transmit sensitive information to other authorized individuals.

– USPS, Fed Ex, and UPS – considered somewhat secure

– Faxes – could be sent to wrong number – consider requesting confirmation

– Email – more vulnerable than other methods

Encryption is a way to alter the message in such a way the unintended recipient cannot decipher it. Learn how to do it.

• Sharing files on a secure server

– Internet services are available that allow you to upload files in an encrypted format which can be downloaded to the client’s computer. When using this kind of service, make sure the service:

• Is accessed via an “https” connection

• Requires an ID and password login

• Stores the files on the server in an encrypted format

• Deletes the files after a short period of time

• Logs the network address of the person downloading the file

Paper files

These can also be a security factor. Files need to be locked. Safeguard concerns are:

• Leaving documents in the open that are visible to customers or employees

• Preparer’s workspace should be free from other client information

• Scan paper files and destroy originals

• Destroy old files – burn, shred and certified destruction

Electronic Data

• Protect onscreen data from others in the room.

• Prevent theft of the computer.

• Flash drives can easily be picked up and taken or put in a pocket or purse and lost. Consider a flash drive that can be encrypted.

• Reformatting a flash drive may not remove the data. Consider destroying it completely.

Laptops are also not a secure means of storing information. They can easily be stolen. If a laptop is used for storage, consider full disk encryption. Look into:

• TrueCrypt

• BitLocker

• McAfee Endpoint Encryption

Biometrics (a fingerprint reader) in place of the computer password has been around for a few years. It can cost anywhere from $30 to $150.

Disposing of old computers requires that no bits of client information remain for the new owner to read.

Reformatted drives can be hacked. Wipe a drive with at least 7 passes. If you take the drive out and destroy it, make sure the platters inside the drive are broken.

Copiers, printers and fax machines also have the ability to retain information. Those also need to be destroyed when getting rid of them.

Secure software, strong passwords, data encryption, virus protection, locking your hard drive, and backing up your files ensure protection.

Protect your Wi-Fi – make sure it is password protected

Sharing files on network – turn off “simple file sharing” and turn on “share with permission”

Firewalls protect office computers from intruders

You are ultimately responsible!

Use safeguards to protect client NPI

NAEA created this educational program as part of its firm commitment to providing up-to-date, convenient continuing education that focuses on the issues that members identify as top priorities. Members are invited to suggest further areas of study or to submit presentations by contacting [email protected].

National Association of Enrolled Agents
1730 Rhode Island Ave, NW Ste 400
Washington, DC 20036
Toll free: 855-880-NAEA
www.naea.org