Critical Elements Of Practitioners' Required Security Plans
By now, most practitioners know that their firms must have a written security plan if they prepare tax returns. And even if a firm does not prepare tax returns, having a written security plan is still a solid business practice. Still, many firms have not yet created a plan, or their plan is inadequate. Remember, written security plans are not just a good idea but a legal requirement! If you renewed a Preparer Tax Identification Number (PTIN) this year, you had to certify that you were aware of the legal obligation to have a required security plan in place in your firm. Therefore, let’s examine the critical elements of your security plan to ensure that your organization is not unnecessarily exposed.
The Security Plan Requirement
The underlying legislation for required security plans in public accounting firms is the Gramm-Leach-Bliley Act (GLB) of 1999. However, GLB’s scope is not limited to public accounting firms; instead, it extends to many other businesses, including banks, credit card companies, and other financial institutions. After Congress passed GLB, the Federal Trade Commission created the Safeguards Rule and implemented it in 2003. The Safeguards Rule applies to financial institutions that are not subject to another regulator under Section 505 of GLB. In this context, “financial institutions” is a broad term and includes firms that prepare tax returns.
Among other things, the Safeguards Rule demands the following from covered organizations. First, covered organizations must develop, implement, and maintain an information security program. This program must include administrative, technical, and physical safeguards to protect nonpublic customer information. Notably, covered information includes information in both paper and electronic form. Further, covered organizations must document the plan, which must be appropriate to the size and complexity of the covered organization.
Of course, if your firm does not have a documented plan in force, the penalties can be severe. For example, the FTC can levy fines on non-compliant firms up to $100,000 for each violation. Further, partners, officers, and directors are subject to penalties of up to $10,000 for each violation.
Based on the above, there is no doubt that public accounting firms with a tax preparation business must have a documented security plan in place.
Nine Key Elements Of Your Security Plan
The Safeguards Rule outlines nine elements you must include in your security plan, as detailed below.
- The covered organization must designate a Qualified Individual to implement and supervise the plan. The Qualified Individual can be a team member or an outside resource, such as a consultant.
- Covered organizations must conduct a risk assessment to understand the risks posed to sensitive and private information stored by the organization. Recognize that these risks can arise internally and externally. The risk assessment must be written and include criteria for evaluating risks and threats.
- The covered organization must design and implement safeguards to control sensitive information in response to the risk assessment. Examples of controls include encrypting data, implementing appropriate authentication controls, and securely disposing of outdated information.
- You should regularly monitor and test the effectiveness of your safeguards. For example, annual penetration tests and semi-annual security scans can help satisfy this requirement.
- Staff training is a critical element of your security plan. Train all team members to spot potential security issues and provide more substantial training to those in charge of your required security plan.
- Covered organizations should monitor their service providers to ensure they have the appropriate skills and resources to maintain and comply with the company’s required security plan.
- Regularly update your plan to account for systems changes, personnel turnover, and evolving risks.
- Covered organizations should create an incident response plan to guide the organization in case of a security incident or breach.
- At least annually, the Qualified Individual responsible for the organization’s required security plan must report to the Board of Directors or a similar governing body.
Many organizations are likely already performing some, if not all, of the above steps. However, they are doing so in a “casual” manner and, therefore, are likely not complying with the Safeguards Rule.
Don't Forget About Training
Training team members – a requirement enumerated above – is a necessary element of your required security plan. However, to that point, understand that the training effort will not convert all team members into security experts, nor should it. Instead, for most team members, the training should be designed to help them understand the risks they may face and how to respond when they perceive a data security incident is unfolding. Further, short, repeated “bursts” of training are often the best way to reinforce security awareness. For example, including ten to fifteen minutes of security training in monthly staff meetings can have a profound impact on keeping data security as a “top-of-mind” concern for your team.
You can find additional resources to assist you with your required security plan by visiting one or both of the following sites.
Data security is not just a good idea – it is a legal requirement if you work in a firm that prepares tax returns! And this requirement is not new. Passed in 1999, the Gramm-Leach-Bliley Act mandates that tax practitioners have documented security plans in force. If you don’t, not only are you exercising poor business practices, but you are also incurring the risk of substantial financial penalties. So ensure you have an appropriate plan and train your team members to comply with that plan to avoid any compliance issues – and related fines – in this area.