IRS Data Breach Notification Guidelines
Every running business or organization today is well aware of the most common data security issues. They also understand the value of their data and infrastructure and the effort and attention they invest in the efforts to protect them. However, based on the recent security breaches that have targeted tech giants of late – including LivingSocial, Facebook, Twitter, and Target, the commercial world is far from ready to deal with data threats decisively.
The tax collector, IRS, has a cause to be concerned with the recent spate of data breaches targeting businesses and organizations of all sizes. An email from the IRS’s Return Preparer Office (RPO) outlines the steps that tax professionals and companies should follow when reporting data breaches to the IRS.
Dealing with a data breach can be time and effort-consuming, and costly to the targeted companies. The IRS insists that companies must report such occurrences aside from notifying the Federal Trade Commission of the breach. Here are the breach notification guidelines a business should follow as soon as the breach is detected to inform the IRS.
Reporting the Breach to The IRS
The United States Trade Commission (FTC) is responsible for setting the data safeguard regulations for businesses and the professional bodies that help individuals and businesses prepare their tax returns. The authority has laid down six security standards and privacy considerations to be followed while filing returns in the IRS Publication 1345 handbook. This guide details security and privacy measures that IRS e-file providers must take to safeguard the details of taxpayers.
The IRS Publication 4557 handbook is a comprehensive guide for tax preparers on what to do to safeguard the tax data of their clients from theft. It details what businesses and tax preparers should do when they notice any signs of data breaches or identity theft. We can summarize the process into three critical steps.
Step 1: Contact the IRS and Law Enforcement
A business or tax preparer must contact the IRS if they have reason to suspect that there has been a data breach. The breach should also be reported to the local law enforcement and the specifics of the incident to the state’s IRS Stakeholder Liaison. Here is a list of local IRS Stakeholder Liaisons you can contact
Once notified, the IRS Stakeholder Liaison will escalate the matter to the IRS Criminal Investigation division and any other agency within the service. The IRS can help track and block the identifying client details in the stolen data if the breach is reported promptly enough.
Step 2: Contact the Local Police
The next step a business should take following a data breach is to file a police report on the incident. A police report will be one of the most critical pieces of documentation the organization will need to make an insurance claim if it covers the data breach. The IRS Liaison recommends that a victim business reports the breach to the local FBI office and the Secret Service.
Step 3: Get a Security Expert
Consult a data security expert to assess the scope of the breach, forestall further damage, and prevent future breaches. If the business has insured its data, the business may call a data security expert on to determine the extent of the damage that the policy covers.
Dealing with Internal and External Communication
If a data breach already took place, there is one most crucial step to take to mitigate its effects: Communicate.
The realization that important data has been stolen or accessed can cause panic among staff and stakeholders. Panic only makes the situation worse. Clear internal communication to appraise employees, stakeholders, and everyone involved in the situation is critical to suppressing panic.
The business’s tech specialists, public relations and communications teams, and client service managers must understand the nature of the breach and the impact before external communication is made.
There are basic rules to follow before making external announcements of the breach. These five rules will go a long way to get everyone on the same page before news of the breach is disseminated to the media, mailed to clients, or even governmental agencies are notified.
- Be open and sincere on the cause and nature of the breach. If the source of the breach has been established, it must be correctly documented. If the company is at fault for the breach, the best course of action is to accept responsibility.
- Provide the details of the breach. These may include factors that made the breach possible and any remedies that could have helped prevent the breach. It is at this point that the business should notify the IRS of the data breach.
- Mitigate the disaster and come up with solution suggestions for the affected users. Where possible, a special offer for the affected clients or audience may help reassure them of the actions taken.
- Educate the staff, clients, stakeholders, and any other parties on the issues that led to the breach. Education should begin at the earliest opportunity while the impact of the breach is still fresh. In many cases, learning about the circumstances of the breach will help prevent similar issues in the future.
- Invite stakeholders to discuss the ways forward. Welcome the IT department staff, managed service providers, analysts, clients, and stakeholders to discuss the source of the problem and determine the cost of the breach. They can then develop potential solutions to help the company recover and refocus on meeting its goals.
Conclusion
A business must not wait too long before reporting a data breach to the authorities. In the United States, businesses and organizations are required to report to the IRS any breach instances that may involve Federal Tax Information (FTI). The IRS has detailed the steps a business should take and to whom they should report.
Many businesses rarely ever know what to do in the event of a data breach because they do not prepare for such an eventuality. When it happens, the business must bring in a data security professional to analyze and investigate the breach. Contact Mathe Technologies should you need professional, no-nonsense advice on how to mitigate the risks of a data breach or get help dealing with one now.
With over 35 years in the business of supporting and implementing technology for the SME market, and 6 years previously in Corporate IT and Voice. I have seen a great deal of change. The only common thread is I have always focused on the Business Wise application of Technology. We always try to look 5 years ahead of the current technology to make sure our clients are on the right track to meet current and future needs.