How to Develop an IRS Data Security Plan

The Internal Revenue Service (IRS) recently added a requirement for all tax preparers to develop a “Data Security Plan” to protect customer data. The IRS responded to growing threats against small businesses that handle sensitive customer information. Tax professionals can be ideal targets since electronic tax data contains lots of personal information that would be gold in the hands of hackers, including social security numbers (SSN or EIN) and detailed financial information.

The IRS took the additional step of requiring tax preparers to verify that they have a data protection plan in place when they renew their PTIN number. According to the IRS, there are over 1 millions tax professionals in the United States, many of them small businesses or even sole practitioners. For many of these people, the task of creating such a plan seems complex and overwhelming. In this article we try to demystify the process and help practitioners create cyber security plan that works.

What is a Data Security Plan according to the IRS?

In its simplest form, a Data Security Plan is a written document that describes how your firm protects customer data. While most tax preparers are careful with customer data, rarely are these policies and practices written down and approved by management.

IRS Cyber Security Plan
IRS Cyber Plan

In addition, the IRS requires all plans to address certain key areas (see below). A Data Security Plan should be the “roadmap” for how your organization protects customer data, including references to specific policies and procedures that you adopt and follow. So a complete data security plan will not be a single document, but one or more written documents:

  1. The Written Data Security Plan – The main plan document, covering key topics, management statements and overall implementation. (And)
  2. Supporting Documents – Written security policies and procedures for HOW you implement the plan.

While the “plan” may be one large document, it often makes sense to separate out specific policies, lists, procedures, training and other documentation to keep the overall cyber plan simple.

What are the elements of an IRS data security plan?

The IRS requires that a data security plan have key elements. However, the refer to other documents such as IRS Publication 4557 to get the details. We have summarized the requirements here and in our IRS Cyber Plan Template. The IRS wants to make sure that practitioners don’t miss key “controls” that are known to protect customer data. While many small business may consider these requirements “overkill” – the key is not to ignore them, but to put together a plan that works for your company. The IRS specifies that a data security plan should cover the following:

Roles and Responsibilities – The organization must appoint a “leader” who is responsible for the information security function and then document his/her specific responsibilities. This person is the “go to” person for anything related to information security, and they need to approve and update the plan. This may be an internal person or an outside consultant.

Risk Management – The Plan should take into account the common cyber security risks to the organization, and ensure that the plan addresses these risks. The most common security threats for IRS practitioners would malware/ransomware, or accidental disclosure of personal data via email or web site hacks.

Policies and Procedures – The Plan requires the organization to develop written Information Security Policies and procedures to support the plan. For example, organizations should have an Acceptable Use of Assets Policy that defines how employees should interact with IT systems and the internet. (Note: The IRS Security Plan Template has all of these policies pre-written.)

Data Protection Safeguards – The Plan will require your organization to put tools in place to protect data. The most common examples are: (1) A firewall to protection your network, (2) malware protection on your PC’s or laptops, and (3) security awareness training for employees.

Security Awareness Training – The Plan should address how organizations will train employees and contractors on safe computer use. One of the most common and damaging attacks to small organizations is “ransomware” – where attackers seize control of your data and ask for payments to unlock it. These are almost always caused by users error – people clicking on email links that automatically download the malware.

Response and Recovery – The Plan should address how the organization will respond in the event of a successful attack or possible data breach. For most small organizations, this will start by calling your IT support personnel and your lawyer. If you believe there IS a breach, you will want to hire a forensics firm to help investigate. If your firm has Cyber Breach Insurance, those policies typically include access to a “Breach Coach” or other firms that can advise.

In short, any IRS Data Security Plan must cover these areas in some detail to address all of the IRS requirements.

Developing a Written IRS Data Security Plan

The best way to get started is to use some kind of “template” that has the outline of a plan in place. The Plan would have each key category and allow you to fill in the details. IRS Publication 4557 provides details of what is required in a plan. Unfortunately, the standard outline will often require “written information security policies” that are up to you to provide. For example, does your organization have an “Acceptable Use Policy” that defines how employees should use the internet, email and other tools to protection information? Most organizations would need to develop these from scratch. That is why our IRS Cyber Security Plan Template also includes pre-written security policies that cover all of the IRS requirements.

Customizing the Data Security Plan

Once you have the Plan outline, its time to customize it based on your organization. For example, you would want to list the specific individual who is responsible for information security, including their name and contact number. You will also want to write an ‘overview’ of your business, including the main systems and data within the organization. You will also want to list the “technical safeguards” you have in place to address each area. For example, what software tools do you use to support your anti-virus policy? How do you encrypt data stored on laptops or applications? What system do you use to train users? Unfortunately there is no shortcut to completing these sections. The GOOD news is that your firm probably does many of these things, they are just not documented.

Finalizing and Approving the Plan

The last step is to formally “approve” the plan. After you have drafted the plan, review it once more for accuracy. If you have a firm with a legal department, you can have them also review and “approve” the plan. This can be done simply by appended a footer at the end of the plan as follows:

VersionApproval DateApproved By Security Officer:Comments
1.0mm/dd/yyyyRobert T. JonesInitial version
Example of Cyber Plan Approval Section

As you revise and update the plan, you can add rows to the table to indicate any updates or changes. This not only provides evidence of approval, but helps show that your plan is being updated on a regular (annual) basis according to IRS requirements.

Now your plan is ready.

What’s Next: Following the Data Security Plan

Checking a box on the IRS web site is one thing. Actually DOING what your plan requires is another altogether. Most IRS professionals want to protect customer data, they just want to do it in a way that is appropriate for their business. Once you have developed the Data Security Plan, follow these three (3) key steps to keep your organization in compliance.

Confirm that you are following the plan requirements

This part is probably the most difficult – but can easily be done once you have your outline from the Plan. You simply work through each of the policy requirements in your plan and determine if you have done what is required. For example:

Have we appointed someone to be in charge of information security?

Have we implemented encryption on laptops that store customer data?

Do we know what to do if there is a possible data breach?

Address any Security Gaps

Once you assess your progress against your Plan, you may find some gaps. For example, perhaps you don’t provide security awareness training to employees (even if there is only ONE!) Perhaps you don’t encrypt customer data on laptops and need a solution. In this case you will want to do the work of finding technical solutions. Of course, the internet has many, many solutions in each area. In many cases, IRS tax preparers have IT service providers. These firms can be tremendous resources for finding tools to help. In fact, many of these firms already provide these key features and you might not even know it!

If you start with our IRS Security Plan Template, you will not have a gap in written information security policies. Each required area is covered with pre-written security policies that have been used by over 10,000 organizations worldwide.

Review and Update on an Annual Basis

The IRS requires that the Data Security Plan be reviewed and “approved” at least once annually. This process can be straightforward – especially since most organizations do not change a lot during the year. The key to addressing this requirement is maintaining version control on your Plan. A key elements of the plan should be a section that indicates when the plan was updated and who approved the update.