Tax Season Prep: Building a Data Security Plan

Posted by Cathy Roth on Oct 5, 2021 12:19:52 PM

You might think that you are securing your client data, but are you really? Surely Neiman Marcus thought they had full data security, but they are currently notifying 4.6 million of their customers of a potential exposure of their personal and financial information. Do you have an adequate data security plan? What should you do if your practice falls victim to a data breach or information theft?

Data Security Plan

All accounting and bookkeeping professionals should have a written data security plan that is reviewed and updated. Depending on the size of your practice, the type of services you offer and the client data and information you access and retain, your data plan may need to be quite robust. 

There are six components to a data security plan.  

  • Install and update antivirus software that scans files and memory for malware
  • Use firewalls to shield your computer or network from malicious traffic or malware
  • Use two-factor authentication to secure email, accounting software or any password-protected product
  • Routinely back up critical files to a secure external hard drive or cloud storage service
  • Encrypt files on computers and removable media
  • Write down your data security plan as required by the Federal Trade Commission's Safeguards Rule

Over the next few weeks, we will address each of these six components in greater detail to help you create your data security plan. 

What steps should you take if your practice is the victim of a data breach or information theft?

The IRS provides specific steps you should take (in the order provided) if your practice is a victim of data theft. 

1. Contact the IRS

It is critical that you contact your local IRS Stakeholder Liaison as soon as possible. Your liaison will then notify all relevant parties at the IRS to block or limit fraudulent tax returns in the names of your clients.

Stakeholder Liaison phone numbers by area:

  • Area 2 (CT, DE, MA, MD, ME, NH, NJ, PA, RI, VT, WV): (412) 404-9151
  • Area 3 (AR, AL, DC, IN, KY, LA, MI, MS, OH, OK, TN, VA): (405) 982-6807
  • Area 4 (FL, GA, NC, NY, SC, TX): (216) 415-3518
  • Area 5 (AZ, CA, HI, NM, NV): (203) 492-8630
  • Area 6 (AK, CO, IA, ID, IL, KS, MN, MO, MT, NE, ND, OR, SD, UT, WA, WI, WY): (206) 946-3703


2. Contact law enforcement

After you contact your local stakeholder liaison at the IRS, you need to report the data theft to law enforcement. You will need to contact either the FBI or the Secret Service. In addition, you will need to file a report with your local police. 

3. Contact each state in which you prepare state returns

Unfortunately, if data from your practice is stolen, there may be an impact on tax accounts in all of the states where you file state tax returns for your clients. And that means you need to notify two authorities for each and every state:  

4. Contact other experts

  • Data security experts - they will need to investigate the data breach, including a determination of the cause and scope of the breach, develop steps to stop the breach, and then create a plan to prevent future breaches
  • Insurance company - the breach should be reported to your insurance company, who will determine if your policy covers the expenses involved in mitigating the breach
  • Credit and identity theft protection agency - depending on the state, you may be required to offer credit monitoring and ID theft protection to your clients
  • Credit bureaus - notify them that there has been a compromise and that your clients may reach out to them
  • Federal Trade Commission - download this Data Breach Response guide; additionally, you can contact the FTC at

5. Contact your clients

You will need to contact all of your clients to notify them of the data breach. However, work with law enforcement on when you should send the letter.

Prepare to build your data security plan

Over the next few weeks, we will provide steps to build your data security plan for your practice. To make sure you don't miss a single component of the data security plan, read The Woodard Report every day!

Topics: Business Technology
