PHOENIX — The IRS, state tax agencies and the tax industry today reminded tax professionals that if they experience a breach or theft of taxpayer data they should immediately contact the IRS to help protect clients.
The IRS can take some steps to lessen the impact of tax-related identity theft on clients, but a quick response by tax practitioners discovering a problem can help avert problems. Generally, criminals work quickly to convert the stolen data into fraudulent tax returns to claim refunds.
Encouraging tax practitioners to report data thefts is the final news release in a 10-week, "Don't Take the Bait" campaign, an effort focused on informing tax professionals. The IRS, state tax agencies and the tax industry, working together as the Security Summit, urge practitioners to immediately report data losses to the IRS and state tax agencies. This is part of the ongoing Protect Your Clients; Protect Yourself effort.
"The IRS, the states and the nation's tax community continue to make progress in the battle against tax-related identity theft," said IRS Commissioner John Koskinen. "But we need the help of tax professionals across the country to help strengthen this effort. In addition to working to ensure the safety of their systems, practitioners should promptly report identity theft or data breaches to help protect their clients."
The IRS has created a reporting process for tax professionals. Those experiencing a data loss should contact their local IRS stakeholder liaison. The IRS representative will relay information to other parts of the IRS that need to know, including the Return Integrity and Compliance Services and Criminal Investigation divisions.
Also, be aware that some states require notification of data losses, and tax professionals should notify each state for which they prepare returns.
IRS stakeholder liaisons will need a list of the affected taxpayers, including names and Social Security numbers. Send the file to liaisons in a CSV (Comma Separated Values) format. If using Microsoft Excel, simply "save as" and scroll the list of options to CSV. Save and encrypt the file before emailing it to IRS staff.
Protecting Clients and Businesses by Reporting Data Thefts
Tax professionals should review IRS Data Theft Information for Tax Professionals for details on reporting losses. Preliminary steps include:
Contacting the IRS and law enforcement:
- Internal Revenue Service, report client data theft to local stakeholder liaisons.
- Federal Bureau of Investigation, the local office.
- Secret Service, the local office (if directed).
- Local police – To file a police report on the data breach if required by insurance companies.
Contacting states in which the tax professional prepares state returns:
- Any breach of personal information could impact the victim's tax accounts with the states as well as the IRS. Email the Federation of Tax Administrators at StateAlert@taxadmin org to get information on how to report victim information to the states.
- State Attorneys General for each state in which the tax professional prepares returns. Most states require that the attorney general be notified of data breaches. This notification process may involve multiple offices.
- Contact a security expert to determine the cause and scope of the breach, to stop the breach and to prevent further breaches from occurring.
- Contact insurance companies to report the breach and to check if the insurance policy covers data breach mitigation expenses.
Contacting clients and other services:
- Federal Trade Commission
- For more individualized guidance, contact the FTC at email@example.com.
- Credit / identity theft protection -- certain states require offering credit monitoring / identity theft protection to victims.
- Credit bureaus – to notify them if there is a compromise and clients may seek their services.
- Clients – Send an individual letter to all victims to inform them of the breach but work with law enforcement on timing.
- IRS toll-free assisters cannot accept third-party notification of tax-related identity theft. Again, preparers should use their local IRS Stakeholder Liaison.