Take these steps after a data loss March 2018 Tax News
Important steps to take and contact information if you experience data theft
Contact the IRS and law enforcement:
- IRS – Report client data theft to the local IRS Stakeholder Liaison. Liaisons will notify IRS Criminal Investigation and other appropriate offices within the agency on your behalf. Speed is critical. If reported quickly, the IRS can take steps to block fraudulent returns in your clients’ names.
- Federal Bureau of Investigation – Contact your local office.
- Local police – File a police report on the data theft.
Contact state agencies where you prepare state returns:
- State Tax Agencies.
- State Attorneys General – Most states require that the attorney general be notified of data thefts. This process may involve contacting multiple offices.
- Security expert – They can determine the cause and scope of the theft. They can also figure out how to prevent further losses.
- Insurance company – You should check to see if your insurance policy covers expenses related to the data loss.
Contact clients and other services:
- Federal Trade Commission – They offer tips and templates for businesses that suffer data compromise. They even have suggested language for informing clients.
- Clients – Send a letter to victims letting them know about the theft. You should work with law enforcement on timing. If you have prior-year data in your system you may need to contact former clients.
- Tax software provider – Contact the provider you use in case they need to take steps to prevent inappropriate use of the compromised account for e-filing.
- Website and client portal provider – Thieves may have stolen passwords. You and the software provider would need to reset these.
- Credit and identity theft protection agency – Certain states require credit monitoring and identity theft protection to victims of ID theft. Check to see if you need to do this.
- Credit bureaus – Notify them if there’s a compromise. Your clients may seek their services.
IRS’ toll-free assistors cannot accept third-party notification of tax-related identity theft. Clients should file a Form 14039, Identity Theft Affidavit, only if their electronic return is rejected as a duplicate, or they’re directed to do so.