By Jeff Stimpson
The worst has happened: Hackers got to your system or maybe you left your iPad on the plane – and client information is gone. In this age of electronic business, few feelings of panic equal this moment.
But if you act quickly, you can help stop bogus returns from being filed in your clients’ names.
Tax preparers who suffer a data theft should report the incident immediately and follow an established process to protect their clients, whether they’ve been hit by cybercriminals, theft or accident. Here’s who to contact – and as fast as possible.
Report client data theft first to local IRS stakeholder liaisons, who will notify the Criminal Investigation division and others within the agency.
Also contact local offices of the Federal Bureau of Investigation and the Secret Service, as well as local police to file a report. Speed is critical.
The appropriate states
Any breach of personal information could have an effect on the victim’s tax accounts with the states, as well as with the IRS. The Federation of Tax Administrators has created a page with state-by-state listings of who to contact after a data loss. Also contact the attorney general for each state in which returns are prepared.
Your insurance company
Report the data loss to the appropriate insurance company and check if your insurance policy covers data breach expenses. They may also be able to provide help in remediation, and to give you advice on how to proceed.
Consult a cybersecurity expert who can help determine the cause and scope of the breach, stop the breach, and then prevent further breaches from occurring.
Agencies and bureaus
The Federal Trade Commission offers general guidance on data loss, from how to question those who discovered the breach to when to call in lawyers. For more individualized guidance, contact the FTC at [email protected].
Credit monitoring and ID theft protection agencies
Some states require tax preparers to offer credit monitoring and ID theft protection to victims of ID theft; if that’s the case in your state, contact credit and ID-theft protection agencies.
Send an individual letter to all victims to inform them of the breach – but work with law enforcement on when to send that letter so it doesn’t inadvertently hinder any investigation that may be under way.