Post on 27-Jul-2020
WHO TO CONTACT DURING THE LIVE PROGRAM
For Additional Registrations:
-Call Strafford Customer Service 1-800-926-7926 x1 (or 404-881-1141 x1)
For Assistance During the Live Program:
-On the web, use the chat box at the bottom left of the screen
If you get disconnected during the program, you can simply log in using your original instructions and PIN.
IMPORTANT INFORMATION FOR THE LIVE PROGRAM
This program is approved for 2 CPE credit hours. To earn credit you must:
• Participate in the program on your own computer connection (no sharing) – if you need to register
additional people, please call customer service at 1-800-926-7926 ext. 1 (or 404-881-1141 ext. 1).
Strafford accepts American Express, Visa, MasterCard, Discover.
• Listen on-line via your computer speakers.
• Respond to five prompts during the program plus a single verification code.
• To earn full credit, you must remain connected for the entire program.
Cybersecurity, the IRS, and Data Security Plans: Meeting
FTC Requirements and IRS Guidelines
TUESDAY, MAY 12, 2020, 1:00-2:50 pm Eastern
Tips for Optimal Quality (for live program only)
Sound Quality
When listening via your computer speakers, please note that the quality
of your sound will vary depending on the speed and quality of your internet
connection.
If the sound quality is not satisfactory, please e-mail sound@straffordpub.com
immediately so we can address the problem.
May 12, 2020
Cybersecurity, the IRS, and Data Security Plans: Meeting FTC Requirements and IRS Guidelines
Joseph J. Lazzarotti, Principal
Jackson Lewis
joseph.lazzarotti@jacksonlewis.com
Nancy D. Lieberman, General Counsel
Anchin Block & Anchin
nancy.lieberman@anchin.com
Notice
ANY TAX ADVICE IN THIS COMMUNICATION IS NOT INTENDED OR WRITTEN BY
THE SPEAKERS’ FIRMS TO BE USED, AND CANNOT BE USED, BY A CLIENT OR ANY
OTHER PERSON OR ENTITY FOR THE PURPOSE OF (i) AVOIDING PENALTIES THAT
MAY BE IMPOSED ON ANY TAXPAYER OR (ii) PROMOTING, MARKETING OR
RECOMMENDING TO ANOTHER PARTY ANY MATTERS ADDRESSED HEREIN.
You (and your employees, representatives, or agents) may disclose to any and all persons,
without limitation, the tax treatment or tax structure, or both, of any transaction
described in the associated materials we provide to you, including, but not limited to,
any tax opinions, memoranda, or other tax analyses contained in those materials.
The information contained herein is of a general nature and based on authorities that are
subject to change. Applicability of the information to specific situations should be
determined through consultation with your tax adviser.
© 2020 Jackson Lewis P.C.
Cybersecurity, the IRS, and Data Security Plans: Meeting FTC Requirements and IRS Guidelines
Joseph J. Lazzarotti, Esq.
May 12, 2020
Jackson Lewis, P.C. - Berkeley Heights, NJ office
Joseph.Lazzarotti@jacksonlewis.com
Nancy D. Lieberman, Esq.
Anchin, Block & Anchin LLP
Nancy.Lieberman@Anchin.com
An all too familiar story…
- Tax preparation service, traditional or online, gets hacked.
- Phishing, spoofing, business email compromise, inadvertent disclosure…
- Sensitive tax information gets into the hands of malicious actors.
- Malicious actors file false tax returns…
Jackson Lewis P.C. 6
None of us can escape
• Ponemon Institute 2018 annual survey of SMBs found:
• 67% of respondents reported experiencing a cyberattack
• 58% reported experiencing a data breach
• $1.43M – average cost of damage to or theft of IT assets
• $1.56M – average cost of disruption to normal business operations
• Additional costs – digital forensics, legal, notice distribution, call center, credit monitoring, government agency investigations
Client/Employee Data on the Move
(Diagram: client and employee data flows between the following parties)
• CPA firm
• IRS, other tax agencies
• Individual clients
• Business clients
• Cloud services
• Financial advisors
• Employees
Understandable?
Getting started!
• Plan and gather data
• Identify risks and vulnerabilities
• Consider existing safeguards and evaluate risk
• Select and implement safeguards to address risks
• Re-evaluate (and repeat the cycle)
Personal Information
• Individually identifiable information from or about an individual consumer, including but not limited to:
• email address;
• user account credentials;
• first and last name;
• government-issued identification number, such as a Social Security number;
• mobile or other telephone number;
• home or other physical address, including street name and name of city or town; or
• any information from or about an individual consumer that is combined with any of the information above
• Source: settlement agreement between the FTC and TaxSlayer, LLC, Aug. 2017
Factors Driving Risk and Legal Obligations
Residence of Data Subject
• Permissibility of collection
• Data security safeguards
• Conditions for disclosure
• Record retention
• Rights to access/delete (GDPR/CCPA/…)
Purpose for Collection/Use
• Employment
• Marketing
• Tax preparation
• Tax controversy
• Payroll services
• Advisory work
• Purchase/sell practice
• Location or system monitoring
Nature of Information
• Use and disclosure
• Sharing internally
• Record retention requirements
• Level of security safeguards
• Breach notification requirements
Format
• I-9 requirements
• Level of security safeguards
• Accessibility and integrity
Location of Information
• Remote workforce
• Devices
• Third-party service providers
• Referral sources
• Cross border transfers
◆ Gramm-Leach-Bliley Act (GLB)
◆ Financial Privacy Rule
◆ Safeguards Rule
◆ Pretexting Rule
◆ Agency guidance
◆ Internal Revenue Service
◆ Federal Trade Commission
◆ State data security laws
◆ Agency guidance
◆ AICPA
FTC Safeguards Rule
❑ Designate one or more persons to coordinate the program
❑ Identify and assess risks to customer information
❑ Evaluate the effectiveness of current safeguards to address those risks
❑ Develop and implement the security program, then monitor and test it
❑ Select service providers that can maintain appropriate safeguards
❑ Bind service providers by contract to safeguard customer data, and oversee them
❑ Evaluate and adjust the security program periodically for changes in circumstances, business, and operations
FTC Focus:
• Employee Management and Training
• Information Systems
• Detecting and Managing System Failures
Employee Management and Training
• Background checks
• Confidentiality agreement
• Access limited to those with a business reason to know
• Password management
• Locking screens following a period of inactivity
• Manage devices
• Training and awareness
• Remote work controls
• Impose sanctions for violations
• Terminate access at employment termination
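The "business reason to know" and "terminate access at employment termination" items are only as good as the review that enforces them. The script below is an added example written for this page, not from the presentation or either firm: it reconciles an application's account export against the HR roster and reports terminated employees whose accounts are still enabled, accounts with no HR owner, and accounts nobody has used in a while. The roster, the account export and the 90-day staleness threshold are constructed; a real run would pull these from the HR system and from each application that holds client data.

```python
"""Reconcile application accounts against the HR roster.

Added example for this page (not from the presentation or either firm).
The roster, the account export and STALE_DAYS are constructed/assumed.
"""
from datetime import date

# Constructed HR roster: login -> (employment status, termination date or None)
HR_ROSTER = {
    "asmith": ("active", None),
    "bjones": ("terminated", date(2020, 3, 31)),
    "cwu": ("active", None),
    "dlee": ("terminated", date(2020, 4, 15)),
}

# Constructed account export from the tax-prep application:
# login -> (enabled?, last login, groups that can read client data)
ACCOUNTS = {
    "asmith": (True, date(2020, 5, 11), {"tax-prep"}),
    "bjones": (True, date(2020, 4, 2), {"tax-prep", "payroll"}),  # enabled after termination
    "cwu": (True, date(2019, 12, 1), {"tax-prep"}),  # active employee, unused account
    "dlee": (False, date(2020, 4, 14), set()),  # correctly disabled
    "svc_scan": (True, date(2020, 5, 10), {"tax-prep"}),  # no HR record: orphan/service account
}

STALE_DAYS = 90  # assumed policy value: review accounts unused for longer than this
DEMO_TODAY = date(2020, 5, 12)  # review date used by the demo


def reconcile(roster, accounts, today):
    """Return findings keyed by the action the reviewer should take.

    disable: enabled accounts of people HR lists as terminated, with the groups
             they can still reach so the reviewer sees the exposure
    orphan:  accounts with no HR owner; each needs a named owner or removal
    stale:   enabled accounts unused for more than STALE_DAYS
    """
    findings = {"disable": [], "orphan": [], "stale": []}
    for login, (enabled, last_login, groups) in sorted(accounts.items()):
        if login not in roster:
            findings["orphan"].append(login)
            continue
        status, term_date = roster[login]
        if status == "terminated" and enabled:
            findings["disable"].append((login, term_date, sorted(groups)))
        elif enabled and (today - last_login).days > STALE_DAYS:
            findings["stale"].append((login, (today - last_login).days))
    return findings


def report(findings):
    """Render findings as lines a reviewer can act on."""
    lines = []
    for login, term_date, groups in findings["disable"]:
        lines.append(f"DISABLE {login}: terminated {term_date}, still in {groups}")
    for login in findings["orphan"]:
        lines.append(f"ORPHAN  {login}: no HR owner, assign an owner or remove")
    for login, days in findings["stale"]:
        lines.append(f"STALE   {login}: no login for {days} days, confirm still needed")
    return lines


if __name__ == "__main__":
    for line in report(reconcile(HR_ROSTER, ACCOUNTS, DEMO_TODAY)):
        print(line)
```

Run this on a schedule (and on every termination) rather than once a year; the output is also the evidence a Safeguards Rule or SHIELD Act reviewer will ask for when checking that access is actually removed at termination.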
Information Systems
• Know the what, where, how, who, and why of data
• Access management
• Backups, including offline storage
• Password management
• Physical security
• Inventory systems and devices
• Secure transmission of customer data
• Follow the FTC Disposal Rule – secure destruction
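An offline backup is only a safeguard if the copy actually matches the source, and the only way to know that before an incident is to verify it. The script below is an added example for this page, not code from the presentation or either firm: it builds a SHA-256 manifest of the source tree, then checks a backup copy against it and reports files that are missing, altered or unexpected. The file names and contents are constructed; keep the real manifest with your own records, not only on the backup media, so that whoever can alter the backup cannot also alter the record you check it against.

```python
"""Verify an offline backup copy against a hash manifest.

Added example for this page (not from the presentation or either firm).
File names and contents are constructed; real backups would be larger and
the manifest stored separately from the backup media.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hash a file in chunks so large client archives need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path relative to root to its SHA-256 digest."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(path)
    return manifest


def verify_backup(manifest, backup_root):
    """Compare a backup tree with the manifest taken from the source.

    missing: files in the manifest absent from the backup (incomplete copy)
    changed: files whose content differs (corruption or tampering)
    extra:   files not in the manifest (worth a look, but not a failure)
    """
    current = build_manifest(backup_root)
    missing = sorted(set(manifest) - set(current))
    changed = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(set(current) - set(manifest))
    return {"ok": not (missing or changed), "missing": missing, "changed": changed, "extra": extra}


def _write(root, rel, data):
    """Write bytes to root/rel, creating directories as needed."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Build a source tree and its backup, then verify before and after damage."""
    files = {  # constructed sample data
        "returns/client1.txt": b"Form 1040 data for client 1\n",
        "payroll/q1.csv": b"employee,gross\nasmith,5000\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as dst:
        for rel, data in files.items():
            _write(src, rel, data)
            _write(dst, rel, data)  # the "backup" copy
        manifest = build_manifest(src)
        before = verify_backup(manifest, dst)
        # Simulate a bad backup: one file altered, one never copied.
        _write(dst, "returns/client1.txt", b"Form 1040 data for client 1 (altered)\n")
        os.remove(os.path.join(dst, "payroll", "q1.csv"))
        after = verify_backup(manifest, dst)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("fresh copy ok:", before["ok"])
    print("damaged copy:", after)
```

The same check, run against the backup before it is disconnected and again before it is relied on for a restore, is what turns "we have backups" into a control you can show an auditor.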
Detecting and Managing System Failures
• Deter
  • Track news on emerging threats and available defenses, including from software vendors' websites
  • Stay up to date on security updates and patches
  • Maintain up-to-date firewalls
  • Close unused ports
• Detect
  • Maintain and monitor system and other log files
  • Intrusion detection systems
  • Look for "indicators of compromise" – e.g., unexpected large data file transfers
• Defend
  • Maintain an incident response plan
  • Coordinate with law enforcement, including the IRS and state agencies
  • Cyberinsurance
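"Monitor log files" and "look for unexpected large data file transfers" become concrete once you decide what "unexpected" means. The script below is an added example for this page, not code from the presentation or either firm: it reads constructed egress log lines, totals outbound bytes per user per day, and alerts when a day exceeds a hard limit or more than ten times that user's own median from prior days, listing any destination the user had never contacted before. The log format, the sample lines and both thresholds are assumptions; change the regex to match what your firewall or proxy actually emits.

```python
"""Flag unexpected large outbound transfers in egress logs.

Added example for this page (not from the presentation or either firm).
The log format, the sample lines and the thresholds are constructed; adapt
LINE_RE to whatever your firewall or proxy actually emits.
"""
import re
import statistics
from collections import defaultdict

# Constructed egress log: a few days of two users' normal traffic plus one
# overnight 700 MB upload to a never-seen host.
SAMPLE_LOG = """\
2020-05-04T09:12:01Z src=10.0.0.21 user=asmith dst=52.96.0.1 bytes_out=1200000 proto=https
2020-05-04T14:40:33Z src=10.0.0.22 user=bjones dst=52.96.0.1 bytes_out=900000 proto=https
2020-05-05T10:03:12Z src=10.0.0.21 user=asmith dst=52.96.0.1 bytes_out=1500000 proto=https
2020-05-05T11:15:00Z src=10.0.0.22 user=bjones dst=52.96.0.1 bytes_out=1100000 proto=https
2020-05-06T08:58:40Z src=10.0.0.21 user=asmith dst=52.96.0.1 bytes_out=1300000 proto=https
2020-05-06T16:20:05Z src=10.0.0.22 user=bjones dst=52.96.0.1 bytes_out=800000 proto=https
2020-05-07T02:14:03Z src=10.0.0.22 user=bjones dst=203.0.113.9 bytes_out=734003200 proto=https
2020-05-07T09:30:00Z src=10.0.0.21 user=asmith dst=52.96.0.1 bytes_out=1400000 proto=https
"""

LINE_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2})T\d{2}:\d{2}:\d{2}Z\s+src=\S+\s+user=(?P<user>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes>\d+)"
)


def parse(log_text):
    """Return ([(day, user, dst, bytes), ...], count of unparseable non-empty lines).

    Unparseable lines are counted rather than silently dropped: a sudden jump
    in that count usually means the log format changed and detection is blind.
    """
    events, bad = [], 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["day"], m["user"], m["dst"], int(m["bytes"])))
        elif line.strip():
            bad += 1
    return events, bad


def find_exfil_candidates(log_text, abs_threshold=500_000_000, ratio=10, min_baseline_days=2):
    """Alert on a user-day whose outbound bytes exceed a hard limit or exceed
    `ratio` times the median of that user's prior days; each alert also lists
    destinations the user had never contacted before."""
    events, _ = parse(log_text)
    totals = defaultdict(int)   # (user, day) -> bytes out
    dsts = defaultdict(set)     # (user, day) -> destinations contacted
    for day, user, dst, n in events:
        totals[(user, day)] += n
        dsts[(user, day)].add(dst)

    alerts = []
    for user, day in sorted(totals):
        prior = sorted(d for (u, d) in totals if u == user and d < day)
        total, reasons = totals[(user, day)], []
        if total > abs_threshold:
            reasons.append("over_absolute_threshold")
        if len(prior) >= min_baseline_days:
            baseline = statistics.median(totals[(user, d)] for d in prior)
            if baseline > 0 and total > ratio * baseline:
                reasons.append("over_baseline_ratio")
        if reasons:
            seen_before = set().union(*(dsts[(user, d)] for d in prior)) if prior else set()
            alerts.append({
                "user": user, "day": day, "bytes": total, "reasons": reasons,
                "new_destinations": sorted(dsts[(user, day)] - seen_before),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_exfil_candidates(SAMPLE_LOG):
        print(alert)
```

The per-user baseline matters more than the hard limit: a 700 MB upload is routine for someone who sends scanned returns to a cloud archive daily and alarming for someone who never has, and comparing against each person's own history keeps the alert list short enough that someone will actually read it.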
IRS Security Six
❑ Antivirus software
❑ Firewalls
❑ Two-factor authentication
❑ Backup software/services
❑ Drive encryption
❑ Virtual Private Network (VPN)
IRS Basic Security Steps:
• Learn to recognize and not engage with phishing emails.
• Enable automatic updates for software.
• Encrypt all sensitive files/emails.
• Back up sensitive data to a safe and secure external source that is not connected to the network full time.
• Make a final review of return information – especially direct deposit information - prior to e-filing.
• Wipe clean or destroy old computer hard drives and printers that contain sensitive data.
• Check IRS e-Services account weekly for number of returns filed with EFIN.
Leverage Common Threads
Quick Summary of State Laws
• Breach notification
• Security rules
• Vendor agreements
• Data disposal
New York Approach
➢ Stop Hacks and Improve Electronic Data Security Act ("SHIELD Act")
➢ Data security requirements effective March 21, 2020.
➢ Adds new data security protections for personal information.
➢ Amends New York's existing data breach notification law.
➢ Penalties
  ➢ Breach notification – the greater of $5,000 or up to $20 per instance of failed notification, provided that the latter amount shall not exceed $250,000.
  ➢ Reasonable safeguards – not more than $5,000 for each violation.
New York Approach
➢ "Private information" means personal information (information concerning a natural person that can be used to identify that person) in combination with any of the following data elements:
  ➢ SSN, driver's license number
  ➢ Account/credit card number with security/access code, password, or other information that permits access to the individual's financial account
  ➢ Account/credit card number alone if the individual's financial account can be accessed without additional identifying information, security/access code, or password
  ➢ Biometric information
➢ Private information also includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.
New York Approach
The General Rule:
"Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data."
New York Approach
The Compliant Regulated Entity
➢ Persons or entities subject to and compliant with:
  ➢ Gramm-Leach-Bliley Act;
  ➢ Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act;
  ➢ NYSDFS Reg. 500 (23 NYCRR 500); or
  ➢ any other data security rules and regulations of, and the statutes administered by, federal or New York state agencies.
New York Approach
What if you are not a “Compliant Regulated Entity”?
➢ Administrative Safeguards
➢ Physical Safeguards
➢ Technical Safeguards
New York Approach
Small business exclusion – no, but a lower standard for compliance.
➢ "Small business" means any person or business with:
  ➢ fewer than fifty employees;
  ➢ less than $3M in gross annual revenue in each of the last three fiscal years; or
  ➢ less than $5M in year-end total assets, calculated per GAAP.
➢ Must still have reasonable administrative, technical and physical safeguards, but they may be appropriate for the size and complexity of the small business, the nature and scope of its activities, and the sensitivity of the personal information it collects.
California Approach
➢ Constitutional protection
➢ Breach notification
➢ Affirmative obligation to safeguard "personal information"
➢ Privacy protections for SSNs – limits on disclosure and on embedding in barcodes or chips; truncation on paystubs
➢ Credit check law
➢ Website privacy statement and do-not-track notice requirement
California Consumer Privacy Act (CCPA)
• Effective January 1, 2020
• Most expansive U.S. privacy law to date
• Other states are considering similar laws
• Focus: individuals' rights of notice, access, and opt-out
• Private right of action providing statutory remedies for data breaches resulting from a lack of reasonable safeguards
Have you been the victim of a data breach?
Data Breaches
• In general – unauthorized access or acquisition of personal information that compromises security, confidentiality, or integrity of personal information.
• Good faith employee exception
• Risk of harm trigger
• State agency notification
• Mitigation/ID theft services
Handling a Breach
• Incident response plan
• Investigation
• Law enforcement
• Safeguard systems
• Cyber insurance
• Notification
• Credit monitoring
• Remediation
IRS Guidance
• IRS "Protect Your Clients; Protect Yourself" campaign
• Publication 5293, Data Security Resource Guide for Tax Professionals
*Visit www.irs.gov for more information
Additional Data Security Responsibilities
• Internal Revenue Code Sec. 7216 – prohibits preparers from knowingly or recklessly disclosing tax return information, or using it for any purpose other than preparing the return
• AICPA Code of Professional Conduct – addresses responsibilities to keep client information confidential and secure
• Privacy Management Framework – Firm should publish privacy statement on its website
*For more information, please refer to:
• www.aicpa.org
• www.aicpa.org/IMTA
Thank you.