
Page 1: Cybersecurity, the IRS, and Data Security Plans: Meeting ...media.straffordpub.com/products/cybersecurity-the-irs-and-data... · Select service providers that can maintain appropriate

WHO TO CONTACT DURING THE LIVE PROGRAM

For Additional Registrations:

-Call Strafford Customer Service 1-800-926-7926 x1 (or 404-881-1141 x1)

For Assistance During the Live Program:

-On the web, use the chat box at the bottom left of the screen

If you get disconnected during the program, you can simply log in using your original instructions and PIN.

IMPORTANT INFORMATION FOR THE LIVE PROGRAM

This program is approved for 2 CPE credit hours. To earn credit you must:

• Participate in the program on your own computer connection (no sharing) – if you need to register additional people, please call customer service at 1-800-926-7926 ext. 1 (or 404-881-1141 ext. 1). Strafford accepts American Express, Visa, MasterCard, Discover.

• Listen on-line via your computer speakers.

• Respond to five prompts during the program plus a single verification code.

• To earn full credit, you must remain connected for the entire program.

Cybersecurity, the IRS, and Data Security Plans: Meeting FTC Requirements and IRS Guidelines

TUESDAY, MAY 12, 2020, 1:00-2:50 pm Eastern

FOR LIVE PROGRAM ONLY

Page 2

Tips for Optimal Quality (FOR LIVE PROGRAM ONLY)

Sound Quality

When listening via your computer speakers, please note that the quality of your sound will vary depending on the speed and quality of your internet connection.

If the sound quality is not satisfactory, please e-mail [email protected] immediately so we can address the problem.

Page 3

May 12, 2020

Cybersecurity, the IRS, and Data Security Plans: Meeting FTC Requirements and IRS Guidelines

Joseph J. Lazzarotti, Principal

Jackson Lewis

[email protected]

Nancy D. Lieberman, General Counsel

Anchin Block & Anchin

[email protected]

Page 4

Notice

ANY TAX ADVICE IN THIS COMMUNICATION IS NOT INTENDED OR WRITTEN BY THE SPEAKERS’ FIRMS TO BE USED, AND CANNOT BE USED, BY A CLIENT OR ANY OTHER PERSON OR ENTITY FOR THE PURPOSE OF (i) AVOIDING PENALTIES THAT MAY BE IMPOSED ON ANY TAXPAYER OR (ii) PROMOTING, MARKETING OR RECOMMENDING TO ANOTHER PARTY ANY MATTERS ADDRESSED HEREIN.

You (and your employees, representatives, or agents) may disclose to any and all persons, without limitation, the tax treatment or tax structure, or both, of any transaction described in the associated materials we provide to you, including, but not limited to, any tax opinions, memoranda, or other tax analyses contained in those materials.

The information contained herein is of a general nature and based on authorities that are subject to change. Applicability of the information to specific situations should be determined through consultation with your tax adviser.

Page 5

© 2020 Jackson Lewis P.C.

Cybersecurity, the IRS, and Data Security Plans: Meeting FTC Requirements and IRS Guidelines

Joseph J. Lazzarotti, Esq.

May 12, 2020

Jackson Lewis, P.C. - Berkeley Heights, NJ office

[email protected]

Nancy D. Lieberman, Esq.

Anchin, Block & Anchin [email protected]

Page 6

An all too familiar story…

- Tax preparation service, traditional or online, gets hacked.

- Phishing, spoofing, business email compromise, inadvertent disclosure…

- Sensitive tax information gets in the hands of malicious actors.

- Malicious actors file false tax returns…

Jackson Lewis P.C. 6

Page 7

None of us can escape

Page 8

• Ponemon Institute 2018 annual survey of SMBs found:

  • 67% of respondents reported experiencing a cyberattack

  • 58% reported experiencing a data breach

  • $1.43M – damage to or theft of IT assets

  • $1.56M – disruption to normal business operations

  • Additional costs – digital forensics, legal, notice distribution, call center, credit monitoring, government agency investigations

Page 9

Client/Employee Data on the Move

(Diagram: data flows between the CPA firm and the IRS and other tax agencies, individual clients, business clients, cloud services, financial advisors, and employees.)

Page 10

Page 11

Page 12

Understandable?

Page 13

Page 14

Getting started!

• Plan and gather data

• Identify risks and vulnerabilities

• Consider existing safeguards and evaluate risk

• Select and implement safeguards to address risks

• Re-evaluate

Page 15

Personal Information

• Individually identifiable information from or about an individual consumer, including but not limited to:

  • email address;

  • user account credentials;

  • first and last name;

  • government-issued identification number, such as a Social Security number;

  • mobile or other telephone number;

  • home or other physical address, including street name and name of city or town; or

  • any information from or about an individual consumer that is combined with any of the information above

• Settlement agreement between FTC and TaxSlayer, LLC, Aug. 2017

Page 16

Factors Driving Risk and Legal Obligations

Residence of Data Subject

• Permissibility of collection

• Data security safeguards

• Conditions for disclosure

• Record retention

• Rights to access/delete (GDPR/CCPA/…)

Purpose for Collection/Use

• Employment

• Marketing

• Tax preparation

• Tax controversy

• Payroll services

• Advisory work

• Purchase/sell practice

• Location or system monitoring

Nature of Information

• Use and disclosure

• Sharing internally

• Record retention requirements

• Level of security safeguards

• Breach notification requirements

Format

• I-9 requirements

• Level of security safeguards

• Accessibility and integrity

Location of Information

• Remote workforce

• Devices

• Third-party service providers

• Referral sources

• Cross border transfers

Page 17

◆ Gramm-Leach-Bliley Act (GLB)

  ◆ Financial Privacy Rule

  ◆ Safeguards Rule

  ◆ Pretexting Rule

◆ Agency guidance

  ◆ Internal Revenue Service

  ◆ Federal Trade Commission

◆ State data security laws

◆ Agency guidance

  ◆ AICPA

Page 18

FTC Safeguards Rule

❑ Designate one or more persons to coordinate the program

❑ Identify and assess risks to customer information

❑ Evaluate the effectiveness of current safeguards to address those risks

❑ Develop and implement a security program, monitor it, and test it

❑ Select service providers that can maintain appropriate safeguards

❑ Bind service providers by contract to safeguard customer data, and oversee them

❑ Evaluate and adjust the security program periodically for changes in circumstances, business, or operations

Page 19

FTC Focus:

• Employee Management and Training

• Information Systems

• Detecting and Managing System Failures

Page 20

Employee Management and Training

• Background checks

• Confidentiality agreement

• Access limited to business reason to know

• Password management

• Locking screens following a period of inactivity

• Manage devices

• Training and awareness

• Remote work controls

• Impose sanctions for violations

• Terminate access at employment termination

Page 21

Information Systems

• Know the what, where, how, who, and why of data

• Access management

• Backups, including offline storage

• Password management

• Physical security

• Inventory systems and devices

• Secure transmission of customer data

• Follow the FTC Disposal Rule – secure destruction

Page 22

Detecting and Managing System Failures

Deter

• Track news on emerging threats and available defenses, including from software vendors’ websites

• Stay up to date on security updates and patches

• Maintain up-to-date firewalls

• Close unused ports

Detect

• Maintain and monitor system and other log files

• Intrusion detection systems

• Look for “indicators of compromise” – unexpected large data file transfers

Defend

• Maintain an incident response plan

• Coordinate with law enforcement, including the IRS and state agencies

• Cyberinsurance
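The Detect bullets above ask firms to monitor log files and treat unexpectedly large data file transfers as an indicator of compromise. The following is an added example, not from the original slides: it runs over a constructed transfer log and flags transfers that exceed a hard size ceiling or a multiple of the user's own median transfer size, noting as extra context when the destination is one the user has not sent to before. The log format, thresholds and host names are assumptions.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample transfer log (not real data). Assumed format:
# <timestamp> user=<name> dst=<host> bytes=<count>
SAMPLE_LOG = """\
2020-05-11T09:02:11Z user=jdoe dst=cloudbackup.example bytes=4200000
2020-05-11T10:15:40Z user=jdoe dst=cloudbackup.example bytes=3900000
2020-05-11T11:20:03Z user=jdoe dst=client-portal.example bytes=5100000
2020-05-11T12:45:19Z user=jdoe dst=cloudbackup.example bytes=4400000
2020-05-11T13:10:55Z user=asmith dst=payroll.example bytes=800000
2020-05-11T14:02:30Z user=asmith dst=payroll.example bytes=950000
2020-05-11T15:30:12Z user=asmith dst=payroll.example bytes=870000
2020-05-12T02:17:44Z user=jdoe dst=files.unknown-host.example bytes=612000000
2020-05-12T09:01:05Z user=asmith dst=payroll.example bytes=910000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dst=(?P<dst>\S+) bytes=(?P<bytes>\d+)$"
)


def parse_log(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["bytes"] = int(ev["bytes"])
            events.append(ev)
    return events


def find_large_transfers(events, abs_threshold=100_000_000, ratio=5.0):
    """Return transfers that look anomalous, with the reasons for flagging.

    A transfer is flagged when its size reaches abs_threshold (an assumed hard
    ceiling for any single transfer) or exceeds ratio times the median of the
    same user's other transfers (that user's own baseline). A destination the
    user has never sent to before is recorded as extra context on flagged events.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)

    flagged = []
    for ev in events:
        others = [o for o in by_user[ev["user"]] if o is not ev]
        baseline = statistics.median([o["bytes"] for o in others]) if others else None
        reasons = []
        if ev["bytes"] >= abs_threshold:
            reasons.append("exceeds absolute threshold")
        if baseline and ev["bytes"] > ratio * baseline:
            reasons.append(f"{ev['bytes'] / baseline:.0f}x the user's median of {baseline:.0f} bytes")
        if reasons and ev["dst"] not in {o["dst"] for o in others}:
            reasons.append("destination not previously seen for this user")
        if reasons:
            flagged.append({**ev, "baseline": baseline, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_large_transfers(parse_log(SAMPLE_LOG)):
        print(f"{hit['ts']} {hit['user']} -> {hit['dst']} {hit['bytes']} bytes: "
              + "; ".join(hit["reasons"]))
```

On the sample log only the 612 MB overnight transfer by jdoe to an unfamiliar host is flagged; the per-user baseline keeps a heavy but routine user from drowning the alert in noise.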

Page 23

IRS Security Six

❑ Antivirus software

❑ Firewalls

❑ Two-factor authentication

❑ Backup software/services

❑ Drive encryption

❑ Virtual Private Network (VPN)

Page 24

IRS Basic Security Steps:

• Learn to recognize and not engage with phishing emails.

• Enable automatic updates for software.

• Encrypt all sensitive files/emails.

• Back up sensitive data to a safe and secure external source not connected full-time to a network.

• Make a final review of return information – especially direct deposit information – prior to e-filing.

• Wipe clean or destroy old computer hard drives and printers that contain sensitive data.

• Check IRS e-Services account weekly for number of returns filed with EFIN.

Page 25

Leverage Common Threads

Page 26

Quick Summary of State Laws

Breach Notification

Security rules

Vendor Agreements

Data Disposal

Page 27

Page 28

New York Approach

➢ Stop Hacks and Improve Electronic Data Security Act (“SHIELD Act”)

➢ Effective March 21, 2020.

➢ Adds new data security protections for personal information.

➢ Amends New York’s existing data breach notification law.

➢ Penalties

  ➢ Breach notification – the greater of $5K or up to $20 per instance of failed notification, provided that the latter amount shall not exceed $250,000.

  ➢ Reasonable safeguards – not more than $5K for each violation.

Page 29

New York Approach

➢ Personal information consisting of any information in combination with any of the following data elements:

  ➢ SSN, DL#

  ➢ Account/credit card number with security/access code, password, or other information that permits access to the individual’s financial account

  ➢ Account/credit card number alone if the individual’s financial account can be accessed without identifying information, security/access code, or password

  ➢ Biometric information

➢ Private information also includes a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.

Page 30

New York Approach

The General Rule:

Any person or business that owns or licenses computerized data which includes private information of a resident of New York shall develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of the private information including, but not limited to, disposal of data.

Page 31

New York Approach

The Compliant Regulated Entity

➢ Persons or entities subject to and compliant with:

  ➢ Gramm-Leach-Bliley Act;

  ➢ Health Insurance Portability and Accountability Act of 1996 and the Health Information Technology for Economic and Clinical Health Act;

  ➢ NYSDFS Reg. 500; or

  ➢ any other data security rules and regulations of, and the statutes administered by, federal or New York state agencies.

Page 32

New York Approach

What if you are not a “Compliant Regulated Entity”?

➢ Administrative Safeguards

➢ Physical Safeguards

➢ Technical Safeguards

Page 33

New York Approach

Small businesses exclusion – No, but a lower standard for compliance.

➢ Small business means any person or business with

  ➢ fewer than fifty employees;

  ➢ less than $3M in gross annual revenue in each of the last three fiscal years; or

  ➢ less than $5M year-end total assets per GAAP

➢ Must still have reasonable administrative, technical and physical safeguards, but they may be appropriate for the size and complexity of the small business, the nature and scope of the small business's activities, and the sensitivity of the personal information.

Page 34

California Approach

➢ Constitutional protection

➢ Breach Notification

➢ Affirmative obligation to safeguard “personal information”

➢ Privacy Protections for SSNs – limited disclosures, embedding in barcodes or chips, truncate on paystubs

➢ Credit check law

➢ Website privacy statement and do-not-track notice requirement

Page 35

• Effective January 1, 2020

• Most expansive U.S. privacy law

• Other states are considering similar laws

• Focus: individuals’ rights of notice, access, opt-out

• Private right of action providing statutory remedies for data breaches resulting from lack of reasonable safeguards

Page 36

Have you been the victim of a data breach?

Page 37

Data Breaches

• In general – unauthorized access or acquisition of personal information that compromises security, confidentiality, or integrity of personal information.

• Good faith employee exception

• Risk of harm trigger

• State agency notification

• Mitigation/ID theft services

Page 38

Handling a Breach

• Incident response plan

• Investigation

• Law enforcement

• Safeguard systems

• Cyber insurance

• Notification

• Credit monitoring

• Remediation

Page 39

IRS Guidance

• IRS Protect Your Clients; Protect Yourself campaign (visit www.irs.gov for more information)

• Publication 5293 Data Security Resource Guide for Tax Professionals

*Visit www.irs.gov for more information

Page 40

Additional Data Security Responsibilities

• Sec. 7216 – prohibits preparers from knowingly or recklessly disclosing or using tax return information

• AICPA Code of Professional Conduct – addresses responsibilities to keep client information confidential and secure

• Privacy Management Framework – Firm should publish privacy statement on its website

*For more information, please refer to:

• www.aicpa.org

• www.aicpa.org/IMTA

Page 41

Thank you.
