This is an IRS audio presentation.
Karen Russell Hello, everyone. It's the top of the hour. I want to welcome you to today's broadcast. My name is Karen Russell, and I will be your moderator for the presentation, Protect Your Clients; Protect Yourself: Tax Security 101. Joining me today are my colleagues LaMar Singletary from Return Integrity and Compliance Services and special agent Brian Thomas from criminal investigation. Both these gentlemen work tax related identity theft issues. And we also have a special guest with us today, Susan Jarvis. Sue is a CPA from Pennsylvania, and she has firsthand information to share with you. And we really appreciate her being here with us.

So, before we begin the presentation, if there's anyone in the audience that's from the media on the webinar, please send an email to the address, uh, to our email address CL.SL.web.conference.team@IRS.gov. And in your message, if you'll include your contact information and the news publication you're with, one of our media relations or stakeholder liaison staff can assist or answer any questions you have. All right. Hopefully you received today's PowerPoint resources and technical support documents in a reminder email. But if you didn't, don't worry about it. We've got you covered. You can download these documents by clicking the materials button found on the left side of your screen as shown on this slide. If you're having trouble hearing the audio through your computer speakers, closed captioning is available for today's presentation as well. Simply click the CC button on the left side of your screen to access it. All right, now, if you have topic-specific questions for us today, please submit them by clicking on the ask question button. And that's on the left side of your screen, too. If you have a question during the web conference, please enter it into the text box and click submit. And I urge you, do not, I'm going to emphasize, please don't enter any sensitive or taxpayer-specific information. We will have a Q&A session at the end of the presentation and answer as many of your questions as we can. So please submit those. All right, now also during this presentation, we will take a few breaks to share knowledge-based questions with you. And at those times what's going to happen is a polling-style feature will pop up on your screen with a question and multiple-choice answers. What you need to do is select the response that you believe is correct by clicking on the radio button that's next to your selection and click submit.

Don't forget to click submit. And you might have to turn off your pop-up blocker to receive these questions. In the event that you don't get the pop-up box for responding, we're going to have you enter your response timely in the ask questions feature and then click submit. And this will help us track your participation for CPA, CPE purposes. All right. So, speaking of polling questions, let's start off with one right off the bat. This is a true or false statement.

Federal law requires all professional tax return preparers to create and maintain a written data security plan. Is that statement true or is it false? And if you don't know, select C for I don't know. And this is a good segue into our topic, tax security 101. One of the biggest trends of 2018 has been the level of data theft perpetrated on tax professionals. The number of data theft reports is on the rise. The IRS has seen a significant increase from 2017 to 2018.

So, our objective today is to talk to you about your obligations to protect taxpayer data. And this obligation includes a legal requirement that all professional tax preparers must have a written information security plan. So back to our polling question. The answer is most definitely true. There's a federal law that requires all tax return preparers to have a written plan, and that's what we're going to talk about. We will also talk about common signs of data theft in your office, the types of threats we're seeing now, and the basic steps you need to take to protect your client data and your own data. And finally, we'll talk about how you report data theft to the IRS. So, let's get started. LaMar, will you set the stage for us?

What's the most important thing for tax professionals to know about data security?

LaMar Singletary Thank you, Karen. So, the first thing is that everyone is a potential victim.

That's probably the most important thing to know. It doesn't matter if you're with a big firm or a sole practitioner. You are a target. And everyone must take the strongest safeguards possible. I suspect a lot of people listening today aren't thinking it can happen to them. But it can and it does. Just this year, from January through September 12, we saw roughly a 30% increase in the number of tax firms reporting data theft. We're averaging five or six firms calling each week reporting data theft. Those numbers translate into hundreds of PTIN holders and tens of thousands of taxpayers who are clients of those firms.

Karen Russell LaMar, why are cyber criminals so focused suddenly on tax preparers? What's up with that?

LaMar Singletary Okay, so here's what's happening. The IRS and the state and industry partners have deployed new policies and safeguards since 2015. You can read about these at the Security Summit page at IRS.gov. We made a lot of hard-- we've made it a lot harder for cyber criminals to file fraudulent returns.

We're producing results and there-- for example, we've seen about a 65% decrease in the number of self-reported identity theft victims. The number of confirmed identity thefts has also declined by 57%. But we can't claim victory, because the criminals and their tactics keep evolving.

Thieves know they need more personal data and real data to create fraudulent tax returns. They need data to create fraudulent tax returns that look real and can slip past our filters. To get this data, they are targeting tax professionals and employers. They look for prior tax year returns, tax transcripts, and W-2 information. They look at the centralized authorization file or CAF numbers, electronic filing identification numbers, EFINs, and preparer tax identification numbers, PTINs. These thieves also impersonate tax practitioners.

Karen Russell Okay, so LaMar, back to our polling question, can you talk about the requirement for a security plan?

LaMar Singletary Sure. There's a 20-year-old federal law that requires all federal tax preparers to create and maintain a written data security plan. That may be news to a lot of people. This is a law that is administered by the Federal Trade Commission, not the IRS. The Financial Services Modernization Act of 1999, also known as the Gramm-Leach-Bliley Act, requires certain financial entities, including professional tax return preparers, to create and maintain a security plan for the protection of client data. The Federal Trade Commission administers this law and the Safeguards Rule and regulations. What is the Safeguards Rule, and where can tax professionals learn more about it? We recommend practitioners get started by looking at IRS Publication 4557, Safeguarding Taxpayer Data. We have a section on the Federal Trade Commission Safeguards Rule. The Safeguards Rule is the set of rules that the Federal Trade Commission created to administer the law. But here's an overview. As part of the written plan, each company must designate one or more employees to coordinate its information security program.

It must identify and assess the risks to customer information in each relevant area of the company's operation and evaluate the effectiveness of the current safeguards for controlling these risks. It must design and implement a safeguards program and regularly monitor and test it. It must select service providers that can maintain the appropriate safeguards, make sure its contract requires them to maintain safeguards, and oversee their handling of customer information. And it must evaluate and adjust the program in light of relevant circumstances, including a change in the firm's business or operations or the results of security testing and monitoring. As you can see, it's vague. And it's by design. It's trying to give the various industries flexibility to comply.

In Publication 4557, we have a checklist of items that tax pros should consider when creating a data security plan. You will hear us talk a lot about that today: Safeguarding Taxpayer Data.

We highly recommend you view it and share it with all your employees.

Karen Russell LaMar, thank you so much. That was excellent information. So, um, Brian, I'm going to turn to the threats now. There are a whole lot of them out there. Now, as the National ID Theft Coordinator for our Criminal Investigation Division, you work with a lot of tax firms that are victims of identity theft.

Will you share some of the tactics thieves use to steal data?

Brian Thomas Thanks, Karen.

There are many scams out there. But I'm just going to talk about the three most common that IRS CI sees. The first one is spear phishing. It's the most common practice used by fraudsters. They purposely target tax professionals, human resources representatives, and payroll personnel, because the fraudster is seeking unauthorized access to sensitive information, including personally identifiable information, which we commonly call PII. For the tax professionals, imposters will disguise themselves as a trusted source. This would include a tax software provider, a cloud storage provider, a potential client, another CPA or even the IRS. Within these phishing emails they use a tactic referred to as implied pressure or a sense of urgency: act now or be locked out of your account. These emails contain an embedded link which could direct you to an impersonation site, or they may ask you to enter your user name and password. The email may contain an attachment, often a PDF, which may contain malware. Malware is malicious software that secretly downloads onto your computer and could provide the imposter with remote control, send additional spam, allow the fraudsters to investigate the local area network and steal the sensitive data. In addition to that, the fraudsters can add a key logger which tracks every keystroke, eventually giving up all the user names and passwords and other data that let criminals access your system. The second one is a remote access attack, or what we refer to as remote desktop protocol, RDP. This can occur in multiple ways. Cyber criminals exploit weaknesses in the security system to access devices. They can use the malware to download malicious code that gives criminals access to the network. Especially vulnerable are wireless networks, mobile phones, modems, routers, printers, fax machines and televisions that retain their factory-issued password settings. For example, a device with a factory-issued default password could be easily accessed, and the criminals could see the tax return information that's stored within its memory. It's important to change the default passwords and utilize a strong password.

In a recent case, criminals gained remote control access, then they accessed the tax software and completed all the pending tax transactions. These were real client tax returns. The thieves completed the entries and directed the refunds to bank accounts and prepaid cards that they control. And the third and final one is ransomware attacks. This often starts with a phishing email. The email contains ransomware that allows the criminal to lock down your system and your data. The criminals usually demand a ransom. Usually it's a fairly small amount to entice you to pay. The FBI urges people not to pay, because the odds are just as good that they get the money and you still don't get your data. This is one of the fastest growing tactics. According to the Internet Crime Complaint Center, commonly known as the IC3, which is run by the FBI, the total losses from ransomware attacks exceeded $1.4 billion in 2017.

Karen Russell Holy Toledo.

That's a scary stat, $1.4 billion? So, this slide that we're looking at right now, this is an actual scam email, right?

Brian Thomas That's exactly right. This one is especially interesting. The thief is posing as a potential client. I apologize it's a little bit blurry.

The subject line on the email is tax return and the fraudster writes, hello, I got your email from the local directory. And I hope you're doing good and actively involved in the tax season.

What you need to educate yourself on is the spelling and grammar contained within the actual email. For instance, your should be UR. And the thief asks the tax pro to review his data and give him an estimate for the tax filing. And here's a tip. The thief included a hyperlink in the message. Click here to review my details, he says. There's another version of this which includes an attachment and suggests that the tax pro open it to review the tax information. Of course, the attachment contains the malware. I also want to make it clear that these cyber criminals are savvy about technology and taxes. They are national and international syndicates that are well-funded criminal organizations. By now you've heard about the dark web.

It's a part of the World Wide Web that's not searchable by regular search engines such as Google, Bing, Yahoo. It's now important to-- it's sort of like the wild, wild west of the internet.

You can find complete packages to file tax returns, stolen PII, stolen CAF numbers, EFINs, and PTINs. Karen, I'm going to turn it back to you for another polling question.

Karen Russell Thank you, Brian. That's even more scary information. Okay, I hope the audience is paying attention.

So, you guys, I need to clarify something real quick. When we do a polling question, the only time that you need to use the ask question feature is if the polling question is not popping up for you, okay? And if it's not popping up, you might need to go in and disable your pop-up blocker. Okay? So, let's get to our polling question. And the question is this: If your office experiences a data theft, which of the following could be affected? A, your reputation; B, your profits; C, your health; or D, all of the above. I'm going to repeat the question and your choices just in case you're not getting the pop-up. So, if your office experiences a data theft, which of the following could be affected? A, your reputation; B, your profits; C, your health; or D, all of the above. And as you make your selection, I want to welcome Susan Jarvis to the discussion. Sue is a CPA, sole proprietor based in Nazareth, Pennsylvania, and Sue, I want to thank you so much for being here. We're going to let you take over here in just a few minutes.

Susan Jarvis Sounds good, Karen.

Karen Russell Okay, all right, you guys, let's stop the polling. Hopefully you had time to make your selection. And we'll see how many of you got it correct. And we'll show that on the next slide. Okay, and the correct response is D, all of the above. We have a 96% accuracy rate, which is awesome. And of course, a data theft can have a tremendous impact on all aspects of your business and your personal life and your health if it's not handled properly. So, let's delve into a real-life experience. Sue, you had some unfortunate firsthand knowledge on this subject. Will you please share your story with the audience?

Susan Jarvis Yes, I am. Good afternoon, everyone. Uh, I have a small practice in Eastern Pennsylvania. We service about 330 to 350 individuals, about 60 Corps and S Corps, about another 25 or so partnerships and about a dozen or so nonprofits. So small practice.

I have a wonderful staff of three, um, another CPA and two other accountants who assist me. Let me take you back to December of 2016. And in December of 2016, my IT company, and I do have an IT company I've had for the last couple of years, an IT company that monitors my server 24/7 and does all my IT work, that's way beyond my bailiwick. So, they called me right before Christmas, December 2016, and said, someone has tried to log in remotely to your machine, to your workstation and to one of your staff's. And there's a problem here. So, we're going to shut down your system, we're going to lock it down. And instead of people using LogMeIn to work remotely from home, we're going to suggest that you install a VPN, a virtual private network, for everybody that works remotely from home, which will force them to log into the virtual private network first. Everybody has their own individualized code, and then they will log into their computer, and they can work. So, I said, of course, that makes perfect sense. So, they undertook that task. And they finished it on the 17th of January of 2017. Just kind of hold that in your memory for a moment. Then fast forward to Valentine's Day of 2017. So, the last tax season, 2017, we were working on 2016 tax returns. And right before Valentine's Day, I had my first client receive a 4883C letter. If you're not familiar with that letter, it's the letter from the IRS that says, we have a tax return in the system, but we're not sure that it's your authorized tax return. It hasn't passed-- it's been held up as a result of passing through some of our filters. So, we want to hear from you to verify whether or not this tax return is your authorized return. I had never seen that letter before. I was a little suspicious of it because, as we know, there are fraudulent IRS letters out there.

But lo and behold, between the Friday before Valentine's Day and Monday, the day before, and Tuesday, which was Valentine's Day, we received a total of maybe about 18 or 20 of those letters from clients. And, uh, at the same time we had started e-filing our first individual returns, had filed six or eight of them, and two of them bounced back indicating that another return was already in the system using either the taxpayer's or spouse's social security number. At that point I knew that I had a problem.

Luckily, I had just been at a seminar in the beginning of February that was put on by the Greater Philadelphia chapter of the Pennsylvania Institute of CPAs, a seminar that really dealt almost exclusively with cybersecurity issues. And as a result of going to that particular seminar, I knew what to do. So, after having an incredible meltdown where I potentially saw my livelihood and 35 years of practice going down the drain, I pulled myself together and called my IRS stakeholder liaison. And we have a wonderful stakeholder liaison here in the Philadelphia area, Richard Furlong.

So, I called him first, described what had happened, what I think is going on. And he said, yeah, sounds like you have a security breach. So, the first thing that I had to do was take my entire client database from 2015 and 2016 and send those securely to the Internal Revenue Service. They opened those spreadsheets up behind their firewall. They were encrypted. And then they marked all of those taxpayers as potential identity theft victims. They also suggested that I immediately call my local police, who unfortunately can't really do much for you except record that there has been an episode, that I call my insurance carrier and that I also get in touch with my software provider. I did all of those absolutely immediately. The software really isn't an issue. There's so much encryption that goes between you and the software when they're moving tax returns between you and the Internal Revenue Service that that really wasn't an area where we thought we had been breached. But they did put a hold on and looked at all of the returns that we were filing and sent that on to their security folks. Clients continued to get this 4883C letter. They continued to get something called the 12C letter, and they kept coming in and coming in and coming in. All in all, when all was said and done, about half of our individual clients received some kind of notification or went to e-file their tax return and it bounced back because there was already a tax return in the system. Business entity returns were not affected. I would imagine that the bad guys get a much bigger bang for their buck on individual returns than they do on business entity returns. One of the things that my insurance carrier did was refer me immediately to a law firm in Philadelphia who handles a lot of cybersecurity issues. They took care of notifying the attorneys general in the various states where we file tax returns, because there are requirements for you to notify them. You legally are bound to do that.

So, once they had my client list, they took care of making all those notifications for me. And then they referred me to a cybersecurity firm in McLean, Virginia, whom we engaged to do a forensic investigation of my network. Thankfully, when I renewed my malpractice insurance the year before, I took the cybersecurity rider. Inexpensive, 200 or $250 to add that cybersecurity rider, providing $25,000 worth of coverage. And my insurance carrier said, we're going to try to keep the expense to that $25,000 or under if we can. The biggest expense of the entire thing was the forensic IT investigation. And through that investigation, we were able to determine exactly when the bad guys got into my system, how they got into my system and what they took. And as Brian was talking about before, um, the second most common way that people get into your system is through remote desktop access, and that is in fact how they breached my system. Prior to the installation of the VPN, we were just using, I believe, LogMeIn for people to work remotely.

What happened was one of these, one of these bad guys, piggybacked in on the remote access of one of my staff. Now the really kind of creepy thing is, as a result of the forensic IT investigation, um, they looked at parts of my system and logs that my normal IT people don't normally look at. Even though I have an IT firm that monitors everything, and believe me, they're on top of everything. If somebody sneezes in a strange way in my office, they're calling us to say that there's been a blip on the server. But they couldn't find where this breach occurred.

And that was incredibly troubling to them. But the forensic investigation was able to locate the problem. So, this is where it gets kind of dicey. So, I will let you know exactly what happened. In fact, they did breach via remote desktop, the remote desktop access. And if you went in under this particular staff person's remote access, there were three work files that the perpetrator created. And if you had just looked at that particular workstation, they would have looked harmless. But if you know what you're looking for, they were able to identify that that's where all the data was sitting that the perpetrators were calling out of my system. So as a matter of fact, the first breach of my system was on March 30 of 2016. So, the prior year, while we were working feverishly near the end of tax season, somebody came into my system on March 30, 2016. They logged in again on April 10 of 2016, and between April 10 of 2016 and January 16 of 2017, just before we finished the VPN, they had logged in 56 different times from ten different countries. Now, likely it was the same person that kept coming into my system and just pinging themselves around the globe. But 56 times from ten different countries.

Brian in one of his presentations makes the point that the average time that somebody is in your system before you realize it is 210 days. And that's about how long they were in my system before we found that they were there. So, they created these files, and they were taking-- they were removing data to file fraudulent tax returns. That was the day I think I could have gone into the shower and stayed there all day, because it felt incredibly violating to me. However, we-- they suggested that we scrub that machine, which we did, and install some additional protocols to help protect us even though we had a strong firewall. We had now moved to the VPN.

They suggested that we move our email to Microsoft 365, which we did immediately. My email now flows through my IT provider before we get it. If they look at anything, if they find anything suspicious, they'll hold those emails and ask me if I want them to come through. And that happens four or five times a day. We had our server encrypted. And that's almost something that really has no cost whatsoever. My zip server is now encrypted. So, if somebody were to come in and pick up my server box, it would be of no use to them. We went to three-factor identification for somebody to work remotely. So, everyone now has an app called Duo Security on their phone.

First they log into Duo Security. They get a code via text. They enter the code and then they log into the VPN, and then they log into the computer. That whole process takes maybe 15 seconds. So, you're not really slowing down anybody's work. And there was very little cost to do the VPN and add on the Duo Security. We also added Malwarebytes onto our individual machines. We have all the ransomware and malware stuff on the server. But we added on our individual machines a software called Malwarebytes. Very inexpensive. I think I paid about $150 to put it on four workstations. We also will no longer utilize somebody's flash drive data, their QuickBooks data or their tax data off of a flash drive unless we scan it first using Malwarebytes to make sure there's nothing bad on there initially and somebody's junk from their system doesn't make its way onto ours. And probably the biggest thing that we did from the get-go, from the day I found this out, from Valentine's Day when I found it out: the very first thing after I called Richard Furlong was to begin to draft a letter to clients. It was a lengthy letter, but saying, here's what I think happened. And it's possible that you may receive one of several different notifications from the IRS. If you get one, the notification is legitimate, number one. And number two, if you have any question about how to respond to it, let me know immediately. Come to my office. We'll respond to it together. And also letting them know that my insurance carrier was going to be able to offer them credit monitoring through Experian free for one year. So, I think that the biggest thing that we did was to try to get out in front of it and to be honest with people. I will let you know that, as a bottom line, now, you know, there were some negative residual things that happen once you give your database to the IRS, which we don't necessarily have a lot of time to go into here.

But when all was said and done at the end of that tax season, we lost one client. And that client was not affected by identity theft or the security breach. But one client chose to walk away. But for the most part our clients took it in stride. They said it's just the world we live in today. It's an electronic world. We're not going to stop using our credit cards and stop doing things digitally. Unfortunately, it's a price we have to pay. They felt confident that I was doing everything I humanly could do to be on top of it and protect them. And I think that was one of the keys to really being successful in battling, if you will, this whole breach.

Karen Russell Wow, Sue. I'm reading some questions that are coming in. So that is a-- I mean, for lack of a better word, that's a nightmare.

Susan Jarvis Yes, it was.

Karen Russell I know, right? So, we're often asked how to find cyber experts and such. Can you talk more about how you came to choose the IT expert that you did and what having the insurance coverage did for you? I don't know. I couldn't-- I can't recall if you had gone through how much that had cost you when you did the forensic thing. But yeah, if you already went through it, please reiterate that though.

Susan Jarvis Most definitely. Um, let's talk about the insurance first. My limit of coverage was $25,000.

The forensic IT investigation was a little over $15,000. And the attorney was 13,000 or $14,000 when it was all said and done. The total cost to me when everything was finished was a total of $27,000. So, I was about $2,000 out-of-pocket. I was grateful for the 200, $250 I spent for that rider on my policy. Second, in terms of IT folks, I've always farmed out my IT. I said, that's not something within my purview. So, when it comes to setting up new workstations, getting a new server, I've always had a firm that has come in to do that. And there have been various firms over about 37 years of my career. Um, but about five or six years ago, I started using my current firm. And they came in and set up some new workstations for me. I bought new computers. And they first posed the idea of letting them do the server monitoring for me and some other services. And I have to admit that initially I thought, well, you know, this is a cost. Do I really need to undertake it? And I decided it was a smart move, particularly since I'm a small practice with no IT department, and took that on as a contract. And I have never looked back. It's just the cost of doing business. I found them from talking with other colleagues of mine in the area who have outside IT people, other small practitioners. These folks happen to have an office by me and in other parts of Pennsylvania. And you can pay anywhere from $100 a month to thousands of dollars a month, depending what it is you want or need. To some degree there's a cost-benefit analysis that needs to happen, because they can analyze all kinds of stuff every month from your server and the data that you're moving back and forth. But you have to try to find the program that's cost effective for you and what fits into your budget.

But as a sole practitioner you really need to protect yourself from that data. And in my mind, it's just a cost of doing business. So, if it's going to cost you 300, $400 a month up to 600, $700 a month, I really think you need to take on that cost.

Karen Russell All right. Thank you, Sue, so much for that additional information. So, Brian, Sue talked about the signs of data theft that she saw that tipped her off. What are some more signs that tax professionals should be aware of?

Brian Thomas The IRS and the Security Summit partners have created a list of warning signs that typically occur in a data loss situation. The first one is client e-file returns begin to reject because returns with their social security numbers are already on file. We refer to this as a 902 code, already on file. You've got to ask yourself, is it normal for my practice to have 10% to 15% of my electronic filings reject? That's a warning sign. The second one is clients who have filed tax returns begin to receive notification letters such as a 5071C, a 4883C, or a 5747C from the IRS. Clients who have filed tax returns start to receive either ACH direct deposits or U.S. Treasury checks. Clients receiving transcripts when they know they haven't requested them. Clients receiving IRS notices about online accounts such as Get Transcript that they either did not create or did not change. You may notice that the number of returns filed with your EFIN and PTIN is more than the actual number of returns that you filed. And the way to check this is going through your e-Services account. And if you know you have 500 clients, and you see 2,000 returns filed with your EFIN, you know you have a problem. You or your colleagues start receiving emails that you did not send, or communication.

Your office computers are running slower than normal. Your computer cursors are moving and numbers are changing without anyone touching the keyboard. And finally, your network computers are locked out, and they lock out your employees. If you see these signs, you need to start investigating whether or not you have a data theft.

Karen Russell And you know what, tax professionals should know that much of this information is available on IRS.gov on our identity theft page, just IRS.gov/identitytheft. And this, you know, it outlines the signs that tax professionals should be aware of. And you know, so that we have time for our question-and-answer session for the last little bit of the webinar, you guys, let's see if we can move it along a little bit. So even though that was a lot for us to absorb, Brian, can you give the audience... well, let's give the audience a break first and we'll pause and do a polling question. And it is about passwords. Okay? So, let's get to our polling question. And it's: Which password on this slide meets the new National Institute of Standards and Technology guidelines? NIST for short. Okay. Is it A, a password with upper case, lower case, and numeric; is it the random letters and numbers, which is B; or is it C, sun walk rain drive? And remember, you guys, wait for the pop-up. And then submit your response that way. And of course, if the pop-up doesn't come up, then you can submit your answer through the ask question feature. But again, I can just reiterate that you need to turn your pop-up blocker off. So again, which of these is an example of a strong password that meets the new National Institute of Standards and Technology guidelines? Is it A, the password 01; is it B, just the letters and numbers and gibberish; or is it C, sun walk rain drive? And then while everyone is contemplating their answer, I want to ask something of LaMar. And it's about passwords.
So, LaMar, there's been some new thinking around passwords recently, hasn't there?

Lamar Singletary That's right. NIST sets the cybersecurity framework for federal agencies. It issued new guidance on passwords in 2017. The basic idea was the password should really be a phrase you can remember. Prior to 2017, NIST endorsed the use of random letters, numbers and characters. The problem with that was, the users couldn't remember their password.

Karen Russell I know, right? So, let's close the polling. And we're going to have LaMar continue educating us about passwords.

Lamar Singletary Okay, so the new thinking in passwords is it should be a phrase. Maybe a line from a movie you like or a series of connected words that you can remember.

Karen Russell Okay. That's actually what I make my password. And that makes a lot of sense. So the correct answer to the polling question is C, sun walk rain drive.

And let's see how many of you got that right. Ooh, 7%. Okay, you guys, so the deal is with the password, it's a phrase that you can remember versus letters and numbers or anything like that that you can't, something that's easy for you to remember. So LaMar, will you tell us about the steps tax professionals can take to protect their businesses and review some of the basic safeguards with us as quickly as possible? Thank you.

Lamar Singletary Sure, Karen. So, there are some basics that the Security Summit endorsed. Learn to recognize phishing emails; scam emails often pretend to be from the IRS or tax providers or cloud storage providers or state tax agencies. Never open a link or an attachment from a suspicious email. Remember, the IRS never initiates email contact with tax professionals. Brian talked about the common phishing emails; this is why this is number one on our list. Guarding against it takes not only security software but education of everyone in your office. Next, we want you to create a data security plan using IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: The Fundamentals from the National Institute of Standards and Technology. This is an FTC requirement. We encourage you to review internal controls such as anti-malware and antivirus security software, and we encourage you to create passwords at least eight characters long. Encrypt all sensitive files and emails, and use strong password protection. Back up sensitive data to a safe and secure external source not connected full-time to the network. Wipe clean or destroy all old computers, hardware devices and printers that contain sensitive data. Limit access to taxpayer data to individuals who need it only. If you're an EFIN holder, check your IRS e-Services account weekly for the number of returns filed with your EFIN. Report any data theft or data loss to the appropriate agency.
And stay connected with the IRS through a subscription to the e-News for Tax Professionals, Quick Alerts and social media.

Karen Russell Thank you, LaMar. That is really great information. And then when you report any data theft or data loss, that gets reported to IRS stakeholder liaison, which I am. So, Sue, I'm going to circle back to you. Based on your experience, in a nutshell, can you give us any additional suggestions that the tax professionals need to know?

Susan Jarvis Uh, most definitely. Uh, one of the resources that you can use if you're a small practitioner like myself, and it doesn't cost you anything, is Brian and his team. If you think you've got, if you think you're a victim of a security breach, you can contact Brian, and his team can look at your computer and try to determine whether you've been a victim of a breach. Brian will tell you most of the time when he comes to your office you're either a suspect or a witness. But not in this case. He is a resource. And a resource that is very familiar with what the bad guys are doing out there. So, uh, if you think you've been breached and you don't have the insurance or you don't have IT folks, reach out to him.

Reach out to your IRS stakeholder liaison. They will put you in touch with the criminal investigation, the identity theft investigation folks. Um, I would also say that one of the most important things, if this happens to you, and it's a horrible thing to happen, I don't wish it on anybody.

You know, it did take its toll on my life and on the financial aspect of my practice, everything that was in that earlier polling question. But we got through it. You need to be upfront with your clients because you need to protect them, of course. I think before yourself, you need to protect your clients and their data and make sure that the refunds that they're entitled to are going to them and not to somebody in Latvia or Uruguay or somebody else who shouldn't have their refund. But you need to be upfront with them. You need to keep them informed about what's going on and what you're doing and what the next steps are. We took inordinate amounts of time, myself and my staff, who were with me every step of the way. If a client called and they had questions, their questions got answered immediately. If they needed to talk to me directly, I dropped what I was doing and I spoke to them, to try to put everybody at ease to the extent possible, to say, we're on top of this. And generally, once you explain, particularly if a client gets a letter asking them to go into the Taxpayer Assistance Center, schedule an appointment, go in and validate their identity, which you really don't want to have them take away from their time to do, but once you explain that it's vital that that happens because the IRS wants to make sure that their refund goes to them appropriately and not to someone it doesn't belong to, that's a pretty easy sell. And for those clients, and we had about 150, probably more, of our clients who had to do that, our individual tax clients had to do that. That process was pretty easy. They could make an appointment online. They went in. In general, the conversation with the IRS took five to ten minutes. They just had to validate their identity with photo ID, bring their last year's tax return. Everything matched up.
That allows the IRS to eliminate the bad return from the system, get rid of it and allow the good return to process through; otherwise their authorized return is going to be parked in no man's land forever until they come in to validate. So you've got to keep on top of it. You've got to be honest with your clients and let them know exactly what's going on. As I said, for those of you who allow your staff to work remotely, or if you work remotely, if you work from your iPad or your phone and log on to your system, put a VPN on your iPad or your phone. And make sure you have at least two-factor authentication for people who are working remotely. Malwarebytes is a cheap and easy way to further protect your system. Encrypting your server: I understand that if you're an IT person and know how to do that, it's an easy-peasy fix for your server. We still have residual effects this year of everything that happened last year. Nothing like it was last year. But there have been some things that have popped up. But at least we now have the knowledge to know how to deal with it effectively. We know who to call if something happens. We recently had a situation where a client got a letter saying, um, your power of attorney is being rejected because we don't like the taxpayer's signature. It turned out my client got a copy of a power of attorney that didn't have my name on it. It had some other practitioner from Ohio's name on it.

So, somewhere out there that practitioner was breached. And somebody has their CAF number.

So, things are ongoing, but we now at least have the knowledge of how to deal with them, and it doesn't throw me like it did the first time. But you've got to be out in front of it from the get-go. If you think you have a problem and you can't sleep at night, you probably do. At the very least, please contact Brian.

Karen Russell Brian, or your stakeholder liaison. And those are really good tips, Sue. And we're going to take a brief second, you guys. This is an easy polling question for you. Make sure that you answer this so that you can get credit. So, the polling question is, if you experience a data loss, who should you call first? Is it IRS stakeholder liaison, A; is it the FBI, B; or is it the Secret Service, C? And I tell you right now, I expect 100% accuracy on this. So, if you experience a data loss, who should you call first? Is it IRS stakeholder liaison, A; is it Federal Bureau of Investigation, B; or is it the Secret Service, C? Get your answers in and we're going to stop the polling and we're going to show you the correct response on the next slide, which I'm sure everybody knows. And the correct response is A, stakeholder liaison. 98%. Thank you so much, and you guys, I'm going to turn it over to Brian to go over a couple of things real quickly with you so that we can get to the Q&A segment. So, Brian, it's all yours, as long as you can talk fast.

Brian Thomas Tax practitioners need to report data losses immediately because the IRS needs to put in the procedures in order to protect you, the tax practitioner, your clients, and then we have to stop the bleeding coming out of the U.S. Treasury. Here's how you report it. You need to contact IRS law enforcement, which is IRS CI, or the stakeholder liaison. You can contact the Federal Bureau of Investigation, Secret Service, and local police to file a police report. If you have cyber insurance, you need to contact your carrier as soon as possible.
They're going to put you in touch with a cybersecurity law firm. IRS CI works with several law firms located throughout the country. This law firm will assist you in meeting your reporting requirements to the state, the department of revenue and the Attorney General's office. In addition, if your policy covers it, they may hire a cyber forensic team. We actually work well with those teams. They are used to determining the breach and the scope of the breach, as well as making recommendations to assist you in preventing further breaches from occurring. If you don't have cyber insurance, you're still required to report to the state. Each state has its own laws and reporting requirements. The basic rule of thumb is this: it's where you prepare the return and where your clients reside. You can email the Federation of Tax Administrators at alert@taxadmin.org. For a complete checklist, see Data Theft Information for Tax Professionals at www.IRS.gov/identitytheft. The information is also contained in Publication 4557. There are a couple of other actions you can expect.

You know, once you are in touch with your local stakeholder liaison or CI, we will let you know that your EFIN will be shut off. And we will be working with LaMar's organization. During this, we're going to ask you for a complete list of your clients, and that includes businesses, individuals, and your CAF numbers. The reason is because we use this information to prevent fraudulent returns from being filed. Um, and we also prevent fraudulent powers of attorney from going out; um, this is where having data theft as part of your insurance policy comes in handy. Often the insurance company is going to provide you experts to help you determine how your breach occurred. And the important thing is, once you identify it, making those corrections to solidify and protect yourself even more. Back to you, Karen.

Karen Russell Thank you, Brian, so much. Okay, you guys, we're going to go right to the Q&A session, um, so that we can get to as many questions as possible. And I want to thank everyone for attending today's presentation, Protect Your Clients; Protect Yourself. LaMar, Brian and Sue are staying on to answer your questions. We will answer as many as we have time for. But of course, we've gotten so many in, we're not going to be able to answer all of them. So, without further ado, I'm going to start off.

Brian, I've got a question from someone in the audience. What security software do you suggest we have installed on our computers? Can you answer that?

Brian Thomas I can't endorse an actual software. But I will say that there are many resources out there available. I would highly recommend that you talk to some of your peers and see what kind of software they use. If you belong to any professional organizations such as the NATP, the AICPA, those are great resources. And I would also challenge you to do some research on your own. There are a lot of well-published magazines and companies out there that publish a lot of security-type material on data security.

Karen Russell Thank you so much. And Sue, I'm going to throw this one out to you. Um, can you talk about how to set up a VPN and tell us what VPN stands for? And is it a good idea even if the person is a sole proprietor or sole provider who meets clients remotely at times? Can you respond to that, please?

Susan Jarvis I'll do my best. VPN is a Virtual Private Network. I'm not a tech person, so I can't tell you the logistics and the mechanics of how that gets set up. My IT folks did that for me. But my advice is that if you're working remotely in any way, you should definitely have two-factor authentication, which means you need to put in the VPN. My IT people said, even if you work from your iPad or your phone or log into your computer, you can have it installed on your phone. I think it just takes a very short period of time to set up. I'm talking maybe 30 minutes. It's not a big deal. But most definitely, um, you need to do it if you're working remotely at all.

Karen Russell Thank you so much for that information. LaMar, I'm going to toss one out to you. The publication that you were talking about, uh, Publication 4557, what is the title of that? Do you remember?

Lamar Singletary Publication 4557, stand by for a second, please. Make sure I got it right. [Speakers overlapping.]
Brian Thomas Karen, it's Safeguarding Taxpayer Data.

Karen Russell Thank you so much. But it is the 4557, LaMar, correct? You've got that right.

Lamar Singletary Yes.

Karen Russell Yep. Okay. And then I've got another question for you quickly, LaMar. So, you know, there was a pilot program for the IP PIN for Georgia, Florida, and DC because this is where the most cases of ID theft were in the United States. So, the question is, can others not in those states apply for an IP PIN to reduce the identity theft? Is that a possibility? Can they do that?

Lamar Singletary They should be able to, yes.

Karen Russell Awesome. And would they just go online to IRS.gov to find out more information about that?

Lamar Singletary Yeah.

Karen Russell Okay. Thank you so much. Okay, um, Brian, I have someone in the audience that says their professional software now requires a driver's license from their clients. Okay. So, when they're preparing returns, I guess the preparer has to put the client's driver's license number in the software. Doesn't this make the tax preparer more of a target and make the client more vulnerable?

Brian Thomas Uh, actually no. But it does make them vulnerable. And the reason that the software is requiring that is because they do authentication, getting to know your client. So, for instance, um, they want... the software company wants to make sure that the person sitting across from the tax preparer is actually the person that is actually transmitting the return. Because if it's not, when they go to send it and it doesn't match, it will automatically kick back from your software provider. It will not go to the IRS.

Karen Russell Okay. Thank you so much for that. And I see a question in here about how to find out who our local IRS stakeholder liaison is. Brian, do you want to answer that or do you want me to answer that?

Brian Thomas Well, I always went to IRS.gov and typed in stakeholder liaison into the search engine. And it gave me a bunch of them.

Karen Russell That's right. That's right. Or you can go to IRS.gov and, when you type in stakeholder liaison, it will pull up a map. And then you click on whatever state you're in. And you can find out that way. Um, Sue, there is a sole proprietor who works on very few tax returns, less than 15. And they are the only person that works on the tax returns. Do they need a data security plan?

Susan Jarvis Um, under the FTC rules, I don't know what the rule is, quite honestly. But I'm guessing that they do. And frankly, if you're working on that few returns, I have to ask myself, is it worthwhile at this point in time?
Is it worthwhile to have the malpractice insurance, doing the IT that you need to do and all of those things? You know, that's a personal choice. But for me, you're either all in, or you're all out.

Karen Russell Thank you for that information. So, you guys, that is all the time we had for questions. Now, many thanks to our presenters, awesome job, you guys, thank you. Thank you, thank you. And so, for the audience, if you attended today's web conference for at least 50 minutes after the official start time, which is 2:00 PM, you will receive a certificate of completion that you can use with your credentialing organizations for possible CPE credit. Now, if you're eligible for continuing education from the IRS and registered with your valid PTIN, your credit will be posted in your PTIN account. And if you're eligible for continuing education from the California Tax Education Council, your credit will be posted to your CTEC account as well. Now, if you registered through the Florida Institute of CPAs, your participation information will be provided to them for earning your CPA CPE. If you qualify and you haven't received your certificate and/or credit by November 14, please email us at CL.SL.web.conference.team@IRS.gov. And the email is shown on the slide as well. So, our continuing education lead wants you to know that we welcome your participation in our webinars. But when we offer a topic more than once during any given time, you can only earn a certificate and related CE credit for one, not two, of the same webinar. Um, if you're interested in finding out who your stakeholder liaison is, if you don't want to go to IRS.gov, go ahead and send an email to the address on the slide and we'll send you that information. And then, as a part of the Service's effort to provide you with timely topics and interesting speakers, we'd appreciate it if you would take a few moments to complete a short survey before you exit the webinar.
What you'll need to do, if you didn't turn your pop-up blocker off, you'll need to turn it off so that you can get the survey. If you'd like to have more sessions like this one, let us know. If you have thoughts on how we can make them better, let us know that, too. If you have any requests for future web conference topics or pertinent information you want to see on IRS.gov or in an IRS fact sheet or tax tip or an FAQ, you know, please include your suggestions in the comment section of the survey. And all you'll need to do is click the survey button on the left side of your screen to begin. And if it doesn't come up, check that your pop-up blocker is disabled. So, we are planning additional webinars throughout the rest of this year and the rest of next year. And all you need to do is go on IRS.gov and use the keyword search "webinar" in the search box. And you can either pull up webinars for tax practitioners or webinars for small businesses, depending on which ones you want to choose from. And we will be offering CE credit for those as well. So, it has been a real pleasure to be here with you. And on behalf of the Internal Revenue Service and Susan Jarvis, I would like to thank you all for attending today's webinar. It's important for us to stay connected with the tax professional community, our industry associations, state and local government organizations and individual taxpayers. And that's because you guys make our jobs a lot easier by sharing the information that allows for proper tax reporting. So, thank you again for your time and attendance. Much success in your business and/or your practice.

And as you prepare for the upcoming filing season, please feel free to exit our web conference at this time. Thank you. This concludes today's webinar. We thank you for your participation. You may disconnect your line at this time, and have a great day.