For tax preparers, navigating stringent data security regulations can feel like crossing a minefield. A single data breach at a tax preparer's practice can cost the preparer the client's trust and business, along with lasting reputational damage. Additionally, IRS penalties can range from financial penalties to disbarment. These are the consequences that every tax preparer faces.

For tax preparers, the first step to avoiding these consequences is to have an in-depth understanding of relevant regulations. This is especially important regarding IRC sections, under which failure to protect taxpayers’ data may lead to severe penalties for tax preparers. Along the way, they must stay up-to-date with the latest IRS Data Security requirements, such as maintaining a WISP document. They should also follow the Security Six Guidelines to ensure compliance with the recommended security protocols. 

This blog helps tax preparers understand IRS Data Breach Penalties so they can develop strategies and systems to stay compliant. 

IRS Data Breach Penalties for Tax Preparers 

Financial Penalties 

Under IRC Section 6713, tax preparers may be subject to significant civil monetary penalties for unauthorized use or disclosure of taxpayer information. The civil monetary penalty is $250 per violation for the unauthorized use or disclosure of taxpayer information related to tax preparation, up to a maximum of $10,000 for the calendar year.

If an unauthorized use or disclosure relates to identity theft, the civil monetary penalty is $1,000 per violation, up to a maximum of $50,000 for the calendar year. Tax preparers must also have a comprehensive written information security plan to comply with the FTC Safeguards Rule. Failure to implement and adopt such security plans will result in additional penalties starting at $50,000 per violation.

Criminal Penalties 

Tax preparers and others who intentionally breach the confidentiality of taxpayer information, whether in violation of Title 26 U.S.C. § 7216 (the “General Policy Concerning Confidentiality of Taxpayer Information”) under U.S. Treasury Regulations or of other statutes that make it illegal for any person, corporation or government entity to use taxpayer information for their own purposes, face the same penalties as individuals who violate § 7216 or any other applicable statute that prohibits fraud.

A tax preparer who delivers a taxpayer’s information to someone else can be considered to have committed a criminal offense against the federal government and may face criminal charges carrying a possible maximum penalty of $1,000, as well as probationary supervision for up to one year after release from the custody of the Bureau of Prisons.

If a tax professional has been found to have committed fraud or has fraudulently declared anything on a tax return, this will be treated as a felony with a maximum fine of $100,000 ($500,000 for corporations) and/or three years in jail. 

Loss of Professional Credentials  

Disciplinary action against tax professionals who violate Circular 230 while working with the IRS lies within the authority of the IRS Office of Professional Responsibility (OPR). Such authority extends to auditing and investigations offices of the IRS that utilize tax accountants to serve their clients. 

The OPR has three types of sanctions available:  

  • Public reprimand  
  • Suspension of client representation for a given period of time (temporary suspension)
  • Indefinite suspension until further instructions from the OPR 

If the tax preparer has committed an egregious act, OPR can revoke their right to practice before the IRS (disbarment) and prevent them from representing any taxpayers for five years or more. The primary objective of the sanctions imposed by OPR is to increase professionalism and integrity in the tax preparation industry and to hold all practitioners accountable for their ethical responsibilities and compliance with IRS regulations.

Revocation of the preparer’s PTIN and EFIN 

Tax preparers who have received multiple penalties for failing to comply with IRS regulations are subject to termination of their PTIN and EFIN by the IRS. Without a PTIN and EFIN, a tax preparer cannot charge clients to prepare and file their taxes. Along with losing these credentials, a tax preparer who does not comply with IRS guidelines may face penalties, fines or both when they prepare a tax return.

Any false statements made or false representations provided by the Tax Preparer during the tax preparation and filing process are also considered serious violations, and the Tax Preparer could face criminal prosecution, fines, and/or imprisonment. 

How to Avoid IRS Data Breach Penalties 

  • Create a WISP Document: A Written Information Security Plan (WISP) is an official, documented program that describes a CPA firm’s methods for protecting sensitive information, especially client data, through a combination of administrative, technical, and physical controls. It acts as a roadmap for a CPA firm’s data protection efforts, ensuring compliance with IRS tax preparer security standards, FTC regulations, and state laws. 
  • Follow the IRS’s Security Six Guidelines: The IRS has developed the Security Six, a set of six essential cybersecurity protection measures that CPA firms should put in place to mitigate data intrusion and cyberattacks. Implementing the Security Six guidelines gives CPA firms the best possible chance of protecting their clients’ sensitive information and maintaining a framework that limits the potential for data compromise.
  • Appoint a Security Coordinator: CPA firms should designate at least one employee to be responsible for managing their information security program. The appointed individual will act as the authority for implementing all security protocols and for training staff members in how to maintain compliance and safety. 
  • Perform Regular Risk Assessments: A CPA firm should assess potential risks and vulnerabilities in its computer systems regularly. This will allow CPA firms to determine the weak points in their security systems and develop strategies for targeting improvements in these areas. 
  • Conduct Continuous Monitoring and Testing: CPA firms should actively monitor their security practices and test them periodically to verify that those practices are working. If there are any new risks or changes in operations, CPA firms need to update their security measures accordingly and as soon as possible.

Conclusion 

The tax preparation industry handles large amounts of sensitive financial data submitted to tax preparers, and that data is at risk from malicious attacks through electronic systems and from bad actors accessing client files.

All tax preparers are required to maintain client confidentiality in accordance with IRS regulations, and doing so also preserves their own good reputation. Consequently, tax preparers should adopt the most effective measures available to them for the protection of such data. To stay on top of things, tax preparers must stay informed of changes in safety and compliance regulations, particularly changes coming from the IRS.