In the world of tax professionals, there’s a saying: “It’s not a matter of if, but when.” This adage, once reserved for IRS audits, now applies to a far more menacing threat: data breaches.
Tax firms possess a trove of sensitive client information, including Social Security numbers, bank account details, and past tax returns. This comprehensive data makes tax professionals prime targets for cybercriminals looking to commit identity theft and file fraudulent returns.
In this Federal Tax Updates podcast episode, Roger Harris interviews Catharine Madeley, a CPA from Austin, Texas, who shares her firsthand experience of a data breach at her firm. Catharine’s story underscores the urgent need for tax professionals to prioritize cybersecurity in an evolving threat landscape.
This article explores why tax professionals are prime targets for cybercriminals, the real-world consequences of a data breach, and how practitioners can effectively prevent, detect, and respond to cyber incidents.
The Consequences of a Data Breach
Catharine shared the details of the breach at her firm, which occurred right before the September 15th filing deadline, one of the busiest times for tax professionals. The breach’s timing amplified Catharine’s already immense stress and workload, forcing her to navigate the incident response while still serving clients.
The impact of a data breach extends far beyond the initial incident. A breach can erode client trust, lead to legal liability, and threaten the very existence of a tax practice.
Catharine’s firm had to dedicate significant time and resources to investigate the scope of the breach, communicate with affected clients, and implement protective measures. The personal toll was also substantial, with Catharine barely sleeping for a month as she juggled the incident response with her normal workload.
Shifting the Mindset on Cybersecurity
Many tax professionals treat data security as a mere checkbox exercise rather than a critical, ongoing priority. As Roger notes, “We’re all aware that when we renew our PTIN, we have to check a box saying we’re supposed to have a written plan. But I think sometimes we don’t take it seriously. We write a plan to have a written plan, not to have data security.”
To navigate the evolving threat landscape, practitioners must embrace cybersecurity as an ethical imperative and invest in robust measures, response plans, and continuous education. This involves:
- Implementing strong technical controls, such as encryption, firewalls, and multi-factor authentication
- Regularly training staff on cybersecurity best practices and phishing awareness
- Developing and testing incident response plans to ensure prompt, effective action in the event of a breach
- Staying informed about emerging threats and trends through continuous learning and collaboration with cybersecurity experts
Responding to a Breach with Transparency and Expertise
After her firm’s breach, Catharine followed her written security plan, immediately contacting insurance, law enforcement, and the IRS. She recounts, “Stepping back, the first call I made was to insurance. I also went down that written information security plan list: call your state attorney general, call law enforcement, call the IRS.”
Catharine’s cyber insurance provided access to expert resources to investigate the breach and guide her response, underscoring the value of proactive preparation. Catharine maintained trust and strengthened relationships amid the incident by transparently communicating with clients and offering guidance on protective measures.
Catharine’s experience also highlights the importance of leveraging the IRS’s identity theft resources for tax professionals. By promptly registering exposed taxpayers with the IRS, firms can prevent fraudulent returns and protect clients and themselves.
Safeguarding Your Practice in the Face of Evolving Threats
Catharine’s story is a powerful reminder that no tax professional is immune to cybersecurity threats. To protect sensitive client data and uphold public trust, practitioners must shift their mindset, prioritizing cybersecurity as an ongoing, top-level concern.
As the cybersecurity landscape continues to evolve, tax professionals have a choice: view data security as a burdensome requirement or embrace it as an opportunity to strengthen client relationships and differentiate their services. By choosing the latter, practitioners can protect taxpayers and uphold the profession’s integrity.
Listen to the complete Federal Tax Update podcast episode to learn more about Catharine’s experience and gain valuable insights for safeguarding your practice.