Meet IRS cybersecurity requirements with a data security plan


Last Updated January 19, 2024


Tax security is the law, and firms that don’t meet IRS cybersecurity requirements cannot legally operate a large segment of their businesses. But what does it take to comply? Adopting the right technology is only part of what your firm needs to do. You also need a compliant data security plan.  

Three years ago, the IRS added security measures to its requirements for obtaining or renewing a Preparer Tax Identification Number (PTIN), which every tax preparer must hold in order to legally prepare tax returns. Two years ago, the agency followed up with the specific steps that tax preparers must complete to qualify for or renew a PTIN.

Accounting firms must meet IRS security requirements in order to obtain or renew a Tax Preparer Tax Identification Number (PTIN).

Data Security Starts But Doesn’t End With Security Technology  

The simplest part of a strategy for data security that meets IRS requirements is technology adoption. Most firms have likely already implemented the basic “Security Six” technologies the IRS requires: 

  1. Antivirus software
  2. Firewalls
  3. Two-factor authentication
  4. Backup software services
  5. Drive encryption
  6. Virtual private network (VPN)

However, firms should go beyond merely adopting the IRS Security Six if they want to prevent phishing attacks and implement true protection against cyberattacks. And in order to qualify for a PTIN, they’ll have to go beyond implementing cybersecurity technology.  

Recognizing that protecting client tax data is the law for tax preparers, the IRS has developed several recommendations and resources to help firms.

IRS Cybersecurity Requirements For a Preparer Tax Identification Number  

The other elements of PTIN qualification involve coming up with a written strategy for data security that passes IRS tests. This is not optional for firms; tax preparers who work without a PTIN can face severe penalties, including imprisonment for up to five years, steep fines (up to $100,000 for each violation, with officers and directors potentially being fined up to $10,000 for each violation) or both.  

So, what does the IRS require in a PTIN data security plan? Here’s what the agency itself says: 

  • Pick one or more employees to coordinate the information security program.
  • Identify the risks to customer information.
  • Evaluate the safety measures for controlling these risks.
  • Design and implement a safeguards program.
  • Select service providers that can maintain proper safety measures.
  • Make sure the contract requires the provider to maintain safety measures, and oversee their handling of customer information.
  • Regularly monitor and test the program.
  • Change the security program as needed. This should happen if any part is outdated, or when employees leave or join the company. 

Develop a Data Security Plan to Qualify For a Preparer Tax Identification Number 

These are not simple tasks. They are very likely to require outside expertise, particularly for small accounting firms. Fortunately, templates exist to assist you with creating a written plan; the IRS even offers one.

But even if some of the written work is done for you already, tasks such as picking an employee to coordinate a program, selecting a service provider to maintain safety measures, and monitoring and testing the program will fall to your firm.  

Outside of finding an employee to be a coordinator, you shouldn’t try to complete any of those tasks by yourself. It’s highly unlikely that you have the internal expertise or employee resources to successfully develop a PTIN cybersecurity strategy. Most accounting firms don’t. Most small businesses don’t. 

What’s more, the IRS template includes a requirement for training employees on how to avoid cyberthreats as well as for developing a plan in case of data theft. Those are also major tasks firms shouldn’t try to take on alone.  

The fact is that your business is accounting—not training employees on security, meeting security requirements or even managing cybersecurity technology. The IRS cybersecurity requirements specifically say that firms need service providers to implement and maintain proper security measures. This isn’t an internal project. It is, however, the law. 

Finding the right security service provider to partner with can give firms confidence in meeting IRS cybersecurity requirements.

Smart Security Management Enables Firms to Meet IRS Cybersecurity Requirements  

Fortunately, there are service providers that can take pressure off of firms to meet PTIN requirements. Smart Security Management (SSM), a concept pioneered by Right Networks, checks the boxes for firms looking to stay PTIN compliant.  

Smart Security Management represents a new model for handling security—one where firms take a holistic approach to security both inside and outside of the cloud. And who better to help you achieve this than Right Networks—a leading provider of cloud and security services with more than two decades of experience?  

Right Networks security tools allow firms to not only maintain a PTIN and meet IRS cybersecurity requirements but also to achieve a higher level of security overall. Firms can adopt Smart Security Management by moving to the right set of Right Networks products, including: 

  • Secure Cloud: Secure and reliable cloud hosting that safeguards your data with end-to-end redundancy across all systems. Secure Cloud also provides real-time data replication and multi-layer security systems fit for the enterprise—24/7/365.
  • Secure Workstation: A comprehensive, secure endpoint solution to safeguard your most critical data. You can have peace of mind with added security for all your employees with one solution.
  • Security Awareness Training: An employee education program that provides best practices for staying safe online. Security Awareness Training from Right Networks uses a gamified training program developed by experts. 

Right Networks perfectly fits the profile of the security provider the IRS requires—and much more. With Right Networks, you can concentrate on serving clients and building your firm while somebody else handles the IRS cybersecurity requirements and compliance for you.  

Are you ready to take your firm’s security strategy beyond where it is today? Contact Rightworks 
