Tax season is always a stressful time, and with the IRS tax deadline just around the corner, many individuals and businesses are rushing to get their returns filed in time. In this scramble, it’s easy to overlook the plethora of serious privacy and security concerns surrounding the sensitive financial data entrusted to tax preparation companies. 

There are few documents more personal and sensitive than a tax return, which is why you shouldn’t trust just any tax preparation company. Unfortunately, in recent years we’ve seen numerous cases of these companies misusing or failing to properly protect their customers’ personal and financial information. In fact, last year, a congressional report showed that some of America’s largest tax-prep companies had been sharing clients’ sensitive financial data with tech giants for years. This data includes income, mortgage information, etc., and was allegedly used to target individuals with tailored financial advertisements and product offers, potentially in violation of federal law. To make things worse, some of these companies still do not know whether the shared data still remains in the hands of these tech platforms. Customers put their trust (often blindly) in these tax prep companies to handle their most sensitive financial details, and they deserve to know that their information will be protected.

In addition to the violation of consumer trust we’ve seen from tax prep companies themselves, tax season marks a peak in cybercriminal activity. The increase of sensitive information being shared during this time makes it perfect for bad actors to take advantage. Last year, the IRS identity theft detection identified more than 1.1 million tax returns as potentially fraudulent, with the total refunds claimed totaling over $6 billion. Individuals and businesses must be extra vigilant when sharing their financial data, especially during tax season.

This piece will explore strategies for individuals, as well as tax preparation organizations, to ensure their data and their clients’ data is protected this tax season and beyond. 

Protecting your personal data

First and foremost, it is important to be extremely cautious about which tax prep company you choose to work with. Research their privacy policies, data security practices and any past incidents of data breaches or misuse before moving forward. 

Additionally, individuals should utilize encryption and password managers when sharing financial documents digitally. Encryption should be the standard for all sensitive information, whether stored locally, in the cloud or transmitted over networks. Utilizing strong encryption algorithms ensures that even if data is compromised, it remains unreadable to unauthorized parties. It is also vital to use strong, unique passwords for all accounts and be wary of phishing scams that use convincing tactics to encourage individuals to reveal sensitive information — never send sensitive information like Social Security numbers or bank account details via unsecured email or file sharing. Instead, look for tax prep companies that offer secure client portals or encrypted file transfer options.

Finally, individuals should monitor credit reports and financial accounts, even after their taxes have been filed. Signs of identity theft or unauthorized activity may not appear immediately, so continuous monitoring is important. 

Best practices for tax prep companies and professionals

As a tax prep company, it is vital that sensitive client information is protected. These organizations must be aware of two types of rise — people risks and systems risks. They should invest in tools that automatically enhance data security for both people and systems. For example, data security can be simplified through automating encryption and decryption processes to ensure robust protection of sensitive information.

Access control is also critical to limit exposure to sensitive data, by not only enforcing the least privilege principle but also continuously monitoring and adjusting access rights based on role changes or project completions. Advanced access management systems, integrating multi-factor authentication (MFA), can automatically adjust permissions based on the user's location, device security posture and the sensitivity of the accessed data.

Tax preparation companies should foster a culture where data protection is a shared responsibility across the organization. They should offer and require comprehensive training programs to enhance security awareness, ensuring their clients’ sensitive financial information is consistently secure. This must also be a requirement for temporary workers. Because of the increased workload during tax season, many organizations hire temporary workers. While this practice is common, it does pose increased data security risks. Temporary workers may have access to sensitive financial information, and without proper safeguards, this information could be compromised. It is vital that organizations conduct proper background checks, require intense training and instill the proactive data protection mindset for temporary workers as well, to reduce the risk of insider threats.

It is also important for these companies to consider the risks AI poses to client data. With AI, it is easier than ever to generate deepfakes and implement large-scale social engineering tactics to obtain taxpayer information by pretending to be tax preparers. This poses a particular risk to more vulnerable populations like the elderly, who may not be aware of these tactics and are increasingly targeted. With this, it is vital that tax professionals are educated on how to properly collect information, only using the secure, approved portal, rather than over the phone or via email. In the unfortunate event that tax filers become a victim of Stolen Identity Refund Fraud, it is essential that they notify the IRS immediately, so they can promptly investigate and pursue the issue on their end. 

Finally, ongoing security and risk assessments are necessary to understand the organization's threat landscape and evaluate the effectiveness of existing controls. These assessments should include penetration testing, vulnerability scanning and risk analysis processes to identify weaknesses and develop strategies for mitigation. 

Protecting customer privacy should be the top priority for any business handling sensitive financial data. Tax prep companies have a responsibility to ensure the security of their clients’ data. They must consider the evolving threat landscape and improve their security protocols as needed. When these companies fail to meet this responsibility, it is important that clients themselves are informed, know how to implement proper security protocols, and continue to advocate for stronger data privacy protections.