Don’t Take the Bait – Responding to a Data Breach

In its tenth and final installment, “Don’t Take the Bait”, the 10-week IRS series on security updates for tax professionals, addresses steps for tax professionals to take in the event of a data incident. The September 15th article also offers tips for helping protect clients and taxpayers.

While the IRS and the tax community as a whole have indeed made strides in the battle against tax-related identity theft, there is still a long way to go. “We need the help of tax professionals across the country to help strengthen this effort,” explains IRS Commissioner John Koskinen. “In addition to working to ensure the safety of their systems, practitioners should promptly report identity theft or data breaches to help protect their clients.”

The IRS recommends that, in the event of a data theft, tax professionals take a variety of steps, contacting a number of people and agencies in order to address the breach. Their recommendations include the following:

  • Contact the local IRS stakeholder liaison.
  • Review the IRS Data Theft Information for Tax Professionals for more details; depending on the specifics of their situation, tax professionals might be recommended to inform the IRS (directly), the FBI, the Secret Service, and/or the local police.
  • Contact states in which the tax professional prepares state returns—reach out to for guidance on how to report victim information to the states and notify the State Attorneys General for each state in which you prepare returns.
  • Consider reaching out to security experts to determine the cause and scope of the breach.
  • Contact your insurance company to report the breach and see if your policy covers any mitigation expenses.
  • Inform the Federal Trade Commission.
  • Notify credit bureaus—some states require that you offer credit monitoring/identity theft protection to your affected clients.
  • Individually contact any victims among your clients via letter.

For more details, read the article in full at