Tax Tips (and other stuff)

Kelly Bullis: Written information security plan for businesses

Kelly Bullis


With the constant news barrage of Chinese hackers getting into all kinds of business computer systems, I think it might be timely to review how to reduce your chance of that happening to you.

As tax preparers, we carry a heavy burden from the IRS to protect client data. The goal is to fight identity theft and tax refund fraud. The Gramm-Leach-Bliley Act (GLBA) is a law that requires financial institutions to protect customer data. Under the GLBA, tax and accounting professionals are considered a “financial institution.”

The GLBA enforcement process requires that a Written Information Security Plan (WISP) be established. The following provisions of a WISP are not bad ideas for every business to consider since almost every business these days has customer private identity information in their electronic devices.

1. Designate a qualified individual to coordinate the information security program. (Usually, the small business owner is this person.)

2. Identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks.

3. Design and implement a safeguard program and regularly monitor and test it.

4. Select service providers that can maintain appropriate safeguards by ensuring your contract requires them to maintain safeguards and oversee their handling of customer information.

5. Evaluate and adjust the program considering relevant circumstances, including changes in the business or operations, or the results of security testing and monitoring.

6. Implement multi-factor authentication for any individual accessing any information system unless your qualified individual has approved in writing the use of reasonably equivalent or more secure access controls. Also, use strong passwords that are changed regularly.

7. Report a security event affecting 500 or more people to the FTC as soon as possible, but no later than 30 days from the date of discovery.

The IRS has some good resources to help a business understand the WISP concept: Publication 4557 and Publication 1345 (Identity Theft section).

In summary, a good information system security plan should focus on three areas. First, physical safeguards – keep your data safe from physical threats. Second, technical safeguards – ensure your devices and network are not compromised. Third, administrative safeguards – manage and train your employees. (It is a good idea to create an employee acknowledgement-of-understanding document that each employee signs, agreeing to follow your company's WISP policies.)

Have you heard? Job 11:18 says, “And you will feel secure, because there is hope; you will look around and take your rest in security.”

FYI: A memorial service for John Bullis is scheduled Saturday, Feb. 1 at 10:30 a.m. at the Carson Presbyterian Church.

Kelly Bullis is a Certified Public Accountant in Carson City. Contact him at 775-882-4459. On the web at BullisAndCo.com. Also on Facebook.