CLIENT CONFIDENTIALITY AND DATA SECURITY POLICY
Types of information we collect: We collect nonpublic personal information about clients that is provided by them or obtained by us with their authorization to prepare their personal income tax returns and provide personal or business accounting, contract reviews, and all business advisory services.
Examples of sources from which we collect information: Client Interviews, Tax Return Organizers, Financial Planning Organizers, request for bank statements and accounting data, examinations and reviews, and Financial History Questionnaires.
To properly prepare a client's income tax return or provide various business advisory services, we receive information from the client to complete their tax return or accounting and other business advisory services. This information is collected in written form, by phone, online, by mail, and in personal interviews and consultations conducted by us, as well as from information we collect from others with the client's authorization.
Transaction Information: This is information about client transactions with us and includes information necessary for billing and payment for our income tax preparation, accounting and business advisory services, as well as all correspondence between the client and the firm. Transaction information would also include client payment history with us, billing records and any collection effort engaged in by us for payment of services rendered to the client.
Parties To Whom We Disclose Information
We do not disclose any nonpublic personal information about our clients or former clients to our affiliates or to non-affiliated third parties except as permitted by law, the Code of Professional Conduct and Ethics Rules of the State of California CTEC tax preparers and accountants, and those of the American Institute of Certified Public Accountants (AICPA). We do not have any affiliates to whom we disclose such information except where we are working with a client’s attorney in financial and estate planning, or in the case of litigation, and the client has given us permission to disclose certain information.
Nonpublic Personal Information about current and former clients may be disclosed to both our affiliates and non-affiliated third parties as permitted by law, our Code of Professional Conduct and Ethics Rulings of the AICPA as follows:
1. Complying with a validly issued and enforceable subpoena or summons.
2. In the course of a review of our firm’s practices under the Public Company Accounting Oversight Board (PCAOB) or the American Institute of Certified Public Accountants (AICPA).
3. Initiating a complaint or responding to an inquiry made by the Professional Ethics Committee of CTEC or under Internal Revenue Service policies on tax return preparers.
4. A review of a professional practice in conjunction with a prospective purchase, sale, or merger of all or part of our practice, provided that we take appropriate precautions (for example, through a written confidentiality agreement) so the prospective purchaser does not disclose information obtained in the course of the review.
5. Participating in actual or threatened legal proceedings or alternative dispute resolution proceedings either initiated by or against us, provided we disclose only the information necessary to file, pursue, or defend against the lawsuit, and take reasonable precautions to ensure that the information disclosed does not become a matter of public record. However, if you are a public figure with media access to your professional life, and public records are placed in the media by your personal representatives, business advisers, managers, etc., it is not the responsibility of this firm. If you have committed fraudulent acts in any way or have not fulfilled your contract with our firm and are in breach, the firm will defend itself in the appropriate professional venues.
6. Providing information to affiliates of the firm and non-affiliated third parties who perform services or functions for us pursuant to a contractual agreement which prohibits the third party or affiliate from disclosing or using the information other than for the purposes for which the information was disclosed: for example, using an outside service bureau to process client’s tax returns.
General Restrictions on Disclosure of Nonpublic Personal Information to Affiliates and Nonaffiliated Third Parties
As tax preparers, we are prohibited by Internal Revenue Code Section 7216 from disclosing a client’s income tax return information without their consent, other than for the specific purpose of preparing, assisting in preparing or obtaining and providing services in connection with the preparation of an income tax return for you. Furthermore, as a member of the CTEC and other accounting boards engaged in income tax preparation or financial statement preparation, we are generally prohibited from disclosing confidential client information about our clients to affiliates and non-affiliated third parties without your specific consent.
Confidentiality and Security of Nonpublic Personal Information
We restrict access to Nonpublic Personal Information about clients to those employees and other parties who must use that information to provide services. Their right to further disclose and use the information is limited by our employee code of conduct, applicable law, our Code of Professional Conduct, and nondisclosure agreements where appropriate. We also maintain physical, electronic, and procedural safeguards over Nonpublic Personal Information, including documents that have been digitized and stored in a secure offsite data center, in compliance with applicable laws and regulations, to guard a client’s Nonpublic Personal Information.
CLIENT DATA SECURITY
Statement of The Firm: Safeguarding taxpayer data is a top priority for Icon Tax Group (Icon). The firm believes that safeguarding this data is the responsibility of every government, business, organization, and individual that receives, maintains, shares, transmits, or stores taxpayers’ personal information. Taxpayer data is defined as any information that is obtained or used in the preparation of a tax return (e.g. income statements, notes taken in a meeting, or recorded conversations).
Whether you are paid or unpaid for your services, a one-person operation or a large corporation, and have one client or thousands, it is critical to protect taxpayer data. Putting safeguards in place helps Icon prevent fraud and identity theft, and enhances customer confidence and trust.
Our security plan is a guide to help everyone at our firm who handles taxpayer data understand and meet our responsibility to safeguard this information. IRS e-file and paper Return Preparers, Intermediate Service Providers, Software Developers, Electronic Return Originators, Reporting Agents, Transmitters, their affiliates, and service providers can use our security guide to determine and meet data privacy and security needs.
There are a growing number of laws, regulations, standards, and best practices that cover the privacy and security of taxpayer data. This security plan references those that provide guidelines on establishing safeguards for the firm:
- Preserve the confidentiality and privacy of taxpayer data by restricting access and disclosure;
- Protect the integrity of taxpayer data by preventing improper or unauthorized modification or destruction; and
- Maintain the availability of taxpayer data by providing timely and reliable access and data recovery.
HOW ICON SAFEGUARDS TAXPAYER DATA
Icon handles taxpayer information that may be subject to the Gramm-Leach-Bliley Act (GLB Act) and the Federal Trade Commission (FTC) Financial Privacy and Safeguards Rules. Whether or not we are subject to the GLB Act and the FTC Rules, we benefit from implementing the general processes and best practices outlined in the FTC information privacy and safeguards guidelines.
- Icon takes responsibility and has assigned an individual or individuals to be responsible for the safeguards;
- Icon assesses the risks to taxpayer information in our office(s), including our operations, physical environment, computer systems, and employees, if applicable. We continually list all locations where we keep taxpayer information (computers, filing cabinets, and bags and boxes taxpayers may bring to our firm);
- Icon uses only service providers who also have policies in place to maintain an adequate level of information protection as defined by the Safeguards Rule; and
- Icon monitors, evaluates, and adjusts our security program as our business or circumstances change.
The FTC has fact sheets and guidelines on privacy and safeguards for businesses on their Web site at www.ftc.gov.
To safeguard taxpayer information, Icon from time to time determines the appropriate security controls for our environment based on the size, complexity, nature, and scope of our activities as an accounting, tax and business advisory firm. Security controls are the management, operational, and technical safeguards we may use to protect the confidentiality, integrity, and availability of our customers’ information. Examples of our security controls are:
- Locking doors to restrict access to paper or electronic files;
- Requiring passwords to restrict access to computer files;
- Encrypting electronically stored taxpayer data;
- Keeping a backup of electronic data for recovery purposes; and
- Shredding paper containing taxpayer information before throwing it in the trash.
SECURITY CHECK LIST
Icon has adopted a checklist that includes the many activities that are included in an information security program. It is designed to help our firm put in place security procedures and controls to protect taxpayer information. Icon feels that it is important to consider all the safeguards that are applicable to our firm.
Safeguarding personally identifiable taxpayer information is of critical importance to retaining the confidence and trust of our clients. Appropriately handling information security incidents is also very important to retaining the confidence and trust of our clients.
An information security incident is an adverse event or threat of an event that can result in an unauthorized disclosure, misuse, modification, or destruction of taxpayer information. If Icon believes an information security incident has occurred that affects the confidentiality, integrity, or availability of our client data or the ability of the client to prepare or file a return, Icon will need to report the incident. The following are examples of types of incidents:
- Unauthorized removal of computers, data/records on computer media, or paper files.
- Accidental misplacement or loss of computers, data/records on computer media, or paper files.
- A person or computer gains logical or physical access without permission to a network system, application, data, or other resource.
- Unauthorized Disclosure / Usage: A person violates disclosure or use policies such as IRC sections 6713 & 7216. See Chapter 4, Laws and Regulations, for information on IRC sections 6713 & 7216.
- Computer System / Network Attack: A virus, worm, Trojan horse, or other code-based malicious entity infects a host and causes a problem such as disclosure of sensitive data or denial of services.
The following are the actions for incident reporting:
1. Individuals (e.g., employees and contractors) who detect a situation that may be an information security incident should immediately inform the individual designated by the business to be responsible for handling customer information security.
2. The individual responsible for handling customer information security should gather information about the suspected incident.
3. If the incident is believed to compromise a person's identity or their personal or financial information, Icon will refer to the FTC document, Information Compromise and the Risk of Identity Theft: Guidance for Your Business. Among other things, this reference will determine when to notify local law enforcement, the Federal Bureau of Investigation, the U.S. Secret Service, the U.S. Postal Inspection Service, affected businesses, and clients. See the "Safeguarding Taxpayer Data, References to Applicable Standards and Best Practices" table in Chapter 5 for the Internet link to this FTC document.
Laws and Regulations
SAFEGUARDING TAXPAYER DATA - REFERENCES TO APPLICABLE LAWS AND REGULATIONS
TYPE: Federal/Privacy and Security
SUMMARY: The Gramm-Leach-Bliley Financial Modernization Act of 1999 - This statute (otherwise known as the Gramm-Leach-Bliley Act) (GLB Act), among other things, directed the FTC to establish the Financial Privacy Rule and the Safeguards Rule. More information is available at http://www.ftc.gov/privacy/privacyinitiatives/glbact.html
SUMMARY: FTC Standards for Safeguarding Customer Information Rule (16 CFR Part 314) - This rule (otherwise known as the Safeguards Rule) requires financial institutions, as defined, which includes professional tax preparers, data processors, affiliates, and service providers, to ensure the security and confidentiality of customer records and information. It protects against any anticipated threats or hazards to the security or integrity of such records. In addition, it protects against unauthorized access to or use of such records or information which could result in substantial harm or inconvenience to any customer.
This Rule requires that financial institutions develop, implement, and maintain an Information Security Program.
The plan should be written in one or more accessible parts and contain administrative, technical, and physical safeguards that are appropriate to the business size and complexity, nature and scope of activities, and sensitivity of customer information handled. The Safeguards Rule is available
SUMMARY: Sarbanes-Oxley Act of 2002 (17 CFR Parts 232, 240 and 249) - Section 404 requirements apply to all Securities and Exchange Commission (SEC) reporting companies with a market capitalization in excess of $75 million. It requires companies to establish an infrastructure to protect and preserve records and data from destruction, loss, unauthorized alteration, or other misuse. This infrastructure must ensure there is no room for unauthorized alteration of records vital to maintaining the integrity of the business process. More information is at http://www.gpoaccess.gov
SUMMARY: FTC Privacy of Consumer Financial Information Rule (16 CFR Part 313) - This Rule (otherwise known as the Financial Privacy Rule) aims to protect the privacy of the consumer by requiring financial institutions, as defined, which includes professional tax preparers, data processors, affiliates, and service providers, to give their customers privacy notices that explain the financial institution's information collection and sharing practices. In turn, customers have the right to limit some sharing of their information. Also, financial institutions and other companies that receive personal financial information from a financial institution may be limited in their ability to use that information. The FTC Privacy Rule implements sections 501 and 502(b)(2) of the GLB Act requirements.
The Privacy Rule is available a
SUMMARY: Title 26: Internal Revenue Code (IRC) 301.7216.1 - This provision imposes criminal penalties on any person engaged in the business of preparing or providing services in connection with the preparation of tax returns who knowingly or recklessly makes unauthorized disclosures or uses of information furnished to them in connection with the preparation of an income tax return. Internal Revenue Code (IRC) 7216 is available at http://www.gpoaccess.gov
SUMMARY: Title 26: Internal Revenue Code (IRC) 6713 - This provision imposes monetary penalties on the unauthorized disclosure or use of taxpayer information by any person engaged in the business of preparing or providing services in connection with the preparation of tax returns. Internal Revenue Code (IRC) 6713 is available at http://www.gpoaccess.gov.
SUMMARY: Internal Revenue Procedure 2005-60 - This procedure requires Authorized IRS e-file Providers to have security systems in place to prevent unauthorized access to taxpayer accounts and personal information by third parties.
It also specifies that violations of the GLB Act and the implementing rules and regulations promulgated by the FTC, as well as violations of the non-disclosure rules contained in IRC Sections 6713 and 7216 are considered violations of Revenue Procedure 2005-60, and are subject to sanctions specified in the Revenue Procedure. Internal Revenue Procedure 2005-60 is available at www.irs.gov
TYPE: State/Privacy and Security
SUMMARY: State Laws - Many state laws govern or relate to the privacy and security of financial data, which includes taxpayer data. They extend rights and remedies to consumers by requiring individuals and businesses that offer financial services to safeguard nonpublic personal information. As to the state laws our firm must follow, we work within the State of California laws that govern tax professionals and the California Board of Accountancy.
STANDARDS AND BEST PRACTICES
Federal and state governments as well as private industry provide many information security standards and best practice guidelines to safeguard consumer information such as personal tax data. The National Institute of Standards and Technology (NIST) provides security guidelines and practices for federal agencies that nongovernmental organizations may also use. Below is a list of references on a variety of information safeguard topics that can help our firm understand and comply with laws, regulations, and best practices that may apply to our firm or business.
SAFEGUARDING TAXPAYER DATA
REFERENCES TO APPLICABLE STANDARDS AND BEST PRACTICES
- "Getting Noticed: Writing Effective Financial Privacy Notices"
- "Information Compromise and the Risk of Identity Theft: Guidance for Your Business"
- "FTC Facts for Business: Financial Institutions and Customer Information: Complying with the Safeguards Rule"
- FTC Disposal Rule (2005) - "FTC Business Alert: Disposing of Consumer Report Information? New Rules Tell How"
- "Security Check: Reducing Risks to your Computer Systems"
- "Stop. Think. Click: Seven Practices for Safer Computing"
- NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems: Provides guidance on developing an information Security Plan and includes a sample plan in Appendix A
- NIST SP 800-53, Recommended Security Controls for Federal Information Systems
- NIST SP 800-61, Computer Security Incident Handling Guide
- NIST SP 800-30, Risk Management Guide for Information Technology Systems
Private Industry / Security
Industry Standards and Best Practices - Many private industry companies provide best practice advice on protecting information systems and safeguarding customer data. Icon will obtain more information on industry standards and best practices by researching the Internet and other legal resources.
GLOSSARY OF TERMS
© 2015 Icon - Icon Tax Group, Inc. - All Rights Reserved
Revision: Michael Lodge - 8/31/15