Security
• Unintentional disclosure of private information is rising
• Laptops are a favorite target for thieves
• Laptops are not the only way sensitive data is lost, but
  • Laptops are easy to steal, easy to sell
Security
• A responsible organization must assume the worst if data is lost or stolen, and notify:
  • Clients in certain circumstances
  • Regulatory bodies
  • AARP Tax-Aide organization levels
Security
From IRS Publication 4299: As a condition of IRS loaned equipment, the recipient of loaned equipment agrees to notify SPEC within 48 hours if equipment is lost or stolen. Partners are asked to provide the following:
• Serial number, Make, and Model of computer
• Description of what occurred
• Taxpayer data at risk (include number of records)
• Was computer encrypted?
• Did the computer have a strong password? (Describe password make-up)
• Was or will taxpayers be notified of theft/loss? (if notified, method used)
Security
New York General Business Law § 899-aa (Paraphrased): Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.
"Private information" shall mean personal information consisting of any personal information combined with SS #, or account numbers with access codes, or credit cards, etc., when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired.
Security
New York General Business Law § 899-aa; State Technology Law § 208: The (loss of data) notice must contain a description of the categories of information breached and be issued to the affected persons by one of the following methods: a) written notice, b) electronic notice, or c) telephone notification.
The entity must also inform the Office of the NYS Attorney General, the Consumer Protection Board and the NYS Office of Cyber Security & Critical Infrastructure Coordination of the timing, content and distribution of the notices and approximate number of affected persons.
Security
• Remember that in addition to name, address, and Social Security Number, the data can include bank routing and account numbers.
• This year in the AARP Tax-Aide program there were:
  • Three laptops reported stolen/lost.
  • One missing form.
  • Three lost flash drives.
Security
• One potential identity theft letter was sent out to a taxpayer where the form was lost.
• IRS Pub 4299 has examples of high risk (e.g. lost papers or a lost computer with passwords written on paper in the case) and low risk (e.g. lost computer with encryption and strong passwords) situations.
• Discuss the situation with your IRS SPEC to decide whether taxpayer notice is needed.
Security
• Read the Security and Confidentiality Section in the Policy Manual
• It is divided into three sections
  • Data Security
  • Physical Security
  • Reporting a loss
Security
• Physical Security
  • Forms (W-2s, 1099, TaxWise forms/documents)
  • Computer Storage
    • Do not store computers in your car or leave them unattended in a visible area of a car.
  • Site set-up
    • Keep clients from hearing or seeing other clients' information.