The IRS’s Security Summit is preparing cybersecurity scenarios for the payroll and tax software industries that include guidance on data protection and personally identifiable information, authentication, identity proofing, social engineering and phishing, insider threats, third-party services and vendor management, and general tips for protecting businesses. The Security Summit is a coalition consisting of the IRS and stakeholder community. APA members contribute by sharing payroll security risks and working to develop solutions to protect payroll departments from criminal activity.
Personally Identifiable Information
Personally identifiable information (PII) is any combination of data that is unique to an individual, such as name, date of birth, address, and social security number. When this information is obtained by someone other than the employer, it can cause paycheck delivery to the wrong person, insurance fraud, tax fraud, and more. If payroll professionals discover a leak or exposure, they should notify their local IRS Stakeholder Liaison, who will notify the IRS’s Criminal Investigation Division. In addition, victims should be informed of the breach.
Login Systems and Authentication
Payroll departments can also receive attacks through employer login systems resulting in leaks of Forms W-2, PII, and return transcripts or, worse, access to other system users when the account belongs to a payroll administrator. The best solution is to use multi-factor authentication for employer login systems (e.g., having a one-time passcode sent to a phone, using an authenticator application, using hardware that plugs into a USB port and enters a passcode automatically). Passwords should be at least 12 characters with a mix of letters and numbers and avoid common words. If you are affected, contact your IT security immediately.
Available Resources
The IRS provides additional guidance:
- Publication 4557, Safeguarding Taxpayer Data
- Publication 5293, Data Security Resource Guide for Tax Professionals
- IRS Tax Tip 2018-188: W-2 Scams
- IRS Tax Tip 2018-187: Strong Passwords Help Protect Accounts Against Cybercriminals
Alice P. Jacobsohn, Esq., is Senior Manager of Government Relations for the APA.
