Technology Advisor Blog

Professional Tax Preparers:  Do you have a Written Data Security Plan?

Posted by Ann Westerheim on 7/25/19 9:01 AM

The IRS has issued a reminder to all practitioners that all "Professional Tax Preparers" must create a written data security plan to protect clients.

The IRS and Security Summit partners are reminding tax preparers to take time this summer to make sure the plan is in place. It's required by federal law!

“Protecting taxpayer data is not only a good business practice, it’s the law for professional tax preparers,” said IRS Commissioner Chuck Rettig. “Creating and putting into action a written data security plan is critical to protecting your clients and protecting your business."

The FTC-required information security plan must be appropriate to the company’s size and complexity, the nature and scope of its activities and the sensitivity of the customer information it handles. This is very similar to the Massachusetts Data Protection Law requirements that went into effect in 2010. 

According to the FTC, each company, as part of its plan, must:

  • designate one or more employees to coordinate its information security program;
  • identify and assess the risks to customer information in each relevant area of the company’s operation and evaluate the effectiveness of the current safeguards for controlling these risks;
  • design and implement a safeguards program and regularly monitor and test it;
  • select service providers that can maintain appropriate safeguards, make sure the contract requires them to maintain safeguards and oversee their handling of customer information; and
  • evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.

It's important to note that the plan is to be designed around the company's size and complexity. The security coverage doesn't need to be expensive, but it needs to be comprehensive. There are many affordable options available to smaller organizations, so don't put this off and risk your clients and your reputation.

Summer is a great time to step up security!  Ekaru has a lot of training materials and affordable security options for small businesses, so if you have any questions about your existing security and risk level, give us a call!  

For more information, you can access the full IRS post here.

Tags: MA Data Security Law, cybersecurity, ransomware

Do you know where your WISP is?

Posted by Ann Westerheim on 3/20/14 8:26 AM

March 1 was the 4th anniversary of the Massachusetts Data Protection Law, which was introduced to help protect residents against identity theft and fraud. The law identifies requirements businesses must follow to secure protected information, which includes a resident's first name or initial and last name, combined with one or more specified pieces of protected information such as a driver's license number, bank account number, social security number, or credit card number. We've all read the headlines about major retailers such as Target, Hannaford, and TJX who have been in the news over the years for security breaches, but many small business owners may not be fully aware that the law applies to ALL businesses, large and small.

Do you know where your WISP is? A WISP is a Written Information Security Policy. It's not enough to follow the guidelines identified in the law; you must also have a written policy. The anniversary of the law going into effect is a good time to assess your own situation with respect to compliance.

The Massachusetts Data Protection Law includes the following requirements:

  1. Secure User Authentication Protocols  (use of strong passwords, and no passwords on post-its under your mouse pad!)
  2. Secure Access Control Methods (access to protected information needs to be restricted to those who need access to perform their jobs)
  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly (wireless networks must be encrypted, and NEVER send protected information via regular email).
  4. Reasonable monitoring of systems for unauthorized use of or access to personal information (Do you have a way to identify if someone is trying to access your network?)
  5. Encryption of all personal information stored on laptops or other portable devices (Newer laptops are encryption ready so you don't need extra software)
  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information  (all those updates we talk about every "patch Tuesday" are required by law!)
  7. Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis. (one of the key reasons we advise all clients to sign up for monitoring through managed services).
  8. Education and training of employees on the proper use of the computer  security system and the importance of personal information security (in our experience, the vast majority of problems we see are caused by users who don't fully understand security requirements and may inadvertently work around them).

In addition to complying with all these requirements, you also need to have a written policy that describes how you do this. We recommend keeping this as simple as possible, but it has to be written down. Do you know where your WISP is?

Tags: MA Data Security Law, 201 CMR 17.00, Security Requirements

8 Things to Know About the Massachusetts Data Security Law

Posted by Ann Westerheim on 3/28/13 9:32 AM

March is the anniversary of the Massachusetts Data Security Law, which went into effect March 1, 2010: 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth. The anniversary is a good time to refresh your team about the requirements!

The goal of the law is to help prevent identity theft and we all have a role to help.

Here are the eight technology requirements included in this law:

1.  Secure user authentication protocols including:

(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

Use of STRONG passwords is required (uppercase letters, lowercase letters, numbers, and symbols), and NEVER put your password on a post-it by your monitor, under your keyboard, or anywhere else that's easily accessible!

2.  Secure access control measures that:

(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

If an employee doesn't need access to personal information to do their job, make sure they can't get to it.  This is very important if multiple users share a system.

3.   To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted over a wireless network.

Do not email personal information. Instead, transmit it over an encrypted (SSL/TLS) connection to a secure website.

4.  Reasonable monitoring of systems, for unauthorized use of or access to personal information;

Are logs routinely checked?  There are several great tools to help you decipher server logs to get the information you need.
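As an added illustration of requirement 1(v) above (blocking a user ID after multiple unsuccessful attempts) and of requirement 4 (monitoring for unauthorized access attempts), the following Python script is example code written for this post; it is not from Ekaru, the IRS, or the Massachusetts regulation. The log line format, the threshold of five failures, and the ten-minute window are all assumptions, and the log lines themselves are constructed. It replays the log in order, locks an account once the threshold is reached inside the window, records any attempts that arrive while the account is locked, and tallies failed attempts per source address for a monitoring report.

```python
"""Added example: lockout-threshold check over constructed auth log lines.

Models two 201 CMR 17.00 items discussed in the post: 1(v), blocking a user ID
after multiple unsuccessful attempts, and 4, reasonable monitoring for
unauthorized access attempts. The log format, threshold and window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Assumed syslog-like format (constructed for this example; real formats vary).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) "
    r"(?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Assumed policy values: 5 failures within 10 minutes lock the account.
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)

# Constructed sample log: a burst of failures against 'alice', a single
# mistyped password by 'bob', and two widely spaced failures by 'carol'.
SAMPLE_LOG = """\
2019-07-25T08:00:01 Failed password for alice from 203.0.113.7
2019-07-25T08:00:04 Failed password for alice from 203.0.113.7
2019-07-25T08:00:09 Failed password for alice from 203.0.113.7
2019-07-25T08:00:15 Failed password for alice from 203.0.113.7
2019-07-25T08:00:21 Failed password for alice from 203.0.113.7
2019-07-25T08:00:30 Accepted password for alice from 203.0.113.7
2019-07-25T08:05:00 Failed password for bob from 198.51.100.2
2019-07-25T08:05:10 Accepted password for bob from 198.51.100.2
2019-07-25T09:30:00 Failed password for carol from 192.0.2.9
2019-07-25T09:45:00 Failed password for carol from 192.0.2.9
"""


def parse_line(line):
    """Return (timestamp, result, user, ip), or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.fromisoformat(m.group("ts")), m.group("result"),
            m.group("user"), m.group("ip"))


def evaluate_lockouts(log_text, max_failures=MAX_FAILURES, window=WINDOW):
    """Replay the log in order and apply the lockout rule.

    Returns (locked, blocked_events):
      locked         - {user: timestamp of lockout} for accounts that reached
                       max_failures failures inside the sliding window
      blocked_events - list of (timestamp, user, ip) for attempts, failed or
                       successful, that arrived while the account was locked
    A successful login clears the failure counter, but a lockout is never
    cleared here; in practice an administrator would reset it.
    """
    recent_failures = defaultdict(list)   # user -> timestamps of recent failures
    locked = {}
    blocked_events = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if user in locked:
            # Item 1(v): the user ID stays blocked regardless of the password.
            blocked_events.append((ts, user, ip))
            continue
        if result == "Accepted":
            recent_failures[user].clear()
            continue
        # Keep only failures inside the sliding window, then add this one.
        recent_failures[user] = [t for t in recent_failures[user] if ts - t <= window]
        recent_failures[user].append(ts)
        if len(recent_failures[user]) >= max_failures:
            locked[user] = ts
    return locked, blocked_events


def failures_by_source(log_text):
    """Item 4: count failed attempts per source address for a monitoring report."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            counts[parsed[3]] += 1
    return dict(counts)


if __name__ == "__main__":
    locked, blocked = evaluate_lockouts(SAMPLE_LOG)
    for user, ts in locked.items():
        print(f"LOCKED {user} at {ts.isoformat()}")
    for ts, user, ip in blocked:
        print(f"BLOCKED attempt on {user} from {ip} at {ts.isoformat()}")
    for ip, n in sorted(failures_by_source(SAMPLE_LOG).items()):
        print(f"{ip}: {n} failed attempts")
```

On the constructed log, 'alice' is locked at the fifth failure and her later correct password is recorded as a blocked attempt, 'bob' is never locked because his single failure is cleared by the successful login, and 'carol' is never locked because her two failures fall outside the ten-minute window. The per-source tally is the kind of summary a preparer could review routinely to satisfy the "reasonable monitoring" requirement without reading raw logs.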

5.   Encryption of all personal information stored on laptops or other portable devices;

Laptops MUST have encryption technology.  Other portable devices such as flash drives must also be protected.  Backup tapes (if used) must be encrypted.

6.  For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information. 

7.  Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

Do you know if your security patches and Antivirus definitions are up to date?

8.   Education and training of employees on the proper use of the computer security system and the importance of personal information security.

Users often break basic rules for “convenience” so they can get their work done faster. Ongoing education is needed!

In your next team meeting, review these requirements and make sure everyone understands the importance of compliance. For more information, visit the Massachusetts Office of Consumer Affairs and Business Regulation website. Give us a call if you'd like us to review your site security with you.


Tags: MA Data Security Law, 201 CMR 17.00, Security Requirements
