The IRS will begin enforcing new security, privacy, and business standards as of January 1, 2011. These standards are meant to better serve taxpayers and protect their personal information used by Online Providers of individual income tax returns who collect, process, and store taxpayer information. While these rules went into effect on January 1, 2010, there was a one-year enforcement grace period, which expired on December 31, 2010.
In summary, these new standards are intended to:
• Set minimum encryption and authentication standards for the transmission of taxpayer information over the internet;
• Require periodic vulnerability scans of the Online Provider’s network and electronic systems used for taxpayer data. These scans need to be conducted by independent third-party vendors in accordance with the applicable requirements of the Payment Card Industry Data Security Standards (PCIDSS);
• Require Authorized IRS e-file Providers to have a written information privacy and safeguard policy consistent with the applicable government and industry guidelines. This applies to Authorized IRS e-file Providers participating in the Online Filing of individual income tax returns that own or operate a Web site through which taxpayer information is collected, transmitted, processed or stored;
• Require Online Providers to have their Web site’s domain name registered with a domain name registrar that is located in the United States and accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). The domain name shall be locked and not be private;
• Protect against the bulk-filing of fraudulent income tax returns; and
• Require the reporting of security incidents to the IRS in a timely manner. Security incidents include the unauthorized disclosure, misuse, modification, or destruction of taxpayer information.
For purposes of these standards, an Online Provider is defined by the IRS as follows: “An Online Provider allows taxpayers to self-prepare returns by entering return data directly on commercially available software, soft- ware downloaded from an Internet site and prepared off-line, or through an on- line internet site. An Online Provider also chooses another Provider Option, either Software Developer, Transmitter, or Intermediate Service Provider as Online Provider is a secondary activity. Although an ERO may also use an internet Web site to obtain information from taxpayers to subsequently originate the electronic submission of returns, the ERO is not an Online Provider.”
For more information about these standards, visit the IRS’ web site at http://www.irs.gov/efile/article/0,,id=201195,00.html