|From: David Paas
Sent: Friday, October 05, 2001 6:14 PM
These comments concern the proposed rule on Standards for Safeguarding Customer Information published in Federal Register at 66 FR 41162 (August 7, 2001). The authors of these comments are Prof. David Paas, J.D., Ph.D., of Hillsdale College, Hillsdale, Michigan, and Ms. Angela Popko, an accounting major at Hillsdale College. The comments below are the personal opinions of the authors and are not the opinions of Hillsdale College. Paragraphs 1 - 7 set the background for the comments. This background assumes certain facts which the commentators believe to be true. Subsequent paragraphs use these facts to critique the proposed Safeguards Rule.
1. These comments examine the likely effects of the proposed Safeguards Rule on small tax preparers. These comments may also apply to similar parties such as accountants and attorneys who engage in tax return preparation on a limited basis. Tax preparers are explicitly covered by the final rule on Privacy of Consumer Financial Information found at 16 CFR Part 313. The proposed Safeguards Rule adopts the scope definitions of the privacy rule, so tax preparers will be covered by the Safeguards Rule.
2. Internal Revenue Service statistics indicate that an increasing number of tax returns are prepared by paid tax preparers instead of the taxpayer. The tax preparation industry in the United States is divided between the large tax preparation concerns (such as H&R Block), accounting firms of varying sizes, law firms, and individual tax preparers. The I.R.S. also lists on its website a number of online companies which allow taxpayers to fill out and electronically file tax returns seemingly without the assistance of any tax preparer.
3. The Yellow Pages of most telephone books disclose a large number of tax preparers who are individuals. They often list themselves as both tax preparers and bookkeepers. Most do not list themselves as either a corporation, limited liability company or limited liability partnership. This may indicate that small tax preparers are not necessarily sophisticated business people. Since tax preparation is a seasonal industry, it is likely that these tax preparers operate very small businesses and often supplement their incomes from activities outside the scope of the proposed Safeguards Rule. It also seems likely that most small tax preparers operate without clerical assistance. The operation probably consists of a single preparer with a computer, tax preparation software, and an electronic filing account with the I.R.S. These preparers may keep both electronic and paper copies of tax returns and supporting materials.
4. Section 6107 of the Internal Revenue Code requires that tax preparers retain tax return information of clients. This may consist of either a copy of the return itself or a list of clients along with their taxpayer identification numbers. Tax preparers must disclose copies of the returns or copies of the list to the I.R.S. when requested to do so. One of the authors of this comment has seen the records of a number of tax preperers. All of these preparers have retained a copy of the return of the client along with copies of supporting documentation. None of the preparers kept just the list of names and taxpayer numbers.
5. The amount and kind of supporting materials retained by many tax preparers can be significant. This information can be sensitive, personal and detailed. Tax preparers have access to client information which often exceeds the information available to banks and credit reporting companies. For example, if a client wishes to claim a medical expense deduction on Schedule A of Form 1040, the tax preparer is required to have evidence of the type and amount of the expense before taking the deduction on the return. The Internal Revenue Code has a number of penalties which apply to tax preparers who fail to substantiate such deductions. The nature of the substantiation is often a copy of the medical bills of the client. These bills along with other supporting material usually disclose extremely private information about the client and can be used to deduce the lifestyle of the client. Other items of income, deductions and credits easily fall within this category of highly private personal information. Tax preparers sometimes retain copies of medical bills and other evidence of deductions to protect themselves in case of an audit.
6. Tax preparers in the United States are not required to be certified, registered or belong to a professional organization (with the exception of California and Oregon which impose some such requirements). Tax preparers are not required to have an advanced degree. There is in fact no education requirement for tax preparers who prepare and file returns and have no desire to represent clients before the I.R.S. This is almost certainly an efficient solution. Many taxpayers who file simple returns such as Form 1040EZ or 1040A use tax preparers either from an abundance of caution or simple anxiety. Any certification or education requirements would inevitably increase the costs to taxpayers without added benefits. But this means that the average small tax preparer has no contact with a professional organization which can advise the preparer of new or changing industry standards.
7. A final Safeguards Rule in a form similar to the proposed Rule could establish a standard of care regarding the security of tax return information. A small tax preparer who violates the final Safeguards Rule could find himself or herself sued for negligence by a client who was damaged as a result of unauthorized access to the client's return information. The Safeguards Rule could easily be viewed by a court as establishing a negligence per se standard of care.
8. The first problem with the proposed Safeguards Rule is how the FTC plans to inform small tax preparers of the requirements of the Rule. The intention of the proposed Safeguards Rule is to increase the security of financial information and does not seem aimed at punitive measures against tax preparers. But small tax preparers are highly unlikely to be aware of the Safeguards Rule. Small tax preparers may visit the I.R.S. website, but they are unlikely to access the F.T.C. site at all. It is almost guaranteed that small tax preparers do not read the Federal Register website with any frequency. It might be wise to request the assistance of the I.R.S. in publishing information about a final Safeguards Rule (as well as the Privacy Rule). References to the Safeguards Rule on the I.R.S. website would be appropriate, as well as references in some of the paper forms and publications of the I.R.S.
9. The Background discussion of the proposed Safeguards Rule indicates a desire to be flexible with regard to small businesses. Many tax preparers qualify as small businesses. But there is a problem. The proposed Rule provides that the information security program should be appropriate to the size and complexity of the institution, the nature and scope of its activities, and the sensitivity of the consumer information at issue. The first factor on size and complexity can be viewed as allowing small tax preparers more leeway than larger firms, but the last factor militates against leeway for any tax preparers. Tax preparers have access to extremely sensitive consumer information and often retain copies of such information in their files. Is it the intention of the proposed Rule to allow size of an institution to "trump" the other requirements so that small tax preparers have leeway in spite of the sensitivity of the information? If this is not the intention of the references to flexibility, then perhaps the range and nature of the flexibility needs to be characterized in detail.
10. Even if flexibility is taken seriously, there are some ways to solve flexibility problems under the proposed Safeguards Rule which are unacceptable under the Internal Revenue Code. Take the example of medical expense deductions on a tax return. The tax preparer could return to the taxpayer all supporting documentation for the deduction. The tax preparer would have only the total dollar amount of the deduction in its records. Flexibility for small businesses might mean that a small tax preparer has done enough in this situation to satisfy the Safeguards Rule. But no tax preparer should accept this solution under the Internal Revenue Code. The Code requires substantiation for deductions and tax preparers are personally liable for returns which contain unsubstantiated deductions. Preparers will want to keep copies of the medical bills as proof that the preparer had substantiation at the time the return was filed.
11. Section 314.4 of the proposed Safeguards Rule provides that a tax preparer "shall" designate an employee or employees to coordinate the preparer's information security program. How is this to be done in a realistic and effective fashion when the tax preparer is self-employed and has no employees? Should the person prepare a letter addressed to himself or herself? And who do you designate other than yourself? If this requirement is waived for the self-employed, then it probably should be explicit.
12. The proposed Safeguards Rule also requires that the small tax preparer identify reasonably foreseeable internal and external risks to the security, confidentiality and integrity of customer information. Large firms with multiple employees have faced risks of the kind contemplated by the Safeguards Rule for many years. Such firms have at least some idea how to evaluate the risks and implement safeguards. But what about the small tax preparer? Suppose the tax preparer works out of a small office in the preparer's home using a computer with a connection to the internet so the preparer can electronically file tax returns. The computer will store tax return information. Some information may also be retained in paper form in a filing cabinet. What kind of risk assessment is appropriate or required by the Safeguards Rule? Should the tax preparer consider the possibility of a burglar entering the home and going through the files? Or a minor child of the tax preparer using the computer to write a school paper or play games and accessing tax return information? What other risks are there? Small tax preparers do not seem to have the risks of larger firms, such as employees accessing files with some sort of malicious intent. Other risks such as burglary seem to be obvious, but the frequency of the risk may not be easily determined by the tax preparer. And many people do reasonable things to protect themselves from burglary without a formal safeguards evaluation process such as carrying insurance. Does the small tax preparer have to consciously evaluate such risks anyway? Is the cost of such an evaluation process outweighed by the benefits gained? Could it be that carrying insurance is sufficient? What about the fact that homeowners do not want to be burglarized in the first place and can be expected to maintain reasonable security to protect their families? Is that enough to satisfy the Safeguards Rule? Or is a formal risk evaluation process required?
13. Computerized tax return preparation and electronic filing present unique and interesting risks, but it is highly doubtful that small tax preparers can either assess the risk or take any useful steps to eliminate them. For example, there is currently some state court privacy litigation involving a spouse who installed spy software on a home computer to gather evidence for a divorce proceeding. The risk of such spy software being installed is very small for most people, especially if the computer owner has no suspicion that the marriage is troubled. But the spy software would give an outsider access to the information on the computer including tax return information of tax clients. Similar problems arise with respect to electronic filing of tax returns. The tax preparer must have an account with an internet service provider such as AOL. Some internet service providers are notorious for lack of security. Is the tax preparer supposed to assess the risk of security breaches at the internet service provider? What if there is only one internet service provider available in the area? The lack of available providers is notorious in many small towns and farm communities.
14. The proposed Safeguards Rule also requires that a covered person design and implement safeguards and regularly test or monitor them. Large companies experience computer hacking and an entire industry has developed to assist these companies in avoiding such problems. But these solutions do not seem to be easily applied to small tax preparers. What is the tax preparer to do with paper tax returns and accompanying paper data? The commonsense approach is to keep the paperwork in a filing cabinet and under some sort of lock. It is doubtful that small tax preparers will have more than one or two filing cabinets for clients. Is it really necessary to have a formal risk assessment with regard to two filing cabinets followed by a written set of safeguards? Moreover, the written safeguards would probably contain procedures as simple as keeping the files locked when not in use. Finally, how is the tax preparer to test or monitor the effectiveness of these safeguards? Ask your children to attempt to break the locks?
15. What about safeguards for tax preparers who use computers and electronically file returns? It is likely that most small tax preparers are unsophisticated about computers except for the tax software they purchased. Most will have no concept of cookies, virus protection, and firewalls. But these seem to be the very issues which safeguards address in the area of computer usage. It would normally be too costly to hire a consultant for a tax preparer who uses a home desktop computer for four months each year to do tax return preparation. The likelihood of a computer break-in is probably too small to warrant the expense. Is it satisfactory to purchase commercially available firewall software such as Norton or McAfee? And if such a purchase satisfies the Safeguards Rule, how often is the tax preparer to update the software? If this is not enough, then what more is required?
16. The proposed Safeguards Rule also requires that the tax preparer test whatever system is installed. But how to do this? Again, the cost of hiring a hacker (even a local teenage computer whiz) could be too high compared to the likely benefits. Any checking of a safeguards system will likely be done by the tax preparer alone. But how do they accomplish a check to see if client data was tampered with? Most tax preparers will be too unsophisticated to discover tampering until the particular data is accessed during a client interview or an I.R.S. audit. But that means the safeguards have failed.
17. The proposed Safeguards Rule also requires that a person oversee service providers such as affiliates. The proposed Rule also requires some sort of contractual agreement by the service provider to protect customer information. Such contracts can probably be negotiated by large firms which prepare taxes such as the major accounting firms, but a small tax preparer can hardly expect a service provider to individually negotiate protection for information. Large firms generate significant fees for service providers, but small tax preparers do not. Small tax preparers have no leverage with service providers. Moreover, the major service provider for small tax preparers will be the internet service provider used to electronically file tax returns. How does the small tax preparer oversee AOL or Microsoft? While sensitive customer information will be transmitted through AOL or Microsoft computer systems to the I.R.S., there is small chance that either AOL or Microsoft will alter its operations for small tax preparers.
18. Finally, some professionals in the tax area do a small number of returns every year for close friends and relatives at little or no charge. These preparers will retain copies of returns and other data. How do the Safeguard Rules apply to them? It seems that if the proposed Rule will apply to them, then these returns will simply not be done anymore. At least a rational tax preparer should seriously consider refusing to do such returns in the future without a significant fee being charged. But is such a result efficient? The likelihood of a security breach at small tax preparers has to be as small as the preparer. If the Safeguards Rule applies to such transactions, then its application should be minimal.
19. It is our belief that the proposed Safeguards Rule creates significant problems for the small tax preparer which outweigh the benefits to be gained from the proposed Rule. Many tax preparers in the United States are self-employed, do not have a separate office away from home, and do not have the ability to conduct elaborate analyses of their operations. To our knowledge, the I.R.S. does not seem to be dissatisfied with the quality of the tax returns filed by such preparers. It our guess that the proposed Safeguards Rule will be ignored by a significant number of such small tax preparers. Other preparers may find it easier to abandon their business.
20. Perhaps another rule could be implemented for the small tax preparer. We are not advocating that small tax preparers be exempted from the requirement that sensitive customer information be protected. The Internal Revenue Code already contains sections imposing civil and criminal penalties on tax preparers who disclose tax return information. State privacy statutes and tort law also apply to tax preparers. But requring a formal letter of appointment of a responsible employee plus an analysis of risks seems beyond what small tax prepares can actually accomplish. Perhaps small tax preparers should be told in the Safeguards Rule that they must actually have in place reasonable safeguards to protect sensitive customer information. The Rule could also list some of safeguards which are acceptable such as firewall software for electronic filing purposes. The Rule could then go on to specify that a tax preparer who expands its operations and becomes bigger would ultimately be subject to the full panoply of the Safeguards Rule including designation of a responsible employee and a formal analysis of risks. It might also be necessary to publish a guide for small businesses so they know what to do under a final Safeguards Rule.
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp