Tax Preparers like all providers of personal financial services, are now required by law to inform their clients of their policies regarding privacy of client information. Tax preparers have been and continue to be bound by professional standards of confidentiality that are even more stringent than those required by law. Therefor, we have always protected your right to privacy.
Types of Nonpublic Personal Information We Collect
We collect nonpublic personal information about you that is either provided to us by you or we obtained by us with your authorization.
Parties to Whom We Disclose Information.
For Current and former clients, we do not disclose any nonpublic personal information obtained in the course of practice except as required or permitted by law. Permitted disclosures include, for instance, providing information to our employees and, in limited situations, to unrelated third parties who need to know that information to assist us in providing services to you. In all such situations, we stress the confidential nature of information being shared.
Protecting the Confidentiality and Security of Current and Former Clients’ Information.
We retain records relating to professional services that we provide so that we are better able to assist you with your professional needs and, in some cases, to comply with professional guidelines. In order to guard your nonpublic personal information, we maintain physical, electronic, and procedural safeguards that comply with our professional standards.
Please call if you have any questions, because your privacy, our professional ethics and the ability to provide you with quality financial services are very important to us.
Faust & Associates CPA’s PA (“Firm” / “we” / “our” / “us”) recognizes the importance of protecting client information and is committed to creating effective administrative, technical, and physical safeguards to protect client information from unauthorized access. We are a certified public accounting firm that provides: accounting, bookkeeping, compilation, tax, financial advisory, and consulting services to businesses, non-profits, and individuals> (the “Services”). In the normal course of business, we receive clients’ sensitive information, which may include social security numbers, tax identification numbers, bank account information, investment/brokerage statement numbers, and other confidential information.
In compliance with applicable federal and state laws, Faust & Associates CPA’s PA has developed this Written Information Security Plan (“WISP” or “Plan”)/Information Security Plan (“ISP” or “Plan”), which sets forth the Firm’s policy and procedures for evaluating and addressing the electronic and physical methods of accessing, collecting, storing, using, transmitting, and protecting client information.
Firm Governance and Compliance
Michael Faust (“Firm Representative”) is designated as the person who shall be responsible for overseeing and updating the <WISP/ISP/Plan> as needed. The Firm Representative reports directly to the shareholders. The Firm Representative may assign or delegate other Firm representatives to oversee and coordinate elements of the Plan. Any questions regarding the implementation of the Plan or with interpreting this document should be directed to the Firm Representative or his or her designees.
The Firm Representative will verify compliance with this policy through various methods, including but not limited to, periodic walkthrough, monitoring, testing, business tool reports, and internal audits. The Firm Representative will report all findings, regulatory and state security law changes, and any other information technology security–related matters directly to the Firm Executive Committee/etc.
Compliance with this policy is mandatory for all employees and independent contractors. Employees should notify their immediate supervisor or Michael Faust upon learning of suspected violations of this policy and the supervisor. Employees who violate this policy (including knowingly not notifying their supervisor or Michael Faust of such suspicions) will be subject to disciplinary action, up to and including termination of employment.
Safeguards for the Protection of Client Information
Our Firm has made reasonable efforts to identify potential internal and external risks to the security, confidentiality and integrity of client information that could result in the unauthorized disclosure, misuse, alteration, destruction, or other compromises of client information.
We have implemented the following safeguards for controlling risks associated with accessing, collecting, storing, using, transmitting, and protecting client information, including the handling and/or disposing of client information, whether in electronic, paper or other form. The first six items (the “Security Six”) were developed by the Internal Revenue Service as part of their “Taxes-Security-Together” Checklist:
Anti-virus software and anti-malware software.
Endpoint Security and Malware.
Firewalls for hardware and software.
Back-ups are made nightly and stored on tape and online backups.
All correspondence and client data is sent via Sharefile by Citrix.
All computer users at the Firm will have their own account and password.
Firm requires passwords to be at least 8 characters (including capital and lower-case letters, numbers and symbols).
Personnel will be prompted and required to update their passwords every 90 days.
Firm prohibits the sharing of accounts and/or passwords with others.
Firm prohibits personnel from using passwords previously used within one year.
An inventory of firm hardware is maintained and updated as needed that lists all hardware (laptops, phones, routers, printers, scanners, copiers, fax machines and other devices commonly used by Firm personnel) used by the Firm that may store client data. The inventory list will identify as appropriate the location, principal user, and any other information deemed necessary by the Firm as a reasonable safeguard to protect client information and comply with this policy.
The Firm maintains the following policies which are incorporated by reference into this document as they support the Firm’s commitment to creating effective protocols for protecting client information:
Record Retention and Destruction Policy (last updated on 01/01/2023), which sets forth the Firm’s protocols and procedures for the protection and physical security of all hard-copy files, electronic files, computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.
Confidentiality Policy (last updated on 01/01/2023), which sets forth the nature and extent of Firm members’ obligations to hold in strict confidence all client-related information.
Cyber insurance coverage.
The Firm maintains insurance coverage for cyber matters. Questions regarding insurance coverage, cyber resources, and/or the requirements for reporting matters to the insurance carriers should be directed to Firm Representative.
Third-party service providers.
The Firm Representative is responsible for overseeing and monitoring compliance with the Firm’s procedures and safeguards for the sharing of client information with third-party service providers. We maintain internal procedures and safeguards to protect the confidentiality of client information and, as such, it is the Firm’s protocol to secure confidentiality terms with all service providers and to take reasonable precautions to determine that they have appropriate procedures in place to prevent the unauthorized release of client confidential information to others. If the Firm is unable to obtain appropriate confidentiality terms with a third-party service provider, prior to the release of any confidential client information to such third-party service provider the Firm will require written client consent.
FTC’s Safeguard Rules Checklist
In addition to the safeguards noted above, the Firm Representative is also responsible for monitoring and updating the Firm’s Safeguards Rule Checklist, which is incorporated by reference in this Plan in the Addendum. The Safeguards Rule Checklist tool was disseminated by the FTC, promulgated by the IRS in Publication 4557, Safeguarding Taxpayer Data (Rev. 7-2021), and adopted for use by the Firm. The tool is designed to help track the Firm’s compliance efforts with three additional key areas of risk that are important as they relate to information security in relevant areas of our operations: Employee Management and Training; Information Systems; and Detecting and Managing System Failures.
Employee Management and Training
All Firm Partners/Shareholders, Managers, Supervisors and Seniors are tasked with supporting the Firm Representative to ensure that all personnel are aware of and comply with this Plan and other applicable policies and procedures. This includes, but is not limited to, developing and applying appropriate performance standards, training curriculum, and control practices and procedures designed to provide reasonable assurance that all employees understand and support the Firm’s commitment to safeguarding client information. Refer to the Firm’s responses to specific compliance efforts noted on the Firm’s Safeguards Rule Checklist.
The Firm Representative works closely with the Firm’s technology team to assess and mitigate through applicable policies and procedures the risks associated with the Firm’s information systems, including network and software design; information processing; and the storage, transmission, and disposal of client information. Refer to the Firm’s responses to specific compliance efforts noted on the Firm’s Safeguards Rule Checklist.
Detecting and Managing System Failures
The Firm takes reasonable steps to deter, detect and defend against security breaches as noted on the Safeguards Rule Checklist. In addition, the Firm has an Incident Response Plan that addresses protocols in the event of a suspected breach to ensure timely and appropriate responsiveness.
In consideration of our Firm’s size and complexity, the nature and scope of the professional services we render to our clients, and the sensitivity of the information we collect, the Firm has determined that compliance with this Plan meets known current regulatory and legal requirements.
Not each of these recommendations will apply to circumstances found in tax preparer offices, but they still provide a good guide for the creation of a security plan and reinforce IRS recommendations that tax professionals establish strong security protocols.