Create a data security plan in five steps
October 19, 2021

Data security is a principal concern for tax professionals, who handle and store private financial information to prepare tax returns. Criminals are acutely aware of that fact, and they deploy a dizzying array of phishing scams across traditional and digital media to steal taxpayer data and commit identity theft tax refund fraud.

The persistent threat of data theft is just one reason every tax office needs a data security plan detailing how it intends to protect client information and mitigate data theft events. It’s also required by the Federal Trade Commission Safeguards Rule, which applies to all paid tax return preparers — regardless of office size.

Unfortunately, there isn’t a one-size-fits-all data security plan, and knowing where to start can be a significant stumbling block for tax offices. The good news is that breaking down the process into manageable steps can help get the ball rolling:

1. List all staff who handle client data

Begin by designating who will coordinate tax office data security, then create a list of all staff who handle client data. Depending on the size of the office, this might involve identifying each staff member’s responsibilities and the reason they need to interact with client information.

2. Organize office data by type and risk

Create a rubric to help assess the risks posed by the different types of information handled by the office. One axis lists information types, such as client contact information, client personally identifiable information (PII) and employee records; the other lists potential consequences, such as lost access, fines, legal fees and damage to reputation. Then assign each information type a score under each risk category.

3. Inventory devices, software and services that interact with client data

Consider everything in the office that stores, transmits, receives or otherwise handles client data, from smartphones and fax machines to desktop applications and cloud-based services. Then, note the type of data stored or processed by those devices and applications. Keep in mind that tax professionals are also responsible for ensuring all chosen service providers maintain appropriate safeguards.

4. Identify threats and vulnerabilities

List threats to client data and vulnerabilities of office systems, then rank them based on how damaging they could be to the business. Any event that results in losing, changing or destroying client data should be considered, including theft, accidental disclosure, natural disasters and intentional destruction.

5. Address threats and vulnerabilities

Prioritize threats and vulnerabilities, then schedule when each will be addressed; some may require more than one action to resolve. Preventing data theft, for example, might involve installing malware protection, enabling automatic security updates, using multi-factor authentication, and training employees to identify phishing scams and follow safe web-browsing practices. Just make sure to take care of immediate, high-risk threats first.

Once the tax office security plan is complete, it should be monitored, tested, evaluated and adjusted as circumstances change, from new staff to the latest phishing scams. Remember, if it’s going to help protect client data, it needs to be a living document.

For a free sample data security plan that breaks each of these steps into a separate worksheet, see “Easy Steps to Create Your Mandatory Tax Office Security Plan” on Drake Software’s website.

Information included in this article is accurate as of the publish date. This post is not reflective of tax law changes or IRS guidance that may have occurred after the date of publishing. All taxpayer circumstances are different, and NATP recommends contacting research services if you have specific questions about your clients’ tax situations.