New IRS e-file Security and Privacy Standards
The IRS has developed six new security and privacy standards to better protect taxpayer information collected, processed, and stored by Authorized IRS e-file Providers participating in Online Filing of individual income tax returns.
These new standards are based on industry best practices and are intended to supplement the Gramm-Leach-Bliley Act and the implementing rules and regulations promulgated by the Federal Trade Commission.
So, what does this mean for the average online tax filer? It means that the company you e-file through (TurboTax, efile, TaxACT, etc.) will have to adhere to stricter policies and standards regarding the handling of customer information.
Most of these policies seem to be standard precautions from a security perspective. However, I can certainly understand how a provider may be unfamiliar with the risk involved in handling such sensitive information. The six suggestions are mostly focused on tightening the security around the provider’s web presence: they call for strong EV SSL certificates (SSL 3, 1024-bit RSA), weekly third-party vulnerability scans, a written privacy policy, CAPTCHA-like capability, an ICANN domain name from a registrar located in the USA, and the prompt reporting of security incidents.
These are all good policies and are definitely a step in the right direction. The only issue I see is that these “standards” are currently optional: although the IRS suggests that providers follow them, they aren’t required yet. In a way, this defeats the purpose of having them in the first place.
