security

1 NTC/TCS Training Dallas 2010 Updated for NY State 2010 Security

Upload: nixie

Post on 04-Jan-2016

TRANSCRIPT

Page 1: Security

Security

Page 2: Security

• Unintentional disclosure of private information is rising
• Laptops are a favorite target for thieves
• Laptops are not the only way sensitive data is lost, but laptops are easy to steal, easy to sell

Page 3: Security

Responsible organization must assume the worst if data is lost or stolen, and notify:
• Clients in certain circumstances
• Regulatory bodies
• AARP Tax-Aide organization levels

Page 4: Security

From IRS Publication 4299:

As a condition of IRS loaned equipment, the recipient of loaned equipment agrees to notify SPEC within 48 hours if equipment is lost or stolen. Partners are asked to provide the following:
• Serial number, Make, and Model of computer
• Description of what occurred
• Taxpayer data at risk (include number of records)
• Was computer encrypted?
• Did the computer have a strong password? (Describe password make-up)
• Was or will taxpayers be notified of theft/loss? (if notified, method used)

Page 5: Security

New York General Business Law § 899-aa (Paraphrased):

Any person or business which maintains computerized data which includes private information which such person or business does not own shall notify the owner or licensee of the information of any breach of the security of the system immediately following discovery, if the private information was, or is reasonably believed to have been, acquired by a person without valid authorization.

"Private information" shall mean personal information consisting of any personal information combined with SS #, or account numbers with access codes, or credit cards, etc., when either the personal information or the data element is not encrypted, or encrypted with an encryption key that has also been acquired.

Page 6: Security

New York General Business Law § 899-aa *; State Technology Law § 208:

The (loss of data) notice must contain a description of the categories of information breached and be issued to the affected persons by one of the following methods: a) written notice, b) electronic notice, or c) telephone notification. The entity must also inform the Office of the NYS Attorney General, the Consumer Protection Board and the NYS Office of Cyber Security & Critical Infrastructure Coordination of the timing, content and distribution of the notices and approximate number of affected persons.

Page 7: Security

• Remember that in addition to name, address, and Social Security Number, the data can include bank routing and account numbers.
• This year in the AARP Tax-Aide program there were:
  • Three laptops reported stolen/lost.
  • One missing form.
  • Three lost flash drives.

Page 8: Security

• One potential identity theft letter was sent out to a taxpayer where the form was lost.
• IRS Pub 4299 has examples of high risk (e.g. lost papers or a lost computer with passwords written on paper in the case) and low risk (e.g. lost computer with encryption and strong passwords) situations.

Discuss the situation with your IRS SPEC to decide whether taxpayer notice is needed.

Page 9: Security

• Read the Security and Confidentiality Section in the Policy Manual
• It is divided into three sections:
  • Data Security
  • Physical Security
  • Reporting a loss

Page 10: Security

Physical Security
• Forms (W-2s, 1099, TaxWise forms/documents)
• Computer Storage
  • Do not store computers in your car or leave unattended in a visible area of a car.
• Site set-up
  • Keep clients from hearing or seeing other clients' information.

Page 11: Security

QUESTIONS???????