Internal Revenue Service Outlines Critical Cybersecurity Safeguards to Protect Sensitive Data - McDermott Will & Emery

Internal Revenue Service Outlines Critical Cybersecurity Safeguards to Protect Sensitive Data



The Internal Revenue Service and the Security Summit partners recently issued a news release outlining the “Security Six,” a list of essential steps to protect stored employee information on networks and computers. Employee benefits professionals, including those who administer welfare and retirement plans for employees and beneficiaries, should review and implement the “Security Six” in order to protect sensitive data from cyberattacks.

In Depth


In recent years, cybercriminals have exponentially increased cyberattacks and continuously invent new ways to commit data and identity theft. Benefit plan sponsors and plan administrators often share and store sensitive employee data in order to administer benefit plans. Plan sponsors and fiduciaries must consider the importance of strong cybersecurity measures in order to safeguard sensitive personal data. If not, cyberattacks could result in account takeovers, identity theft and data integrity breaches.

On July 17, 2018, the Internal Revenue Service, state tax agencies and the private-sector tax industry—known as the Security Summit partners—released the “Security Six.” The “Security Six” are six basic safeguards designed to protect data that is stored on tax professionals’ computers and networks.

Key Aspects of the “Security Six”

The “Security Six” encourages professionals to implement the following protective measures: 1) antivirus software, 2) firewalls, 3) two-factor authentication, 4) backup software and services, 5) drive encryption and 6) a written data security plan.

Antivirus Software

Antivirus software scans files and a computer’s memory for specific patterns that may indicate the presence of malicious software, or malware. According to the US Computer Emergency Readiness Team, a division of the Department of Homeland Security, antivirus vendors discover new malware daily. This is why it is important for computer users to check regularly for the latest updates of antivirus programs.

Computer users should configure antivirus software to automatically scan specific files or directories in real time and create a prompt at set intervals for complete scans. If the antivirus software does not automatically scan new files, users should manually scan files and media received from an outside source before opening them. This process includes saving and scanning email attachments or web downloads rather than opening them directly from the source.


Firewalls protect against outside attackers by shielding the user’s computer or network from malicious or unnecessary network traffic. The advantage of hardware-based firewalls is that they are separate devices running their own operating systems, so they offer an additional line of defense against attacks when compared to system or host-level protections. Most operating systems include a built-in firewall feature that should be enabled for added protection even if using a hardware-based firewall.

Firewalls primarily help protect against malicious traffic, not against malicious programs, and may not protect the device if the user accidentally installs malware. The Security Summit reminded tax professionals that anti-virus software and firewalls cannot protect data if computer users fall for email phishing scams and reveal sensitive data, such as usernames and passwords.

Two-Factor Authentication

Many email providers now offer customers two-factor authentication protections to access email accounts. Often two-factor authentication means the returning user must enter credentials, plus another step, such as entering a security code to complete the process. Professionals should always opt for multi-factor authentication protection when it is offered on an email account or any other password-protected product.

Backup Software and Services

Professionals should routinely back up critical files to external sources. This means a copy of the file is made and stored either online as part of a cloud storage service or a similar product. Important files can also be copied to an external disk, such as an external hard drive that has multiple terabytes of storage capacity.

Drive Encryption

Professionals should install drive encryption software for full-disk encryption. Drive encryption, or disk encryption, transforms data on the computer into unreadable files for the unauthorized person accessing the computer. Professionals can also use a drive encryption that is a stand-alone security product and encrypt removable media, such as a thumb drive and its data.

Written Data Security Plan

The Security Summit also reminded tax professionals of other important steps, such as developing a written data security plan as required by the Federal Trade Commission and its Safeguards Rule. Revised IRS Publication 4557 includes security recommendations and can assist with creating a data security plan, and IRS Publication 5293 compiles data security information.

Impact of IRS Guidance on Retirement and Welfare Plans

Employees typically provide retirement plan record-keepers and service providers with significant personal information, such as the social security number, address, birth date, bank account information, retirement date, compensation information and asset balances. Similarly, welfare plan administrators store personal information on employees and dependents, including age, income and health history. If a cybercriminal obtains this information from a plan administrator’s computer or network, it can lead to identity theft for plan participants. Because of the important information maintained by retirement plans and welfare plans, they attract cybercriminals. Benefit plan sponsors and plan administrators should prudently follow the “Security Six” safeguards provided by the IRS and the Security Summit.


As cybercriminals continue to develop new methods to obtain sensitive personal data from the networks of professional offices, employee benefits professionals must be both proactive and reactive to new data security threats. It is crucial for employee benefits professionals to make sure they have implemented the “Security Six” safeguards. Installing strong firewalls, antivirus software, backup software, drive encryption, and developing a data security plan, will help protect the sensitive personal information stored on many professional office networks and computers.

We would also like to thank law clerk Charnae Supplee for contributing to this article.