Services
Tax Accounting Payroll Advisory             Our Offices

View Padgett President Roger Harris' congressional testimony on the impact of the Corporate Transparency Act and the BOI reporting requirements here.

Find an office
Skip to main content

A CPA’s Nightmare: Lessons Learned from Navigating a Data Breach During Tax Season

In the world of tax professionals, there’s a saying: “It’s not a matter of if, but when.” This adage, once reserved for IRS audits, now applies to a far more menacing threat: data breaches.

Tax firms possess a trove of sensitive client information, including Social Security numbers, bank account details, and past tax returns. This comprehensive data makes tax professionals prime targets for cybercriminals looking to commit identity theft and file fraudulent returns.

In this Federal Tax Updates podcast episode, Roger Harris interviews Catharine Madeley, a CPA from Austin, Texas, who shares her firsthand experience of a data breach at her firm. Catharine’s story underscores the urgent need for tax professionals to prioritize cybersecurity in an evolving threat landscape.

This article explores why tax professionals are prime targets for cybercriminals, the real-world consequences of a data breach, and how practitioners can effectively prevent, detect, and respond to cyber incidents.

The Consequences of a Data Breach

Catharine shared the details of the breach at her firm, which occurred right before the September 15th filing deadline, one of the busiest times for tax professionals. The breach’s timing amplified Catharine’s already immense stress and workload, forcing her to navigate the incident response while still serving clients.

The impact of a data breach extends far beyond the initial incident. A breach can erode client trust, lead to legal liability, and threaten the very existence of a tax practice.

Catharine’s firm had to dedicate significant time and resources to investigate the scope of the breach, communicate with affected clients, and implement protective measures. The personal toll was also substantial, with Catharine barely sleeping for a month as she juggled the incident response with her normal workload.

Shifting the Mindset on Cybersecurity

Many tax professionals treat data security as a mere checkbox exercise rather than a critical, ongoing priority. As Roger notes, “We’re all aware that when we renew our PTIN, we have to check a box saying we’re supposed to have a written plan. But I think sometimes we don’t take it seriously. We write a plan to have a written plan, not to have data security.”

To navigate the evolving threat landscape, practitioners must embrace cybersecurity as an ethical imperative and invest in robust measures, response plans, and continuous education. This involves:

  • Implementing strong technical controls, such as encryption, firewalls, and multi-factor authentication
  • Regularly training staff on cybersecurity best practices and phishing awareness
  • Developing and testing incident response plans to ensure prompt, effective action in the event of a breach
  • Staying informed about emerging threats and trends through continuous learning and collaboration with cybersecurity experts

Responding to a Breach with Transparency and Expertise

After her firm’s breach, Catharine followed her written security plan, immediately contacting insurance, law enforcement, and the IRS. She recounts, “Stepping back, the first call I made was to insurance. I also went down that written information security plan list: call your state attorney general, call law enforcement, call the IRS.”

Catharine’s cyber insurance provided access to expert resources to investigate the breach and guide her response, underscoring the value of proactive preparation. Catharine maintained trust and strengthened relationships amid the incident by transparently communicating with clients and offering guidance on protective measures.

Catharine’s experience also highlights the importance of leveraging the IRS’s identity theft resources for tax professionals. By promptly registering exposed taxpayers with the IRS, firms can prevent fraudulent returns and protect clients and themselves.

Safeguarding Your Practice in the Face of Evolving Threats

Catharine’s story is a powerful reminder that no tax professional is immune to cybersecurity threats. To protect sensitive client data and uphold public trust, practitioners must shift their mindset, prioritizing cybersecurity as an ongoing, top-level concern.

As the cybersecurity landscape continues to evolve, tax professionals have a choice: view data security as a burdensome requirement or embrace it as an opportunity to strengthen client relationships and differentiate their services. By choosing the latter, practitioners can protect taxpayers and uphold the profession’s integrity.

Listen to the complete Federal Tax Update podcast episode to learn more about Catharine’s experience and gain valuable insights for safeguarding your practice.

New final rule on independent contractors takes effect in March

It’s safe to say that independent contractors or “gig workers” are firmly ensconced in the U.S. economy — especially in certain industries. And we don’t mean only those helpful folks who drop off dinner at the front door or give you a ride home from the restaurant.

Nay, many kinds of independent contractors are available to serve employers, too. They can provide expertise for special projects or fill short-term positions to get your organization through busy times without having to incur hiring costs. Moreover, you don’t need to remit payroll taxes on independent contractors’ compensation, nor must you provide gig workers with fringe benefits. What’s not to like, right?

A moving target

Enter the U.S. Department of Labor (DOL). It has long been on the lookout for employers that, in the agency’s view, misclassify employees as independent contractors. If the DOL successfully makes a case for employee misclassification, the employer in question may be on the hook for substantial back wages, penalties and interest. There can be other legal repercussions as well.

To enforce employee classification, the DOL relies on a final rule that determines whether a worker should be classified as an employee or independent contractor under the Fair Labor Standards Act (FLSA). In recent years, however, the final rule has been a moving target pushed one way or the other by whichever presidential administration is in power.

For example, the final rule set forth during the Obama administration was considered relatively tough on employers. Under what was referred to as the “totality-of-the-circumstances” test, the DOL and courts applied at least five factors to making the employee vs. independent contractor determination, with no single factor controlling.

The Trump administration then revised the final rule to look more broadly at whether, as an “economic reality,” workers are:

  • Dependent on their employer for work, which would generally make them employees, or
  • In business for themselves, which would generally make them independent contractors.

This was regarded as a more employer-friendly version.

6 critical factors

Now, during the Biden administration, the final rule has changed yet again. In October 2022, the DOL proposed regulations that would bring back the totality-of-the-circumstances test with its multiple factors. On January 9, the DOL announced issuance of final regs that rescind and replace the previous regs. The final regs also make some adjustments and clarifications to the proposed regs but still focus on multiple factors — six, to be exact — to determine whether a worker is an employee or independent contractor:

  1. The worker’s opportunity for profit or loss,
  2. Investments by the worker and employer,
  3. The degree of permanence of the work relationship,
  4. The nature and degree of control of work performance,
  5. The extent to which the work is an integral part of the employer’s business, and
  6. The skill and initiative required for the work.

The final rule officially takes effect on March 11, 2024.

Legal challenges possible

The DOL contends that the new final rule protects vulnerable workers who may be misclassified as independent contractors by employers looking to dodge the rules regarding minimum wages and overtime as well as the protections of the FLSA, all of which are applicable to employees. However, many industry groups believe it’s too restrictive, so legal challenges are possible.

As an employer, you may want to review the independent contractor agreements you have in place, along with any prospective ones, in consultation with your attorney. Padgett can help you identify and analyze all the costs and tax implications associated with hiring employees vs. engaging gig workers. Get in touch with us today to get started.

We encourage you to contact us with any questions.

This field is for validation purposes and should be left unchanged.