Backups For Sensitive Client Information – Security Six

Why Backups Are Critical for Tax Professionals

As a tax professional, your clients trust you with their most sensitive information—Social Security numbers, bank account details, and proprietary financial records. Losing any of this data can be catastrophic, leading to legal liabilities, IRS investigations, and irreparable damage to your reputation. Data loss can occur for many reasons: hardware failure, cyberattacks like ransomware, natural disasters (floods, fires), or even simple human error (accidental deletion).

To avoid these pitfalls, having a comprehensive backup plan isn’t optional—it’s mandatory. The IRS’s Security Six (Publication 4557) and the Safeguards Rule require tax preparers to maintain consistent backups and a contingency plan for data disruptions. Without a reliable backup strategy, you risk non-compliance, potential fines, and the loss of irreplaceable client data.


IRS Requirements for Backup and Contingency Planning

Backup Mandate in Publication 4557

IRS Publication 4557 explicitly mandates that tax preparers implement and maintain data backups. The fourth checklist item in Pub. 4557 requires:

  1. Contingency Plan: A documented procedure to follow when data becomes unavailable—whether due to hardware failure, malware, or another disruption.
  2. Consistent Backups: Regularly scheduled backups of all systems containing nonpublic personal information (NPPI)—tax-return files, accounting ledgers, scanned documents, email archives.

Failure to meet these standards can draw IRS scrutiny. During an audit or security review, you must demonstrate that:

  • Backups occur at a frequency aligned with your firm’s data volume (daily, if you enter new returns nightly).
  • Backup copies are stored offsite or in a geographically separate data center.
  • You’ve tested restores periodically to ensure you can recover from a real incident.

GLBA and the Safeguards Rule

Under the Gramm–Leach–Bliley Act (GLBA) and its Safeguards Rule, any “financial institution”—which includes tax preparers—must develop, implement, and maintain an information security program. A key pillar of that program is data backups:

  • Risk Assessment: Identify all systems that store NPPI.
  • Safeguard Deployment: Encrypt backups, restrict access, and monitor backup integrity.
  • Effectiveness Testing: Validate that backups can be restored without data corruption.
  • Periodic Review: Update procedures whenever you introduce new software or modify your IT environment.

Minimizing Risks to Data Loss: Proactive Strategies

Regular, Automated Backups

  • Frequency Aligned with Data Volume: If you process returns nightly during tax season, configure backups to run at least once per day—preferably after close of business.
  • Automated Scheduling: Use backup software (e.g., Veeam, Acronis, or cloud-native services) to schedule backups automatically, eliminating reliance on manual copying.
  • Retention Policies: Define how long to keep each backup. For instance, retain daily backups for 30 days, weekly backups for three months, and monthly archival backups for one year—aligning with any state or federal retention laws.
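
The tiered policy above (daily for 30 days, weekly for three months, monthly for one year) can be checked against a backup catalogue before any pruning job runs. The Python sketch below is an added example, not part of the original article or of any backup product; reading three months as 90 days, and taking the newest backup of each ISO week and calendar month as the weekly and monthly copies, are its assumptions.

```python
from datetime import date, timedelta

# Windows from the article's example policy. Reading "three months" as 90
# days and "one year" as 365 days is an assumption of this sketch.
DAILY_DAYS, WEEKLY_DAYS, MONTHLY_DAYS = 30, 90, 365


def classify(backups, today):
    """Return (keep, prune): keep maps each retained date to its tier.

    Assumption: the weekly copy is the newest backup in each ISO week and
    the monthly copy is the newest backup in each calendar month.
    """
    backups = sorted(set(backups))
    if backups and backups[-1] > today:
        raise ValueError(f"backup dated in the future: {backups[-1]}")
    newest_in_week, newest_in_month = {}, {}
    for d in backups:  # ascending order, so later dates overwrite earlier
        newest_in_week[d.isocalendar()[:2]] = d
        newest_in_month[(d.year, d.month)] = d
    weekly = set(newest_in_week.values())
    monthly = set(newest_in_month.values())

    keep, prune = {}, []
    for d in backups:
        age = (today - d).days
        if age <= DAILY_DAYS:
            keep[d] = "daily"
        elif age <= WEEKLY_DAYS and d in weekly:
            keep[d] = "weekly"
        elif age <= MONTHLY_DAYS and d in monthly:
            keep[d] = "monthly"
        else:
            prune.append(d)  # outside every tier: safe to expire
    return keep, prune


def demo():
    # Constructed input: one backup per night for the last 400 nights.
    today = date(2025, 4, 15)
    return classify([today - timedelta(days=n) for n in range(400)], today)


if __name__ == "__main__":
    keep, prune = demo()
    tiers = list(keep.values())
    print({t: tiers.count(t) for t in ("daily", "weekly", "monthly")},
          "prune:", len(prune))
```

Because the weekly and monthly copies are chosen as the newest backup that actually exists in the period, a failed Sunday or month-end job does not leave that period without a retained copy.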

Offsite and Offline Storage

  • 3-2-1 Backup Rule: Maintain three total copies of your data—two local (disk arrays, on-premises NAS) and one offsite (cloud storage or an encrypted external drive in a separate location).
  • Geographic Separation: Keep one copy in a remote data center or secure cloud repository (AWS S3, Azure Blob Storage, Google Cloud Storage). The other copy can be an offline external drive stored at a relative’s home or in a fireproof safe in a separate office.
  • Immutable Backups: Consider write-once-read-many (WORM) or object-lock features in cloud storage to protect backups from being altered or deleted by ransomware.

Human Error Safeguards

  • Role-Based Access Control (RBAC): Limit who can delete or modify backup jobs. Only senior IT staff or trusted partners should have backup-administration privileges.
  • Change Control Procedures: Require a documented ticket and two-person review before removing any backup schedule or altering retention settings.
  • Periodic Verification: Schedule monthly “test restores” where you recover random files (tax returns, financial spreadsheets) to ensure backup integrity.

Backup Protocols and Methods to Secure Tax Data

Online (Cloud-Based) Backups

  • Advantages:
    • Offsite replication: Your data automatically transfers to a secure data center.
    • Scalability: As your tax practice grows, add more storage without purchasing new hardware.
    • Redundancy: Cloud providers replicate data across multiple availability zones.
  • Disadvantages:
    • Dependence on internet connectivity and potential service outages.
    • Recurring subscription costs.
    • Potential risk if encryption keys are misconfigured. Always choose a provider that supports client-side encryption where only you hold the keys (zero-knowledge encryption).

Offline (Physical) Backups

  • Advantages:
    • No reliance on internet connectivity—ideal for rapid restores if you lose connectivity to cloud services.
    • Immune to remote hacking if stored in a secure, offline location (fireproof safe, deposit box).
    • Lower ongoing costs: Once you purchase an external drive or tape library, the expense is fixed.
  • Disadvantages:
    • Requires secure storage space—protected from fire, flood, or theft.
    • Manual rotation schedule: Someone must update these drives regularly (e.g., weekly or nightly).
    • Slower restore times compared to high-speed cloud restores.

Hybrid Backup Solutions

  • Best of Both Worlds: Many tax firms implement a hybrid approach—daily incremental backups to an on-premises NAS or tape system for quick restores, plus weekly full-image backups to a secure cloud repository for disaster recovery.
  • Replication Tools: Use software (e.g., Veeam, Bacula, or Windows Server Backup with Azure integration) that automatically copies on-premises backups to cloud storage, ensuring you always have both local and offsite copies.

Manual vs. Automatic Backups

  • Manual Backups:
    • Involves copying files (PST archives, scanned PDFs, tax return backups) to an external drive.
    • High risk: Relies on staff discipline; easy to forget or misplace drives.
  • Automatic Backups:
    • Scheduled jobs ensure nightly, incremental, and full backups occur without manual intervention.
    • Recommended for compliance: The IRS expects documented, consistent backup processes—automated logs provide audit trails.

FTC Data Protection Suggestions for Tax Professionals

The Federal Trade Commission (FTC) extends guidance under the GLBA Safeguards Rule. Adhering to these suggestions helps avoid regulatory penalties and data breaches:

  1. Identify and Secure All Sensitive Data Locations:
    • Physical Records: Store all paper returns and W-2s in locked, fireproof cabinets.
    • Digital Records: Maintain an updated inventory of servers, workstations, laptops, and external drives that house NPPI. Restrict access to authorized staff only.
  2. Protect Against Physical Threats:
    • Fireproof/Waterproof Cabinets: Archive physical backups and critical hardware in cabinets rated for fire and flood protection.
    • Environmental Controls: Ensure server rooms have smoke detectors, temperature/humidity sensors, and uninterruptible power supplies (UPS).
  3. Enforce Strong Access Controls for Computers:
    • Unique, Complex Passwords: At least 12 characters—mixed case, numbers, and symbols—for any account with NPPI access.
    • Multi-Factor Authentication: For any remote or privileged access to backup systems, cloud consoles, or administrative portals.
  4. Avoid Storing NPPI on Internet-Connected, Unsecured Devices:
    • Whenever possible, keep sensitive files on encrypted drives not directly accessible via the internet.
    • If using cloud Desktop-as-a-Service (DaaS) or remote file servers, ensure that robust endpoint security (EDR) and network-level MFA are enforced.
  5. Maintain Secure Backup Records Offsite:
    • Rotate physical backups (external hard drives, encrypted USBs) monthly, storing them at a secondary office, home safe, or safe deposit box.
    • Use tamper-evident seals or tape on backup media.
  6. Inventory and Monitor Hardware:
    • Maintain an up-to-date asset register—serial numbers, device models, and purchase dates for every computer and external drive.
    • Periodically audit that all devices are protected by encryption and have active antivirus/EDR software with current signatures.

Ransomware Threats and the Role of Backups

Why Tax Professionals Are Prime Ransomware Targets

Tax practices hold a trove of NPPI, making them high-value ransomware targets. Attackers infiltrate networks—often through phishing emails or exploiting unpatched vulnerabilities—and encrypt entire file shares. Once locked, they demand cryptocurrency ransoms (Bitcoin) for decryption keys. Paying a ransom offers no guarantee of recovery and can fuel further criminal activity.

Backups as the First Line of Defense

  • Immutable Backups: Use snapshot-based backups or cloud object storage with immutability features. Once data is written, it cannot be altered or deleted until the retention period expires—protecting against ransomware-encrypted backup sets.
  • Air-Gapped Copies: Maintain at least one copy of backups on an offline device (tape library or a drive disconnected from the network) to ensure attackers cannot lock or destroy them.
  • Recovery Testing: Quarterly, simulate a ransomware scenario by encrypting a test file, then restore from backup. Verify that the restored data is intact and not corrupted.

Machine-Level Recovery Points

  • Full System Imaging: Create nightly system images of your tax-preparation servers—OS, applications, configuration files, and NPPI. In the event of malware, you can restore the entire system to a known-clean state rather than rebuilding from scratch.
  • Versioning: Configure backups to keep multiple versions of critical files (tax returns, financial statements). This way, if malicious encryption occurs, you can roll back to an uninfected version from before the attack.

Protecting Your Data from Hardware Failures

Recognizing Hardware Failure as a Leading Threat

Hard drives, SSDs, and even entire RAID arrays can fail without warning. A single drive crash—whether mechanical on HDDs or electrical on SSDs—can render your primary data inaccessible.

Proactive Drive-Health Monitoring

  • S.M.A.R.T. Monitoring: Enable S.M.A.R.T. (Self-Monitoring, Analysis, and Reporting Technology) on all HDDs/SSDs. Use tools like CrystalDiskInfo (Windows) or smartmontools (Linux/macOS) to receive alerts when a drive’s error rates or reallocated sectors cross thresholds.
  • RAID Redundancy: For on-premises file servers, deploy RAID 1 (mirroring) or RAID 5/6 (parity) so that a single-drive failure does not incapacitate the system. Crucially, rebuild drives within 24 hours of failure to restore redundancy.
  • Replace Aging Drives: Implement a drive-replacement policy: retest drives older than three years and proactively replace them before failure grows likely.

Local and External Backups

  • Desktop and Laptop Backups: For each workstation—where you store tax documents temporarily—install backup software (Acronis True Image, Macrium Reflect) to create daily incremental and weekly full-image backups to a local NAS or USB drive.
  • External Media Rotation: If you use external hard drives, adopt a rotation schedule (label the drives Week 1, Week 2, etc.). After copying data, disconnect the drive and store it securely offsite, preventing simultaneous loss in a disaster.
  • Disk-to-Disk-to-Cloud (D2D2C): Configure on-premises backup software to first back up to a local backup server (D2D), then replicate that backup automatically to an encrypted cloud repository (D2D2C). Automating this “two-stage” backup reduces reliance on manual processes.

Ensuring Reliable Data Protection Through Best Backup Practices

Implement a 3-2-1 Backup Strategy

  1. Three Copies of Data:
    • Primary (live data on your tax server or workstations).
    • Secondary (local backup on NAS or external drive).
    • Tertiary (offsite backup in the cloud or a physically separate location).
  2. Two Different Storage Media:
    • Disk-based (RAID on-premises, external HDD/SSD).
    • Tape-based (LTO tape library) or immutable cloud snapshots (AWS S3 with object lock, Azure Blob immutability).
  3. One Offsite Copy:
    • Cloud-based (encrypted backups in a secure data center).
    • Physically removed (external drive locked in a fireproof safe at a different location).

Encrypt All Backup Data

  • At Rest: Use AES-256 encryption for disk-based backups and enable server-side encryption (SSE) for any cloud storage.
  • In Transit: Ensure your backup software uses TLS 1.2+ for all data transfers to the cloud or remote replication endpoints.
  • Key Management: Store encryption keys in a hardware security module (HSM) or a secure key vault—never on the same system as the backups.

Automate and Monitor Backup Jobs

  • Scheduled Backups: Configure backup jobs to run daily (incremental or differential) and weekly (full). Document the schedule in your WISP.
  • Notification Alerts: Set up email or SMS notifications on backup success—or, more importantly, on backup failures or missed jobs.
  • Restore Audits: Quarterly, perform a “Restore Drill” for a random set of tax-return files. Document that restores completed successfully within your planned Recovery Time Objective (RTO).
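
A restore drill of the kind described under Periodic Verification, Recovery Testing and Restore Audits only proves something if the restored files are compared with hashes recorded at backup time rather than with the live copies, which may themselves have changed or been encrypted. This added Python example (not from the original article) does that and checks the elapsed time against an RTO; the restore_fn hook, the file names and the 60-second RTO are hypothetical.

```python
import hashlib
import random
import shutil
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()  # chunk big files


def build_manifest(root):
    """Run at backup time: relative path -> SHA-256 of the known-good file."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in Path(root).rglob("*") if p.is_file()}


def restore_drill(manifest, restore_fn, scratch, k, rto_seconds, seed=None):
    """Restore k random files into scratch and verify them against the manifest.
    restore_fn(rel, scratch) is a hypothetical hook around the product's restore."""
    sample = random.Random(seed).sample(sorted(manifest), min(k, len(manifest)))
    started, failures = time.monotonic(), {}
    for rel in sample:
        try:
            restore_fn(rel, scratch)
            if sha256_file(Path(scratch) / rel) != manifest[rel]:
                failures[rel] = "hash mismatch"
        except OSError as exc:  # absent from the backup, or unreadable
            failures[rel] = f"restore error: {type(exc).__name__}"
    elapsed = time.monotonic() - started
    return {"sampled": sample, "failures": failures, "elapsed_s": elapsed,
            "passed": not failures and elapsed <= rto_seconds}


def demo():
    """Constructed data: three fake files, one corrupted inside the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        live, backup, scratch = (Path(tmp, n) for n in ("live", "backup", "scratch"))
        live.mkdir()
        scratch.mkdir()
        for name in ("smith_1040.pdf", "lee_1120.pdf", "ledger.csv"):
            (live / name).write_bytes(f"constructed sample {name}".encode())
        manifest = build_manifest(live)
        shutil.copytree(live, backup)
        (backup / "lee_1120.pdf").write_bytes(b"bit rot")  # simulated damage
        copy = lambda rel, dest: shutil.copy2(backup / rel, Path(dest, rel))
        return restore_drill(manifest, copy, scratch, k=3, rto_seconds=60)
```

The returned dictionary is the drill record: keep it with the date as evidence that the restore was tested.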

Maintain a Detailed Backup Inventory

  • Asset Register: Keep a running inventory of all backup devices—external drives, tape cartridges, cloud buckets, and NAS volumes. Record serial numbers, encryption key IDs, and retention dates.
  • Media Lifecycle Management: Track the age and usage cycles of all media. For tapes, retire any that exceed manufacturer’s recommended write cycles (e.g., 1,000 passes on LTO). For disks, replace after three years or when S.M.A.R.T. alerts indicate impending failure.

Develop and Test a Disaster Recovery Plan

  • Disaster Scenarios: Identify realistic events—server room flood, power surge destroying multiple drives, or ransomware locking your file server. Outline step-by-step procedures to restore operations.
  • Recovery Time and Recovery Point Objectives (RTO/RPO): Define how quickly you must restore services (RTO—e.g., within four hours of a major outage) and how much data loss is acceptable (RPO—e.g., maximum one day’s worth of returns).
  • Regular Drills: Biannually, simulate a full server restore from offsite backup. Validate network configurations, application installations, and database integrity. Update your DR plan based on drill outcomes.
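
Alerting only on failure notifications misses jobs that never ran, so the check below measures the age of the newest successful backup against the RPO instead, which covers both the failed and the missed jobs mentioned under Notification Alerts. It is an added Python example, not from the original article; the log layout, the job name and the one-hour slack are constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed job history in a made-up "timestamp job status" layout; every
# backup product has its own log or API schema.
SAMPLE_LOG = """\
2025-03-10T22:00:05 nightly-taxserver SUCCESS
2025-03-11T22:00:04 nightly-taxserver SUCCESS
2025-03-12T22:00:07 nightly-taxserver FAILED
2025-03-13T22:00:03 nightly-taxserver SUCCESS
2025-03-15T22:00:06 nightly-taxserver SUCCESS
"""


def parse_jobs(text):
    jobs = []
    for line in text.splitlines():
        if line.strip():
            stamp, job, status = line.split()
            jobs.append((datetime.fromisoformat(stamp), job, status))
    return sorted(jobs)


def rpo_violations(jobs, rpo, now, slack=timedelta(hours=1)):
    """List windows in which the newest good backup was older than the RPO.
    Each entry is (exposed_from, exposed_until, cause). slack absorbs normal
    start-time jitter and is an assumption of this sketch. Pass one job's
    records per call.
    """
    good = [t for t, _, status in jobs if status == "SUCCESS"]
    if not good:
        return [(None, now, "no successful backup on record")]
    found = []
    for prev, nxt in zip(good, good[1:] + [now]):
        if nxt - prev <= rpo + slack:
            continue
        failed = sum(1 for t, _, s in jobs if prev < t < nxt and s == "FAILED")
        cause = f"{failed} failed job(s)" if failed else "missed job, nothing logged"
        found.append((prev + rpo, nxt, cause))
    return found


def demo():
    now = datetime(2025, 3, 16, 9, 0)  # constructed "current time"
    return rpo_violations(parse_jobs(SAMPLE_LOG), timedelta(days=1), now)


if __name__ == "__main__":
    for window in demo():
        print(*window, sep="  ")
```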

Work with a Managed Service Provider (MSP) or Backup Specialist

  • Outsource Monitoring: MSPs can monitor backup health 24/7, apply timely patches to backup software, and notify you immediately of any failures.
  • Expert Guidance: A backup specialist will help you architect an optimal hybrid solution—balancing on-premises performance with offsite resilience—while ensuring IRS and FTC compliance.

By implementing a robust backup strategy—aligned with IRS Publication 4557, GLBA Safeguards Rule, and FTC recommendations—you safeguard your tax practice against data loss, maintain compliance, and protect your clients’ trust. Regularly test your backups, secure your backup media both online and offline, and stay vigilant against ransomware and hardware failures. With these best practices in place, you can ensure that your clients’ confidential data remains safe and available, no matter what challenges arise.
