Federal officials are urging Congress to do something to help the Internal Revenue Service better fight tax preparer data theft.

The Electronic Tax Administration Advisory Committee (ETAAC) – a panel whose members are appointed by the Secretary of Treasury – told Congress last week that the IRS needs to be able to do more to prevent cybercriminals from taking taxpayer information.

In its annual report to Congress (.PDF) the committee made several recommendations aimed at bolstering the tax system’s security and privacy posture.

The committee is urging the IRS to develop and execute a plan to research the state of information security practices and vulnerabilities in the tax professional community. It’s also encouraging Congress to grant the IRS legal authority to establish and enforce its own security standards, including "administrative, technical, and physical safeguards" and to implement "required education and training, and providing ongoing guidance."

One problem, the ETAAC points out, is that there's only been "limited progress" on its 2018 recommendations, something which has translated to more taxpayer information being exposed to cybercriminals "than it should or needs to be."

In last year’s report (.PDF) the committee recommended the IRS establish a common security standard, the IRS’ enforcement authority, and require security continuing education.

"Cybercriminals are smart, persistent and constantly probing for the weakest link. They have been increasingly targeting tax professionals who hold valuable taxpayer information,” one part of the 2019 report reads, “Most recently, the IRS reported a 29 percent annual increase in the number of data thefts reported by tax professionals through November 5, 2018."

The figure is based around the number of reports the IRS received from tax firms around data theft. During the 2018 tax filing season it received five to seven reports a week, 234 reports through November 5, an increase over 2017 when it received 182 reports over the same time span.

The ETAAC understands that there have been obstacles over the past year to overcome - a major tax law change, the United States federal government shutdown of 2018–2019, and resource limitations – but it places a large chunk of the blame on the fact that the IRS can't set its own requirements around security, at least around how it applies to a tax professional.

The IRS is hamstrung in a few ways here; the FTC Safeguards Rule doesn't apply to the business tax area - it's mostly focused on consumers and households - nor does the IRS have enforcement authority under the FTC Safeguards Rule.

To fix this the ETAAC says the IRS needs to better understand how to tax professional ecosystem works and how security practices, from large accounting firms to local offices of large national tax preparation firms to smaller tax practices, operate.

“Currently, there is no clear understanding of the state of affairs in tax professional security. This gap in understanding lends itself to 'one size fits all' solutions that will fail to achieve the desired outcome of improving tax professional security,” the report reads.

The ETAAC suggests that the IRS may want to form guidance based around the role that tax professionals play. The same requirements may not apply to a tax preparer as would apply to an employee who actually electronically files taxes, it suggests.

One of the ETAAC's roles is to provide an annual report to Congress on how the IRS is satisfying laws, like the Restructuring and Reform Act of 1998, and provide recommendations on any legislative changes that may be necessary to help the IRS better assist small businesses and the self-employed when it comes to e-filing their taxes. The ETAAC also regularly performs research into issues that affect electronic tax administration, like identity fraud and refund fraud.