IOOGO Inc. – Commitment to Protecting Customer Data
Published as of January 1, 2019
- Overview and Purpose:
The purpose of this Security Policy is to have certain policies in place to safeguard taxpayer or client data, and to ultimately protect against tax-related identity theft. In order to stay up to date and to keep this Security Policy responsive to the latest cybersecurity threats, we have designated Kristy Campbell, our Chief Operating Officer, to periodically (at least once every six months, and more frequently as needed) review the standards contained herein. Such employee will also evaluate the effectiveness of the safeguards in place for controlling risks to taxpayer data, and revise this policy as necessary.
- Risk Identification and Assessment:
Although we are a small business, our clients entrust us with extremely sensitive information. The main risk to our business as tax preparers is the unintentional misuse of taxpayer data and identity fraud. When evaluating service providers, we ensure that any contract with said service provider will include a covenant requiring the service provider to maintain proper data safeguards and oversee any customer information that such service provider may come into contact with, in compliance with the Safeguards Rule.
- Commitment to Continuing Compliance:
As mentioned in Section I, we will regularly evaluate and adjust this Security Policy and related safeguards, on a continuous basis and at regular intervals. Certain extraordinary events, such as material changes in our business or our operations, may prompt a redrafting of the Security Policy to reflect any such change. We view our commitment to security as ongoing, and this Security Policy will be updated as such.
- Security and Privacy Standards for e-Filers
In accordance with the security and privacy standards laid out in IRS Publication 1345, IOOGO has in place the following standards and procedures (as of the date of publication of this Security Policy, January 1, 2019):
- Extended Validation SSL Certificate;
- External Vulnerability Scan;
- Information Privacy and Safeguard Policies (this Security Policy);
- Website Challenge-Response Test;
- Public Domain Name Registration; and
- Reporting of Security Incidents.
- Workplace Safeguards and Standards:
In addition to our commitment to protect taxpayer data on the back end, we also have measures in place to ensure that our employees understand how to properly handle sensitive client data. Specifically:
- We will screen and perform background checks before hiring potential employees for a role that handles or has exposure to customer information.
- New employees will be required to sign an agreement agreeing to abide by our confidentiality and security standards for handling customer information.
- Customer information will be shared with employees on a need-to-know basis.
- Employee-created passwords will be required to comply with IRS guidelines by having more than 8 characters, including a mix of upper- and lower-case letters, numbers, and certain symbols.
- Employees that transmit customer information electronically will be required to adhere to stricter policies to ensure that these transmissions are not made in error.
- Employees who handle customer information will be asked to label any sensitive information as such, and prohibited from removing certain customer data/materials from the workplace without permission from Kristy Campbell, Chief Operating Officer.
- Information Systems:
- Sensitive customer information will be encrypted when uploaded.
- Only certain employees will be able to access secured cloud servers that store customer information.
- We will maintain certain secure backup records and archived data off-site, as required by law.
- For payment systems, we will use SSL or Transport Layer Security 1.1 or 1.2, so that any credit card or other payment information is protected in transit.
- Customers will be advised and cautioned against submitting any confidential or sensitive information in general, and especially not in response to a random pop-up or unsolicited email.
- If required, customers’ information will be disposed of securely in compliance with the FTC’s Disposal Rule.
- Detecting and Managing System Failures:
- We will monitor our website traffic for unusual activity, and keep up to date on the latest cybersecurity threats.
- We will maintain up-to-date and appropriate programs to prevent unauthorized persons from accessing our records and our customer data. This includes making sure that our software has the latest security patch and our security software has the latest update (via automatic update, if available).
- Because of our flexible working arrangements, we may have employees who work remotely. We will have strong and up-to-date firewalls to accommodate flexible working conditions (by allowing employees to connect to our network from home) while keeping customer data safe.
- We will keep our employees apprised of any security risks or possible breaches, when appropriate.
- Employee activity with respect to customer information will be logged and monitored, and randomly audited to ensure compliance with this Security Policy.
- If any breach occurs, we will quickly notify the appropriate agencies, and abide by the FTC and IRS rules regarding breaches.
Last updated: December 28, 2018