Tax Preparation Services, Taxpayer Confidential Information and Identity Theft

Potential Liability for Service Provider’s Wrongful Disclosures

In March and April each year, U.S. corporate and individual tax returns must be filed and taxes paid. Due to increased complexities in the tax law and related tax return forms, hiring a tax preparer is no longer a choice, but a necessity, for a large number of Americans. Given this persistent, seasonally peaking and annual recurring demand, licensed tax preparers have long looked to outsourcers for meeting short-term needs annually.

Offshore business process outsourcing can save significant money for Certified Public Accountants and other licensed tax preparers in the United States. Foreign subcontractors in India, the Philippines and the Caribbean are preparing income tax returns for American taxpayers. News reports indicate that few U.S. taxpayers have no knowledge of this practice.

As such offshoring of tax preparation services has become more widespread, legal and ethical issues emerge. Legally, the question is what liability does the U.S. tax preparer incur when hiring foreign subcontractors to process tax returns for U.S. taxpayers. Ethically, the question is whether and when the U.S. tax preparer has a duty to disclose to clients the use of offshore tax preparers.

Ethical Considerations regarding Disclosure of Outsourcing.

AICPA Code of Conduct.
Most tax preparers are certified public accountants (“CPA’s”) or their employees. Enrolled agents, who are licensed by the Internal Revenue Service after taking an examination, and lawyers are also authorized to prepare tax returns. Many business owners hire CPA’s to prepare tax returns because the CPA’s are also qualified to prepare financial statements and conduct audits. Only CPA’s, enrolled agents and attorneys may represent a taxpayer before the IRS for all matters such as audits, collections and appeals.

The Code of Conduct of American Institute of Certified Public Accountants, at its website www.aicpa.org, indicates that outsourcing of tax preparation is entirely ethical, provided client confidentiality is protected.

[Assume that “The member’s firm would control the input of information and the computer service would perform the mathematical computations and print the return.”] A member may utilize outside services to process tax returns. He must take all necessary precautions to be sure that the use of outside services does not result in the release of confidential information.

Need for Special Precautions.
It is not obvious whether, under this AICPA Code of Conduct, a CPA assumes any responsibility as a guarantor of the confidentiality of client information, or merely is required to take precautions and is not liable for any wrongful disclosure after having taken such precautions. The Code of Conduct does not suggest any actual responsibility as guarantor, but a dereliction of duty as to the precautions could result in liability for the loss of confidentiality. Such a limitation of professional liability would be supported by general principles of malpractice, in which the CPA’s duty of care is limited to negligence and not for strict liability in tort.

Standard of Care of Offshore Outsourcing of Tax Preparation Services.
As a matter of professional ethics, there is no difference between offshore outsourcing and domestic outsourcing. However, the standards for what are “all necessary precautions” to protect confidential information might be higher in the case of offshore outsourcing since the tax preparation is not done under the CPA’s supervision. What is “necessary” should reflect the circumstances of the outsourced tax preparation operations. Consistent with general principles of malpractice, the CPA’s standard of care depends on the circumstances. Offshoring of subcontract work suggests that a special duty of care should be imposed to ensure that the actual precautions for protection of confidentiality are reasonable under all the circumstances.

Accuracy of Data Entry.
The AICPA Code of Conduct does not address situations where the tax preparer is actually inputting information received from printed questionnaires submitted by the taxpayers. A practical solution would entail having the client taxpayer or the tax preparer confirm the accuracy of the data entry by the offshore service provider, so that the CPA as tax preparer is not delegating responsibility to a third party for the accuracy of the data entry before the outsourcer processes the data to deliver the tax return.

Preventing Criminal Conduct in Tax Preparation.

Wrongful disclosure of confidential information protected by tax laws is a criminal offense. Under what conditions could CPA be vicariously liable, as a criminal, for letting an outsourcing service provider wrongfully disclose such information?

Criminal Disclosure of Tax Information.
The U.S. Internal Revenue Code of 1986, as amended (the “Tax Code”), makes it a federal crime for any person engaged in the business of preparing, or providing services in connection with the preparation of, income tax returns, or any person who for compensation prepares any such return for any other person, who knowingly or recklessly discloses such information to third parties or uses such information for any non-preparation purpose. This is a federal-law misdemeanor punishable by a fine of $1,000 and prison of up to one year. Exceptions apply for disclosures mandated by law or a court or for disclosure for use in preparing state or local tax returns.

Criminal Intent.
The criminal liability for such actions requires proof of either knowledge of the criminal act, or a recklessness that is tantamount to disregard for the consequences of a prohibited disclosure or use. Prosecution must show the requisite criminal intent. Consequently, no criminal intent occurs by mere ordinary negligence. This law became effective for violations in 1997.

Limited Extraterritorial Enforcement of U.S. Tax and Criminal Laws.
Foreign subcontractors of U.S. tax preparers are subject to this tax-preparer law. There is no geographical restriction to the application of this law, but foreign enforcement is another question. As a matter of international public law (the law of nations), most countries do not enforce foreign laws (particularly on taxation, crime, labor or environmental protection) in the absence of a mutual enforcement convention. Generally, the right of a country to exercise discretion with respect to investigatory, prosecutorial, regulatory and compliance matters and to make decisions regarding the allocation of resources to enforcement of different portions of such laws are considered intrinsic reserved governmental rights of any government. One government is not the tax collector or enforcer of another’s government’s laws. Even in mutual enforcement conventions, extensive levels of discretion may be expressly reserved.

Sufficiency of Protections for Confidential Information.
In an egregious case of recklessness, the U.S. tax preparer could be liable for the offshore outsourced service provider’s violation of the U.S. tax laws. Assuming the subcontract requires compliance with U.S. laws, the U.S. tax preparer might still incur criminal liability for any recklessness in disclosing tax return information to the foreign service provider

Preventing Identity Theft.

Identity theft has become a sore issue, costing billions of dollars in losses each year. Tax preparers, as well as others sending sensitive personal data offshore for processing, must take notice of the emerging legal landscape to protect identities. As of March 10, 2004, several draft federal laws to protect identities were pending, reinforcing existing public policy on privacy rights.

Social Security Act.
Under the rubric of criminal fraud, there are criminal rules for identity theft using a Social Security number. In addition, pending draft legislation would make it illegal to obtain or use “individual’s social security account number for the purpose of locating or identifying such individual with the intent to physically injure or harm such individual or using the identity of such individual for any illegal purpose,” or to “intentionally place such number in a viewable manner on an Internet site that is available to the general public or to make such number available in any other manner intended to provide access to such number by the general public.” Social Security Number Privacy and Identity Theft Prevention Act of 2003, 108th Cong., 1st Sess, proposing to add 42 U.S.C. §408A. Section 302 of this draft law would make it a crime to “disclose, use, compel the disclosure of, or knowingly sell or purchase the social security account number of any person in violation of the laws of the United States.” In the context of outsourcing, due to the requirement of actual criminal intent, such law would not generally cause the U.S. tax preparer to be vicariously liable for the criminal act of an employee of its outsourcing service provider.

CAN SPAM Act of 2003.
Section 9 of the CAN SPAM Act of 2003, effective January 1, 2004, contemplates a nationwide marketing Do-Not-E-Mail registry to be adopted after an administrative report that includes an explanation of any practical, technical, security, privacy, enforceability, or other concerns that the U.S. Federal Trade Commission has regarding such a registry. S.877, 108th Cong., 1st Sess. The act also contemplates a system of rewards for individuals to share in 20% of the fines collected from convicted spammers.

Fair and Accurate Credit Transactions Act of 2003 (“FAIR Act”),
H.R. 2622, 108th Cong., 1st Sess., Sec. 111. The FAIR Act amends the Fair Credit Reporting Act to protect consumers from identify theft. For outsourcing, it is critical to be aware of the definition of “identity theft” as “a fraud committed using the identifying information of another person.” 15 U.S.C. §1681a(q)(3). This definition, which is subject to clarification by regulation, helps consumers hurt by such frauds. Criminal frauds under state laws could arise from “identity theft” under the FAIR Act.

Identity Theft Notification and Credit Restoration Act of 2003,
HR 323, 108th Cong., 1st Sess., would require U.S. financial institutions to disclose to their customers any ” unauthorized acquisition of computerized data or paper records which compromises the security, confidentiality, or integrity of personal information maintained by or on behalf of a financial institution.” See Gramm-Leach-Bliley Act (15 U.S.C. §6821 et seq.), which this draft law would amend to require such notifications. Such notifications would follow existing California law requiring similar notifications in case of security breaches.

Prevent Identity Theft From Affecting Lives and Livelihoods (PITFALL) Act,
HR 3296, S. 1749, 108th Cong., 1st Sess., would amend the Truth in Lending Act, 15 U.S.C. §1643, to prevent debt collectors and creditors from seeking to enforce debts that are the result of identity theft for which a administrative “no-fault” letter has been issued.

Balancing of Risk.
The likelihood of a criminal disclosure or criminal use of sensitive taxpayer information is probably not as great as the probability of identity theft via Internet or credit card scams. However, any wrongful disclosure would have the same serious harmful effects.

Enacting Protective Foreign Legislation.

The trustworthiness of offshore outsourcing for any type of private or personal identifying data has now become an issue in the public mind and for the U.S. and European businesses that hire offshore service providers.

Call to Action for Tax Preparers and their Foreign Service Providers.
Foreign legislation criminalizing abuses of such data, with vigorous political leadership and enforcement activity, will serve the public interest of the foreign government. Indeed, as foreign service providers (and American service providers hiring offshore subcontractors) compete for outsourcing customers, the lack of such data protection, privacy and identity theft laws can only defeat legitimate efforts to solicit transaction processing business.

For foreign contractors providing tax preparation services or other privacy-related data, such new laws would serve to educate the public and provide assurance of security relying on foreign governmental enforcement of foreign laws that criminalize the same wrongful conduct and, indeed, go further by requiring reasonable security in transmission of sensitive information. In late 2003, NASSCOM announced they were working on a proposal for privacy legislation, but enactment is still to come. If such legislation were adopted and enforced in India, for example, then any label “Services Rendered in India” might not have a pejorative impact other than for purely chauvinistic reasons.

Negotiating Contractual Provisions.

Most international outsourcing agreements specify that the service provider will disclose all subcontracting of the work, with certain exceptions. In this case, as a political policy, one might argue that taxpayers (as well as medical patients, bank depositors, insured individuals making claims and all others protected by U.S. privacy laws) should be entitled to know who does their work. Such disclosure might be appropriate not only because of possibility of some perceived increased security risk, but also for tax law enforcement purposes (promotion of the confidence and personal relationship of the tax accountant with its client).

A two-tiered pricing structure could be offered, one for domestic preparation, the other for offshore preparation. In each case, consistent with the AICPA Code of Conduct, certain portions of the tax preparation could be outsourced, and the CPA, enrolled agent or tax lawyer retains legal liability for the decisions made concerning the application of the laws to the particular numbers reflected on the tax returns.

Tax preparers should review their engagement letters on issues of privacy, data protection, identity protection, subcontracting and offshoring. Related provisions in engagement letters, involving scope, pricing, liability and standard of care, might be changed as well.

Best Practices.

The tax preparer incurs certain risks by sending tax preparation support services to an outsourcing services provider. In an environment focused increasingly on privacy rights and preventing criminal activity involving identity theft, there are a number of best practices that should be considered and adopted. Bierce & Kenerson, P.C. has prepared a checklist of best practices that is available at no charge for its clients and prospective clients.

For further information on this checklist please consult one of your outsourcing attorneys at Bierce & Kenerson, P.C. 212 840 0080 or email
kmasi@biercekenerson.com.