Securing Client Data From ID Theft in a Tax Practice

Client Relationships Tax fraud

Ever since the IRS experienced its own electronic security breach in May, many accountants have become all the more conscious of the inherent problem of protecting Social Security numbers in their offices.

A reported 104,000 tax returns were allegedly taken by Russian hackers using the “Get Transcript” function, causing the IRS to temporarily shut down the system. “These third parties gained sufficient information from an outside source before trying to access the IRS site, which allowed them to clear a multi-step authentication process,” reads the IRS’s statement.

The implications for accountants and their firms are twofold. First, if the IRS is being targeted, a firm might be as well. Second, according to the IRS, hackers had prior information on the targeted accounts, including Social Security information, date of birth, tax filing status and street address. However, such an occurrence does have precedence; in 2013, a Connecticut accounting firm suffered a data breach that may have compromised the data of 900 clients.

Accounting technologists are more alarmed than accounting firms, recently reporting, in a Journal of Accountancy roundtable in June, that a cybersecurity storm is coming. Rick Richardson, CPA.CITP, CGMA, of Richardson Media & Technologies, LLC, warns that many accounting practices are not as protected as they should be.

“CPAs and accountants need to know what they are using,” said Richardson. “Accountants cannot defend themselves if they keep information on an insecure portal like Dropbox and something goes wrong. Going to a portal in the cloud is the best answer for secure communication in the cloud.”

Following the Banks Banks and accounts receivable firms are already required to demonstrate physical and computer security to protect sensitive data. Interestingly enough, tax accountants possess more sensitive personal data and do not have any requirements to protect the data. The threat is present for accountants, even if the regulation is not. Following the lead of banks would therefore be a wise decision.

Rather than be the subject of a massive security breach, specialists recommend taking data security preventative steps, beginning with encrypting email. Additional steps include requiring that any outsourced servicers who see sensitive data have proper security in place. This includes tax software vendors, payroll services, document management companies and any cloud providers.

Physical security can take a page from outsourced accounts receivable companies by battening down the hatches, so to speak. Perform a gap analysis that includes taking a survey of where data can find its way out of your office. For example, it may be necessary to replace computers with USB drives, from which a thumb drive could easily remove gigabytes of data.

Accounts receivable firms use cameras and require cell phones to be placed in a locker before anyone enters a data secure area. Each room can only be accessed by a personal code, often using the last four digits of the employee’s Social Security number.

Adobe Acrobat was once considered an effective, secure file exchange solution for firms when sending encrypted PDF files as email attachments. However, Richardson does not agree and encourages other various methods of secure file exchange. Richardson uses Citrix ShareFile.

While no human security effort is going to be completely foolproof, accountants should understand the ins and outs of security in the cloud. A reliable cloud server operation will maintain 24/7/365 security staff on site, as well as redundancy of all data and data center systems.

Security Levels Since data security seems to be the catch-all phrase for IT solutions, it’s wise to determine the actual level of security among cloud computing companies. In many instances, security is little more than what is referred to as “window dressing” security. This happens when a company expresses some assessment as if it means more than it does. For example, the SSAE 16 process performed by CPAs is not a measure of data security or an audit, but rather, a test of financial controls, according to the AICPA. Financial controls are required when working on behalf of banks, but the SSAE 16 review is often perceived as a data security audit. The AICPA realizes that it is being misinterpreted, but according to Erin Mackler, CPA, AICPA’s senior technical manager, Business Reporting Assurance & Advisory Services, “We are not a policing organization.”

Cloud computing companies may state that a firm has performed SSAE 16 procedures to measure financial controls and then claim they are “SSAE 16 certified,” but this is an overstatement. There is no certification process. Even more ridiculous, but in wide use, is the claim of being SAS 70 certified. SAS 70 was replaced by SSAE 16 in 2013. It was also not a certification, audit or a data security assessment.

The alphabet soup of acronyms for versions of data security is growing, and not one provides absolute data security because perfect security does not exist. Whether it is PCI DSS, GLB, HIPAA/HITECH, FISMA or ISO 27002, they each represent a limited scope review of data security controls. After all, if FISMA (Federal Information Security Management Act), the government standard for data security, worked perfectly, NSA security breaches would not exist.

Accountants should know more about cloud security, not just for themselves, but also to pass on the knowledge (if qualified) to their clients. Since every risk can’t be completely eliminated in any environment, it is vital to ensure data security for your firm and anyone who wants to compute for you in the cloud.

Rather than be embarrassed by a data breach, determine if your firm can pass these 19 data security standards. These standards were derived from the baseline level of cybersecurity controls, described in the Cybersecurity Framework and promulgated by the National Institute of Standards and Technology, to help financial institutions identify their risks and determine their cybersecurity maturity:

DATA SECURITY 1. Access to the company’s computer network is protected by firewalls.

  1. Workstation access is specific to each staff member, controlled through passwords and governed through centralized policies controlled through the server.
  2. No workstation with email access can attach files without password authentication.
  3. There are no floppy, CD, DVD drives or USB ports on computers.
  4. FTP access used for file transfers between clients and servers is only available to a select few with automated-logs of activities. Public chat messengers are not allowed on any computers and none of the user machines can download and install any software.
  5. Access to printer, photocopier and fax is also controlled through unique IDs.
  6. Access to required websites is permitted only on a need basis and a log is maintained and reviewed. By default, all websites are blocked and users have to make a specific request, authorized by the managers, to the IT administrator to permit access to any specific website. Management periodically reviews the list of authorized websites.
  7. Screenshots of each computer are logged at periodic intervals and reviewed.

PHYSICAL SECURITY

  1. The processing office premise requires general access security at the entrance. The office premises have separate electronically controlled access to the main office and additional access control for operations areas.
  2. Intrusion detectors are used during off hours.
  3. Direct, automated link to a 24/7 security service provider who monitors the office. Specified management members get calls if the office is opened or closed at times not pre-defined as office hours.
  4. Closed circuit TV cameras throughout the premises are monitored by management.
  5. Invisible alarms will activate for emergencies.
  6. Personal mobile phones are not allowed to be carried into operations area.
  7. Lockers are used by staff to keep their cell phones and electronic devices.

LEGAL SECURITY

  1. Non-disclosure and confidentiality agreements are signed by each employee.
  2. A “Computer use policy” is signed by each employee to enable taking legal action in case of a breach.
  3. Explain to staff that the safety, security and confidentiality of client data are of paramount importance. Top management has utilities by which it can view the monitor of any computer from their own desktop. Explain clearly to all employees that it is the right of the company to do so and the company computers may be accessed randomly without any prior notice to any employee.
  4. Data security includes compliance, reputation, and liability risk. It must work with popular applications, file storage, devices, cloud, and content management systems across all communication channels: trusted, untrusted, private or public.

Data Encryption If nothing else, at least use email and file access encryption with the ability to remotely delete files. Encryption is a means to not allow unauthorized people to see data they shouldn’t see. When a user accesses the cloud, standard security log on requirements are in play. This is especially true in the accounting office, where an accounting professional has to access a customer’s financial files.

Richardson noted that secure file systems “were once out of the realm of smaller firms, but now, affordable systems like Citrix ShareFile are available. Accountants should stay away from recommending data security to clients, unless they use and become well-versed on its use.