Your office files and computers are chock full of sensitive personal and financial data about your clients, from Social Security numbers (SSNs) to banking information. Consequently, tax professionals are increasingly being targeted by identity thieves. For example, the IRS recently warned tax pros of scam emails purporting to come from their software providers that ask for user names and passwords to “unlock” their tax preparation software. Tax pros who respond are actually giving the information to cybercriminals who use the credentials to access the preparer’s account and steal client information [IR-2017-39]. Other phishing scams have involved cybercriminals posing as the IRS or other entities, or even as one of your clients.
Obviously, learning to identify and avoid these kinds of phishing expeditions is imperative to protecting your clients’ data and giving you and them peace of mind. There are steps you can take to help protect your clients’ data.
Secure Your Office
Make sure all physical and virtual client files are protected from unauthorized access. For example:
- Lock doors to file rooms and computer rooms.
- Permit access to client files only on an authorized need-to-know basis.
- Make sure client information, including data on computer hardware or other media, is not left unsecured inside or outside the office, such as on desks or photocopiers, in trash cans, or in employees’ vehicles or homes.
- Provide for secure disposal of client information, such as by shredding unneeded documents or destroying digital media.
Secure Your Systems
While trolling in your trash is not unheard of, your computer systems are likely to be the prime target for identity theft. Here are some steps you can take to help prevent a computer data breach:
- Require separate user names and passwords for each individual with computer access – and disable and remove inactive users.
- Make sure users set up strong passwords with a combination of numbers, symbols, and upper and lowercase letters – and require your staff to make periodic password changes every 60 to 90 days.
- Lock out users after three invalid access attempts – anyone can make a typo, but three strikes and you’re out.
- Monitor computer systems for unauthorized access by reviewing system logs.
- Protect internet-connected computers with a firewall or other barrier device.
- Maintain and update hardware and software on a regular basis.
- Ensure your tax software is secure and has secure features in it, such as masking a client’s SSN when your computer is in a resting state.
Secure Your Storage
Tax law requires you to store client data for years after their returns have been filed, but these records should be separated from your active files.
- Back up client data regularly and store it on separate secure computers or media that are not connected to the internet.
- Remove client information once the retention period expires by using software designed to securely remove the data.
- Store removable media, flash drives, recordings of meeting with clients and any paper records in a secure location.
- Restrict access to stored data.
Secure Your Communications
Take steps to ensure the privacy of communications with clients, the IRS or other professionals.
- Encrypt all email that contains client data.
- Encrypt all client information when communicating across a network.
- Remove personal information before mailing items.
For more tips and tactics, see IRS Publication 4557, Safeguarding Taxpayer Data, A Guide for Your Business.