Identity theft can be a daunting prospect for anyone, with the potential to wreak havoc on your personal and family finances, your retirement, school funding for your kids, and even trouble with the IRS if your information is used by others for work purposes or to file false tax returns.
For accounting and tax professionals who manage financial data and prepare client taxes for a living, however, the theft of client identity and tax data can be even more perilous. For starters, this theft can have the same effect on individual clients as noted above, combined with a sense of helplessness and blame placed on the tax firm for the data breach. For business clients, financial accounts could be drained and credit lines opened, which immediately puts the business at risk of closure.
Also, when a breach is discovered, it’s rarely just data from a single individual that is leaked. It’s typically a group of clients, a practice section, or in some instances, the entire client roster. This can result in legal and financial consequences for the firm. Aside from this, the loss of trust would likely result in a mass exodus of clients, which could mark the end of the firm. Data security is vitally important to the future viability of accounting firms, and client data must be guarded the way the military guards nuclear codes.
Here are some foundational guidelines to follow to help ensure your firm doesn’t fall victim to a data breach:
- Have a written data security plan for your firm. The IRS and federal law require that even individual tax preparers have such a plan in place. It doesn’t have to be extensive, but the more you put into it, the more critically you will think about your data security practices. This plan should include the steps you will take to alert clients if your firm’s data may have been compromised.
- Never leave client financial statements, tax forms or other documents out in the open. When you are not at your desk, these documents should be safely filed out of sight. The same goes for when you are meeting with other clients.
- Go digital. Transition your clients to providing their tax documents in a secure digital format. Any paper documents that come into your firm should be scanned/digitized, and the paper versions shredded and properly discarded.
- Store documents, disks, flash drives or other media containing backups in a safe and restricted-access location.
- Never include personally identifying information in an email, including as an attachment. That means no tax documents or final returns, and no financials that may include bank data or an EIN. Do not accept such emails or files from clients either. Make it mandatory for this information to be submitted via secure portals, or encrypted email systems that are designed to safeguard data. Most professional tax systems and practice management systems offer these types of client portal options.
- Position your computer monitors so that if a client visits, they cannot see the data on the screen. If it is necessary to share a screen view, have a second monitor that can display information they need to see.
- Randomize your passwords. While it’s cumbersome to have different, random and mixed-character passwords for different programs and websites, this is one of the most effective ways to keep those systems safe. Consider using a reputable password manager, such as those reviewed by PCMag.com.
- Always log off or lock your computer when away from your desk, as well as at the end of every workday.
- Ensure correct and limited access rights are given to staff and client users. Immediately remove access when staff leave your firm. When hiring new staff, consider performing background checks.
- Train staff members and educate yourself on the latest tax scams targeting professionals and taxpayers, as well as any new security protocols that will protect data.
Accounting and tax firms are increasingly becoming targets of breach attempts, as the bad guys realize the potential trove of data they manage. Firms should also consider data security insurance, which is available from most insurers providing other firm insurance services.