In a previous article, I discussed ways that accounting firms can decrease the risk of their networks and client data being breached by outside third parties. In this one, let’s look at what firms should do if they do fall victim to a hack.
1. Assess the extent of the damage. Once you know that your firm’s systems have been accessed by unauthorized persons, you need to figure out precisely what information may have been accessed. Were the access rights of a single firm user compromised? If so, it may only be the clients and data for which that person had access rights that are now vulnerable. Depending on the department that person works in, the data accessed could vary from lightly sensitive (general business statements, names, partially redacted information) to very sensitive (Social Security numbers, EINs, bank account information). Unfortunately, if your main server or central database was accessed, the full client roster of the firm may have been breached, in which case you will probably need to consult an IT security firm to help you with your breach assessment, as well as to establish new security measures.
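The scoping step above comes down to one question: which clients, and which classes of data, could the compromised account reach? The following Python script is an added example, not part of the original article; it uses a constructed access-rights table and data inventory (all user names, client IDs and field names are hypothetical) and reports the exposed clients, the worst data tier touched, and whether the exposure matches the "central database, full roster" case the article says calls for outside help.

```python
"""Breach-scoping helper (added example, not from the original article).

Given a constructed access-rights table and a constructed data inventory,
work out which clients and which classes of data a compromised principal
could have reached. Every user, client and field name here is hypothetical.
"""
from dataclasses import dataclass

# Sensitivity tiers follow the article's two buckets.
VERY_SENSITIVE = {"ssn", "ein", "bank_account"}
LIGHTLY_SENSITIVE = {"business_statement", "name", "redacted_id"}
TIER_ORDER = ["none", "unclassified", "lightly sensitive", "very sensitive"]


def classify(field_name):
    """Map a stored field to its sensitivity tier; unknown fields are flagged, not ignored."""
    if field_name in VERY_SENSITIVE:
        return "very sensitive"
    if field_name in LIGHTLY_SENSITIVE:
        return "lightly sensitive"
    return "unclassified"


# Constructed access-rights table: which client folders each principal can open.
ACCESS_RIGHTS = {
    "alice.tax": {"C001", "C002"},
    "bob.audit": {"C003"},
    "central-db": {"C001", "C002", "C003", "C004"},  # the server/database role sees everything
}

# Constructed data inventory: what the firm stores for each client.
DATA_INVENTORY = {
    "C001": {"name", "business_statement"},
    "C002": {"name", "ssn", "bank_account"},
    "C003": {"name", "redacted_id", "business_statement"},
    "C004": {"name", "ssn"},
}


@dataclass
class ScopeReport:
    exposed_clients: set
    fields_by_tier: dict
    worst_tier: str
    unknown_principals: list


def scope_breach(compromised_principals, access_rights=ACCESS_RIGHTS, inventory=DATA_INVENTORY):
    """Return which clients and data tiers the compromised principals could reach."""
    exposed = set()
    unknown = []
    for principal in compromised_principals:
        if principal not in access_rights:
            unknown.append(principal)  # no rights record: the assessor must chase this by hand
            continue
        exposed |= access_rights[principal]
    tiers = {}
    worst = "none"
    for client in sorted(exposed):
        for field_name in inventory.get(client, set()):
            tier = classify(field_name)
            tiers.setdefault(tier, set()).add(field_name)
            if TIER_ORDER.index(tier) > TIER_ORDER.index(worst):
                worst = tier
    return ScopeReport(exposed, tiers, worst, unknown)


def needs_outside_help(report, total_clients=len(DATA_INVENTORY)):
    """Article's rule of thumb: exposure of the full client roster warrants an IT security firm."""
    return len(report.exposed_clients) == total_clients


if __name__ == "__main__":
    for who in (["alice.tax"], ["bob.audit"], ["central-db"]):
        r = scope_breach(who)
        print(who, sorted(r.exposed_clients), r.worst_tier, "outside help:", needs_outside_help(r))
```

The report is deliberately pessimistic: any field the inventory does not classify is surfaced as "unclassified" rather than silently treated as harmless, and a principal with no rights record is listed separately so the assessor knows the scope is incomplete rather than empty.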
2. Re-secure your technology. Change the passwords for all affected computers, online systems, apps and other systems. If multi-factor authentication is available, use it. Don’t reuse passwords, and don’t simply add a character, digit or letter to the compromised password. Here are some best practices to follow. Depending on the severity of the breach, your technology staff or consultant may end up reinstalling systems or restoring your firm and client information from backups.
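The credential-rotation advice above is easy to state and easy to get wrong in practice: people reset "Summer2023!!" to "Summer2024!!" and consider the job done. The following Python check is an added example, not code from the article; it rejects a replacement that is the compromised password, a case change of it, one edit away from it, or the same letters with only the digits and symbols swapped. The passwords in the usage block are constructed placeholders, and the 12-character minimum is an assumed policy value.

```python
"""Credential-rotation check (added example, not from the original article).

Rejects replacement passwords that are trivially derived from the compromised
one: identical, case-only change, a single inserted/removed/changed character,
or the same letters with different digits and symbols. Sample passwords are
constructed placeholders; the minimum length is an assumed policy setting.
"""
import re


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def skeleton(pw):
    """Lower-cased letters only: 'Summer2023!!' and 'summer-2024##' share the skeleton 'summer'."""
    return re.sub(r"[^a-z]", "", pw.lower())


def rejection_reason(old, new, min_len=12):
    """Return why `new` is an unacceptable replacement for compromised `old`, or None if it is fine."""
    if len(new) < min_len:
        return "too short"
    if new == old:
        return "reused compromised password"
    if new.lower() == old.lower():
        return "case change only"
    if levenshtein(old, new) <= 1:
        return "one character added, removed or changed"
    old_sk, new_sk = skeleton(old), skeleton(new)
    if old_sk and new_sk == old_sk:
        return "same letters, only digits or symbols changed"
    if old_sk and old_sk in new_sk:
        return "contains the compromised password"
    return None


def is_acceptable_replacement(old, new):
    return rejection_reason(old, new) is None


if __name__ == "__main__":
    compromised = "Summer2023!!"  # constructed placeholder
    for candidate in ("Summer2023!!1", "summer-2024##", "ledger-cactus-9-harbor"):
        print(candidate, "->", rejection_reason(compromised, candidate) or "accepted")
```

The check is a policy gate, not a strength meter: a password can pass it and still be weak, so it belongs alongside a normal complexity or breached-list check, and the article's other instruction, turning on multi-factor authentication, is what actually limits the damage when a reset is weaker than it should be.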
3. Notify the IRS if tax data is breached. Depending on the nature of the information breached, you may be required to notify local, state and other federal agencies. The IRS stakeholder liaison can assist with notifications, and help prevent bogus tax returns from being filed using your clients’ information.
4. Notify your clients. It is absolutely critical that you notify your clients of the data breach as soon as you are aware of it, and that you keep them updated as needed on the severity and nature of the breach. Most states and the IRS require this of professional firms and tax practices. Notify firm business partners as well, if their information may have been compromised in some manner. To learn more, visit the IRS Incident Response Procedure web page.
5. Review your firm insurance. Ensure you stay compliant with any requirements your insurance policy imposes, particularly if there are provisions regarding data breaches or business continuity. You may also need to contact your agent.
6. Contact financial institutions. If your firm’s internal data was breached, your firm management information may also have been compromised. If so, contact your financial institutions and work with their account security teams to make all necessary changes. If changes to accounts are necessary, make sure your payroll systems are returned to a functional state, and that those accounts are able to process paychecks, tax withholdings and other payments. If firm staff information was compromised, they need to be notified as soon as possible, as well.
7. Review your data security plan. A data breach, or even just the potential of one, is a test not only of your actual plans, but also of your firm’s ability to act quickly and decisively when it matters the most. Once the threat has passed, and you are working with clients, tech staff and authorities, it is time to see where your prevention efforts failed, and to reinforce those efforts. It is also time to see where human errors may have played a role.
There’s a good chance your firm may experience some form of data breach in the future. The two main questions you need to be prepared to answer are: what have you done to limit the impact, and what will you do after?