Are Your Clients’ Data Secure?

Read the Article

Your office files and computers are chock full of sensitive personal and financial data about your clients, from Social Security numbers (SSNs) to banking information. Consequently, tax professionals are increasingly being targeted by identity thieves. For example, the IRS recently warned tax pros of scam emails purporting to come from their software providers that ask for user names and passwords to “unlock” their tax preparation software. Tax pros who respond are actually giving the information to cybercriminals who use the credentials to access the preparer’s account and steal client information [IR-2017-39]. Other phishing scams have involved cybercriminals posing as the IRS or other entities, or even as one of your clients.

Obviously, learning to identify and avoid these kinds of phishing expeditions is imperative to protecting your clients’ data and giving you and them peace of mind. There are steps you can take to help protect your clients’ data.

Secure Your Office

Make sure all physical and virtual client files are protected from unauthorized access. For example:

  • Lock doors to file rooms and computer rooms.
  • Permit access to client files only on an authorized need-to-know basis.
  • Make sure client information, including data on computer hardware or other media, is not left unsecured inside or outside the office, such as on desks or photocopiers, in trash cans, or in employees’ vehicles or homes.
  • Provide for secure disposal of client information, such as by shredding unneeded documents or destroying digital media.

Secure Your Systems

While trolling in your trash is not unheard of, your computer systems are likely to be the prime target for identity theft. Here are some steps you can take to help prevent a computer data breach:

  • Require separate user names and passwords for each individual with computer access – and disable and remove inactive users.
  • Make sure users set up strong passwords with a combination of numbers, symbols, and upper and lowercase letters – and require your staff to make periodic password changes every 60 to 90 days.
  • Lock out users after three invalid access attempts – anyone can make a typo, but three strikes and you’re out.
  • Monitor computer systems for unauthorized access by reviewing system logs.
  • Protect internet-connected computers with a firewall or other barrier device.
  • Maintain and update hardware and software on a regular basis.
  • Ensure your tax software is secure and has secure features in it, such as masking a client’s SSN when your computer is in a resting state.

Secure Your Storage

Tax law requires you to store client data for years after their returns have been filed, but these records should be separated from your active files.

  • Back up client data regularly and store it on separate secure computers or media that are not connected to the internet.
  • Remove client information once the retention period expires by using software designed to securely remove the data.
  • Store removable media, flash drives, recordings of meeting with clients and any paper records in a secure location.
  • Restrict access to stored data.

Secure Your Communications

Take steps to ensure the privacy of communications with clients, the IRS or other professionals.

  • Encrypt all email that contains client data.
  • Encrypt all client information when communicating across a network.
  • Remove personal information before mailing items.

For more tips and tactics, see IRS Publication 4557, Safeguarding Taxpayer Data, A Guide for Your Business.

Dorinda DeScherer

Dorinda DeScherer is an attorney specializing in tax and employment law. She is an honors' graduate of Barnard College of Columbia University and the University of Maryland School of Law. She is currently a principal with Editorial Resource Group, where she specializes in writing and editing professional publications. More from Dorinda DeScherer

2 responses to “Are Your Clients’ Data Secure?”

  1. In the last group – “Secure Your Communications” – the second item is ‘Encrypt all client information when communicating across a network’.

    Does that mean the internal hardwired network?

    • No, we’re not referring to the internal hardwired network. What we mean is, make sure you use SSL (https://) when communicating across the internet. SSL is a security protocol that secures communication between entities (typically, clients and servers) over a network. SSL works by authenticating clients and servers using digital certificates and by encrypting/decrypting communication using unique keys that are associated with authenticated clients and servers.