Tips to Protect Against Identity Theft

Data breaches and identity theft have led to an increase in fraudulent tax filings, and tens of thousands of honest taxpayers have been subjected to delays in their legitimate refund claims, according to the Internal Revenue Service.

Most CPA firms are good custodians of client data, but occasionally a laptop or USB (thumb) drive will go missing with unencrypted confidential data on it. Such losses give rise to potential data breaches, which can be expensive for firms. The more cost-effective approach is to implement robust data security measures. Furthermore, firms that become proficient at security will be better able to assist clients with their own data security needs.

Loss Prevention Tips

Follow these basic loss prevention tips for better security:

- Ensure that laptops, desktops, USB drives, servers, smart phones and other devices do not contain any confidential data that is unencrypted.
- Consider remote laptop security measures to prevent access to protected files in the event of theft or loss.
- Ensure that email messages and attachments containing confidential data are encrypted, using file encryption and digital certificates.
- Use strong passwords, and do not write them down or share them. Passwords should be built from random characters and include symbols such as #, $, and &. Change passwords at least every 90 days.
- Provide physical security for computers and endpoints, as for any other valuable assets, including building security and access codes, and locking up all servers, laptops, desktops and mobile devices.
- Do not download personal software onto business computers, because of the risk of downloading viruses or worms along with the software.

Firms should consider engaging in a continuous data security process that operates in three areas:

1) Risk Assessment

Software tools are available for assessing and analyzing the security of most computer systems. Many software companies also provide security updates to protect against threats that have been identified, and most updates can be applied automatically. Have a computer specialist conduct a more thorough assessment and analysis to highlight vulnerabilities and provide risk reduction tips.

2) Comprehensive Written Plan

A written information security plan:
- outlines the specific ways the firm will protect data;
- sets forth policies, procedures and staff responsibilities, including what staff members are not allowed to do, and what they are required to do (such as immediately reporting any actual or potential security problems);
- covers areas such as the Internet, social media, email usage, and record retention and destruction; and
- details the reporting and other requirements of the states in question and the state agencies to which breaches are to be reported. Some states require firms to be compliant with the state’s privacy laws if the firm has the privacy data of a resident in that state. Some states require a written security plan by law.

3) Regular Staff Training

Teach the written plan to staff to ensure that each employee knows what the firm is doing and what he or she is required to do, including best practices for addressing new and continuing risks (e.g., social engineering, phishing and web application attacks). New laws or regulations should be reflected in changes to the plan. Training sessions to update staff on such changes will make the plan a dynamic, living document that staff uses and relies upon. Better data security measures will help ensure that private information remains confidential and available only to authorized parties. Firms will avoid or reduce the high costs associated with data breaches, and strong data security measures will become selling points that many clients appreciate.
