When we enter a tax preparer’s office for the first time, we are unknown and have to provide not only our W-2s and/or business records, but often also copies of prior years’ tax returns, Social Security cards for all family members, birth certificates, and other highly personal and private information. The office either makes paper copies or scans the information into some type of electronic filing cabinet. In this era of rampant identity theft, we often hesitate to provide such information, wondering how secure our private information will be in the accountant’s office. This concern is very valid, as hackers are trying to penetrate accountants’ systems now more than ever because of the amount of private information contained in accountants’ computers. How can you as the tax client know how secure your information is? What steps should a tax office take to protect client data?
First, ask about the accounting firm’s privacy policy. Is a copy provided on the firm’s website? Is a copy provided with each tax return? I have the company privacy policy posted on the website and have copies available in our waiting area. This policy should disclose any third parties that have access to your data and describe any outsourcing of services by the firm. As a practice, I keep all work inside my office, completed by employees under my supervision.
Second, what physical measures are in place to protect client data? Does the office have a security system with 24-hour monitoring? Not only does this office have 24-hour monitoring, we also place any physical client data in locked desks and file cabinets at the close of business each night. During business hours, client data is kept out of sight of any outside parties entering the office for assistance. All original information is returned to the client. Any physical copies no longer needed are shredded into confetti.
Third, and probably most important, is how data is protected electronically. All paid preparers are required by IRS Publication 4557 to maintain a written electronic security policy. In harmony with the IRS direction, my office uses a quality internet security software suite that provides a firewall, anti-virus protection, and malware protection. To maintain security at a high level, our router and switch were recently upgraded. High-risk and threatening websites are blocked, so employees cannot access places they should not be going. Employees are well trained on the “No-Click Policy”. This policy reduces risk by not allowing the clicking of links and attachments in emails. All clients are required to submit tax information by physical delivery, fax, or upload to their client portal. Next, what kind of backup systems are used? In the event of disaster, theft, or data loss, will the office be able to restore my data? We keep multiple secure backups, both on-site and off-site. One last necessary action is complete hard drive encryption. All computers used to access client information must use hard drive encryption. Without hard drive encryption, a desktop or laptop computer is vulnerable if physically stolen. Computers that have hard drive encryption require a password even before the operating system, such as Windows 10, starts.
Warning: No system is 100% safe from a data breach. We do take all the precautions possible to protect and maintain client data in the best and most secure environment that we possibly can.
For the security and safety of your data, it is vital that you check with your accountant on the steps they take to protect and secure client data.