As technology has advanced at an exponential rate, public accounting firms have adopted many new products over the past 15 years that have contributed to their financial success. These advances have benefited the profession through increased efficiency, better workflow, and telecommuting options, among others. However, every advance in technology also brings new risk, including the loss or theft of data. It is natural to focus on the success that technological advances have brought to your firm, but have you placed enough emphasis on protecting the enormous amount of data that has come into your possession, or that you are storing for extended periods to comply with record retention requirements?
This is an area of concern for many companies and governments given the relative ease of accessing information. If data protection is not already near the top of your priority list, move it up.
We are all aware of the issues that have become more commonplace over the past several years, such as identity theft, fake notices, filing of fraudulent tax returns and refund claims, and computer viruses. You may recall a time when these issues were only discussed during an annual update meeting, but in our current environment we should continually remind and educate firm personnel about the importance of protecting data.
Although the employment and enforcement of internal policies and procedures are key to protecting data for our business, we should also educate clients on these issues. Share with them the security protocols you have in place to give them comfort that their information is safe. It is extremely important to keep clients informed of these security protocols because each security measure comes at a cost, which may indirectly impact fees.
To help minimize the potential risk of data loss, consider the following recommendations for implementation in the near future, if not today.
Develop and enforce internal policies and procedures – Enforcement of the policy is crucial in keeping this high on the priority list and in the minds of personnel as they go through their daily routine.
Eliminate the use of unsecured e-mail – The transfer of information through e-mail has improved responsiveness to our clients, but sending tax information as an ordinary e-mail attachment is a potential risk area: the message can be read in transit, in a compromised mailbox, or by anyone who later gains access to either party's account. Likewise, ask clients not to send you confidential information by unsecured e-mail. At a minimum, encrypt any file being sent by e-mail with a strong password, and convey that password through a separate channel (a phone call or text message, never the same e-mail thread). Note that the legacy password protection built into many ZIP tools is easily broken; use a tool that applies modern encryption such as AES. Better still, investigate a service provider that offers a secure client portal for exchanging documents, which removes the password-handling burden from clients entirely.
Passwords for computers and programs – Office equipment and software programs should require a separate login for each user, so that access can be revoked individually and activity can be traced to a person. Passwords should be long, unique to each system, and never shared, and must be changed immediately whenever compromise is suspected. Many firms still rotate passwords every 90 days, or at least semiannually; be aware, however, that current guidance from NIST (SP 800-63B) no longer recommends forced periodic changes, because they push users toward predictable variations of the same password. Unique passwords combined with multi-factor authentication, where the software supports it, provide far more protection than rotation alone. Workstations should also lock automatically after a short period of inactivity.
Document storage and shredding – Even though the days may get hectic at times during busy season, it is a best practice to only have one client’s information on a desk at a time, and to store all confidential information in a location that can be locked at the end of the day. Permanent storage of documents should be maintained in a location that can be locked. If space does not permit storing information in a locked location, consider the use of a third-party service provider with adequate security and insurance for storing documents. All documents that have confidential information should be shredded internally or by a third-party service provider.
Cybersecurity testing and insurance – Penetration testing should be part of your cybersecurity plan, repeated on a regular schedule (semiannually for a firm that handles large volumes of client data) and after any significant change to your network or software, because a test only reflects the state of your systems on the day it was run. Between tests, keep systems patched and run routine vulnerability scans; most intrusions exploit known weaknesses for which fixes already exist. Insurance companies offer cyber liability policies to cover the costs of responding to a breach, so it would be wise to investigate this type of insurance. Read the policy conditions carefully, since many condition coverage on specified controls, such as multi-factor authentication, actually being in place.
Awareness of data breach laws – Stay current, or seek out guidance, to ensure that your business understands and complies with all federal and state laws and regulations that apply in the event of a data breach. Most states have breach notification statutes with specific deadlines for notifying affected individuals and, in some cases, regulators. For example, if you work with information subject to the Health Insurance Portability and Accountability Act, the penalties for noncompliance can be severe.
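The e-mail recommendation above says to put a password on any file sent as an attachment. The following is an added example, not code from the original article or its authors, of one way to do that on a workstation or server with the openssl command-line tool (version 1.1.1 or newer, which supports the -pbkdf2 option). The function names, the sample "client data" file, and the passphrase are this example's own constructions. The passphrase is stretched with PBKDF2 before use and handed to openssl through the environment rather than on the command line, so it does not show up in the process list.

```shell
#!/bin/sh
# Added example (not part of the original article): password-protect a file
# before attaching it to e-mail, then verify the round trip.
# Assumes the openssl CLI (1.1.1+) is installed. Function names, the sample
# file contents and the passphrase below are constructed for this example.

# encrypt_for_email INPUT OUTPUT PASSPHRASE
# AES-256-CBC with a random salt; the passphrase is run through PBKDF2
# (600,000 iterations) to slow down guessing attacks on the attachment.
# The passphrase goes through an environment variable, not the argv.
encrypt_for_email() {
    in_file=$1; out_file=$2; passphrase=$3
    FILE_PASS=$passphrase openssl enc -aes-256-cbc -salt -pbkdf2 -iter 600000 \
        -in "$in_file" -out "$out_file" -pass env:FILE_PASS
}

# decrypt_from_email INPUT OUTPUT PASSPHRASE
# Reverse of the above. openssl exits non-zero on a wrong passphrase
# (padding check fails), but CBC mode carries no integrity check, so a
# deliberately tampered attachment can still decrypt to garbage silently.
decrypt_from_email() {
    in_file=$1; out_file=$2; passphrase=$3
    FILE_PASS=$passphrase openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 \
        -in "$in_file" -out "$out_file" -pass env:FILE_PASS
}

# roundtrip_demo: build a constructed sample "tax return" file, encrypt it,
# confirm the encrypted attachment no longer contains the plaintext, decrypt
# it with the same passphrase, and confirm the bytes match. Returns 0 on
# success, 1 on any failure.
roundtrip_demo() {
    work=$(mktemp -d) || return 1
    printf 'Client: Example Co.\nSSN: 000-00-0000 (constructed sample)\n' \
        > "$work/return.txt"
    pass='correct horse battery staple'   # constructed; in practice, generate one per file

    encrypt_for_email "$work/return.txt" "$work/return.txt.enc" "$pass" \
        || { rm -rf "$work"; return 1; }

    # The attachment must not leak the plaintext.
    if grep -q 'Example Co.' "$work/return.txt.enc"; then
        rm -rf "$work"; return 1
    fi

    decrypt_from_email "$work/return.txt.enc" "$work/roundtrip.txt" "$pass" \
        || { rm -rf "$work"; return 1; }

    cmp -s "$work/return.txt" "$work/roundtrip.txt"
    status=$?
    rm -rf "$work"
    return $status
}

# Usage: roundtrip_demo && echo "round trip OK"
```

Because the passphrase is the only thing protecting the attachment, send it to the client by phone or text, not in the same e-mail, and use a different passphrase for each file. The lack of an integrity check in this mode is one more reason the article's preferred option, a client portal, is the better long-term answer.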
This is not an all-inclusive list of the security measures that you should implement or already have in place, but rather a highlight of some areas of potential risk. Resources are not unlimited, so you cannot prevent every incident, but it is advisable to invest some resources in protecting this data. Depending on the size of your company and your specific needs, there are many service providers available to help you meet this need.
James E. Marker II, CPA, is a tax manager with Sisterson & Co. LLP in Pittsburgh. He can be reached at email@example.com.
Timothy J. Mantick is an IT manager with Sisterson & Co. LLP. He can be reached at firstname.lastname@example.org.