It sounds so elementary: to protect their firm’s data and clients’ information from identity thieves, tax professionals must use strong passwords and encryption.
And yet, it’s a statement worth repeating. The Electronic Tax Administration Advisory Committee, or ETAAC, noted in its most recent annual report to Congress that many tax professionals do not have a data security plan in place despite a Federal Trade Commission requirement for one.
Tax Security 101
The Internal Revenue Service and its Security Summit partners have made the plea for strong passwords and encryption the third installment in its series of “Protect Your Clients; Protect Yourself: Tax Security 101” reminders for all tax practitioners. The campaign aims to provide tax pros with the basic information and resources they need to build a security system that works for them.
All this is necessary because cybercrime continues to evolve despite the counter-effort by the IRS and the Security summit. Data thefts at tax pro offices is on the rise and thieves are still using data stolen from tax offices to create fraudulent tax returns that are harder to detect.
Knowledge is power and our knowledge of what makes a password strong is changing as well. In fact, the latest advice from security experts is not to use a password at all, but a passphrase. The IRS puts it this way:
Previously, experts suggested something like “PXro#)30” but now suggest a phrase like “SomethingYouCanRemember@30.” By using a phrase, you don’t have to write down your password and expose it to more risk. Also, people may be more willing to use strong, longer passwords if it’s a phrase rather than random characters.
Strengthen Your Passwords
It is critical that all tax practitioners establish strong, unique passwords for all accounts, whether it’s to access a device, our tax software products, cloud storage, wireless networks, or encryption technology. Here’s how to get started:
- Use a minimum of eight characters; longer is better.
- Use a combination of letters, numbers and symbols, i.e., XYZ, 567, !@#.
- Avoid personal information or common passwords; opt for phrases.
- Change default/temporary passwords that come with accounts or devices.
- Do not reuse passwords, e.g., changing Bgood!17 to Bgood!18 is not good enough; use unique usernames and passwords for accounts and devices.
- Do not use email addresses as usernames, if that is an option.
- Store any password list in a secure location, such as a safe or locked file cabinet.
- Do not disclose passwords to anyone for any reason.
- Use a password manager program to track passwords, but protect it with a strong password.
Whenever you get the option, choose to use a multi-factor authentication process. A lot of email providers are now offering two-factor authentication to access email accounts. Tax professionals should always choose this option to help prevent accounts from being taken over by hackers and putting clients and colleagues at risk.
Two-factor authentication helps by adding an extra step—an extra layer to protection. Usually, this type of authentication adds to the usual username-and-password login process by then sending a security code via text to the account owner’s cell phone (specified when the account was set up). The theory here is that a thief may get your username and password but it’s unlikely he’ll also have your cell phone.
Recognizing this, some software providers opt for two- or even three-factor authentication. Whatever your software offers, take advantage of the highest level of security available and opt for multi-factor authentication for products such as email and cloud storage accounts.
Another part of the security equation is data encryption. Identity thieves work hard to crack network security systems or dupe users into divulging passwords so they can steal client data. The stolen information can be held for ransom or used to file bogus tax returns with wildly inflated refunds.
Encryption ensures that even if the data is accessed by unauthorized users, it will be unreadable without the use of the encryption key provided by special software.
Here are a few basic steps about encryption and protecting client data stored on computer systems:
- Use drive encryption to lock all files on computers and on all devices. Drive or disk encryption often is a stand-alone software product. It converts text on files into an unreadable format for anyone who makes an unauthorized access. Entering the password unlocks the files for legitimate users.
- Backup encrypted copies of client data to external hard drives (USBs, CDs, DVDs) or use cloud storage. If using external drives, keep them in a secure location. If choosing cloud storage, encrypt the data before uploading to the cloud.
- Avoid attaching USB drives and external drives with client data to public computers.
- Avoid installing unnecessary software or applications to the business network; avoid offers for “free” software, especially security software, which is often a ruse by criminals; download software or applications only from official sites.
- Perform an inventory of devices where clients’ tax data are stored, i.e., laptops, smart phones, tablets, external hard drives, etc.; inventory software used to process or send tax data, i.e., operating systems, browsers, applications, tax software, web sites, etc.
- Limit or disable internet access capabilities for devices that have stored taxpayer data.
- Delete all information from devices, hard drives, USBs (flash drives), printers, tablets or phones before disposing of devices; some security software includes a “shredder” that electronically destroys stored files.
- Physically destroy hard drives, tapes, USBs, CDs, tablets or phones by crushing, shredding or burning; shred or burn all documents containing taxpayer information before throwing away.
Remember that security plan we talked about at the beginning? All professional tax preparers are required to have a written data security plan by the Federal Trade Commission and its Safeguards Rule. So how do you get one?
Tax professionals can get help with security recommendations by reviewing the recently revised IRS Publication 4557, Safeguarding Taxpayer Data, and Small Business Information Security: the Fundamentals by the National Institute of Standards and Technology.
And check out the Federal Trade Commission’s Protecting Personal Information, A Guide for Business for nuts-and-bolts help in creating your security plan. The IRS also has helpful information in Publication 5293, Data Security Resource Guide for Tax Professionals.