Everyone knows that data thieves lurk around the Internet, trying to get access to clients' information. But are companies taking steps to prevent themselves from being the next victims? While Sarbanes-Oxley and the Gramm-Leach-Bliley Act provide a laundry list of guidelines as to what financial institutions and their affiliates that are subject to those laws must do to safeguard client data, several best practices exist which all companies should put in place regardless of whether they are required to do so.
Like what you see? Click here to sign up for Accounting Today's daily newsletter to get the latest news and behind the scenes commentary you won't find anywhere else.
At the Internal Revenue Service's National Tax Forum in New York this summer, Carolyn Davis, senior program analyst at the technology programs branch of the Electronic Tax Administration, gave conference attendees tips on securing taxpayer data from potential culprits:
Appoint security administrators. Appoint someone to assess the risks you have in your company-external accounting and internal access, and systems you have in place.
Write a security plan. This should cover administrative, technical, and physical safeguards. Think of what-if scenarios. For sole practitioners who work at home, what would be the impact on your business if someone stole your computer or paper returns? Then, test the plan. "It's not enough to just write a plan and put it on your shelf. You have to make sure you implement it," Davis says.
Inform your staff. Train employees about the plan more than once. Eighty percent of breaches are from disgruntled employees, according to Davis. "[Businesses] need agreements from employees that they understand what they need to protect and the consequences they would face if they don't," she says.
Limit access. "The receptionist at the front door doesn't necessarily need to see a tax return," Davis says. Do you allow employees to bring in cell phones with cameras, which could be used to capture images of those returns? Can they load software onto their computers?
Encrypt information. This serves as an extra layer of protection if a laptop is stolen. If a server backs up the data, make sure it's password protected and has limited access. File-sharing software can be particularly dangerous. "If you have it, make sure it's configured in such a way it's not looking at all the information on your PC and sent out to everyone in your email," Davis warns.
Don't overlook physical safeguards. "Locking rooms and cabinets is very simple and doesn't cost a lot of money, but it certainly saves a lot of money," Davis says.
Is the storage place protected from destruction? "A lot of tax returns went floating down the streets of New Orleans after Katrina. A lot of the preparers had no idea who those clients are, where their clients are, or where their tax returns are," she says. "You need to think about a backup and make sure the place you store it is also safe, perhaps a remote location or another city."
Data disposal. Permanently deleting information from a computer isn't always possible and paper documents destroyed in a horizontal shredder can be pasted back together. Use a crosscut shredder, and make sure everything is removed from the recycle bin before donating hardware to charity or throwing it in the trash.
Inventory hardware. "You need to know who has that PC and what's on it and who do you need to (alert) if that computer walks out the door," Davis said. "People aren't always after the data, just the nice shiny machine. But if they have a way of getting in and see all that info sitting there, they have a nice way of creating identity theft."
Safeguard systems. Change passwords periodically, make them difficult to figure out, and keep them to yourself. The IRS recommends a combination of eight letters and numbers. Install password-protected screensavers to prevent employees from seeing the documents you are working on if you get up from your desk or start talking on the phone. Change external passwords when employees leave the company.
Don't store customer information on a computer that's connected to the Internet. Store it offline and transmit it encrypted, especially when sending tax returns. Maintain updated firewalls, anti-virus software, anti-spyware, and security patches. Provide central management of these security tools so individuals in the network don't have to do it themselves.
Alexandra DeFelice is Associate Editor of Accounting Technology and can be reached at email@example.com.