Let This Be a Lesson
When discussing data security, it’s common enough to refer to the most recent major breaches. High-profile hacks at retailer Target and insurance giant Anthem have been regular reference points lately, but it’s easy to guess that one or both of them are hoping the Internal Revenue Service will take their place as the poster child for data disasters.
And while singling out large companies and government agencies certainly makes it clear that even the biggest of organizations are vulnerable, it can also make it seem like a problem that only affects major players. So it wouldn’t be the worst thing in the world if adding the IRS to the list brings this issue a little closer to home for the profession.
In case you missed the events that put the IRS on the list of bad examples, it turns out that earlier this year determined hackers gamed the service’s online “Get Transcript” feature to steal the returns of approximately a hundred thousand taxpayers. As we went to press, the IRS had shut down the feature and was investigating, as well as offering free credit tracking for all those affected. But the interesting part to me is that the hackers had to have a lot of personalized information about those taxpayers to make their attempt in the first place — everything from home addresses to Social Security numbers.
Where did the hackers get all that information? There were lots of sources, no doubt, but it put me in mind of an incident a couple of years back where identity thieves broke into the physical offices of a tax preparer in the Washington, D.C., area and stole hard drives full of client information. The fact is that data isn’t just valuable for itself — it’s also valuable as a way of unlocking other data. So while you might think that the IRS breach only tells you that criminals target large organizations, it also means they can target you, too, along with all the client data you have on hand. And theft isn’t the only danger you face; loss or destruction of client data can be just as bad.
With all that in mind, I thought this would be a good opportunity to offer a few tips on keeping all those valuable 1s and 0s safe:
- Get strong passphrases. The usual prompts to include numbers and special characters are pointless, because they leave you with an eight-to-12-character password you can never remember. Instead, create a passphrase that you can remember easily — instructions are a quick Internet search away.
- Lock down the data. Set and follow strong data protection policies, including restrictions on what can be put on thumb drives, laptops and other portable devices.
- Protect data in transmission. If your firm and your clients are ready for them, institute client portals, so you can receive source documents and other data securely — and share tax returns, financial statements and anything else clients may need in the same way. And if you or they aren’t ready for portals, at least make sure that you’re encrypting your e-mails. It’s a really simple way to protect everything.
- Be able to destroy it. If your policies allow client or firm data to be stored on mobile devices like smartphones and tablets, make sure the “Remote Wipe” capabilities are enabled on all such devices, so they can be cleared of all data if they’re lost or stolen.
- Back it all up. This is less about preventing crime than enabling disaster recovery, but if you have your data properly backed up in a remote location, you’ll be in a much better position to deal with any sort of loss or breach.
In the end, Target and Anthem may benefit from the IRS hack by being pushed off the list of recent breaches, but you can benefit from it, too, by being kept off the list of future ones.