Voices

Are your clients putting you at risk?

Firm leaders are aware of the importance of using secure methods to exchange documents and sensitive information with clients and to transmit tax returns. But how aware are clients when it comes to understanding why they need to use secure methods to send information to their accountants, tax preparers and bookkeepers? 

Well, it turns out that most clients are oblivious to the risks! The proof is that many clients use unencrypted email and texts to send extremely sensitive information and documents to their accounting, bookkeeping and tax firms. Even if they are replying to a previously encrypted email from their accounting professional, they just hit "Reply" and send without encrypting it.

Since email has been the standard for communicating in the business world for decades now, it's not going away anytime soon. But it needs to be managed carefully and supported with secure systems. 

Ideally, the firm will provide a secure single portal system for clients to use that is not based on email. However, when a client does send an email, ideally the firm can bring that client email into the same single portal and store it, along with any documents and personally identifiable information, there. The original email is deleted from the staff inbox.

Doing this creates visibility for staff (no more data silos caused by individual email inboxes) and, more importantly, the PII is protected. Responding through the single portal app instead of email draws the client into the secure loop and creates healthy habits. It also creates critical visibility for staff, since the contents of the email and the reply are now shared securely for staff to collaborate on.

In the absence of a secure system that clients and staff will use, horror stories abound. One accountant recently received a pay schedule from her client with over 100 names and full Social Security numbers in an Excel file. This was sent as an attachment to an unencrypted email. When she questioned her client and told them never to do that again, the response was, "You got it OK, so what's the risk?"

Firm leaders must take the risk of client behaviors seriously, since a breach not only has dire consequences but comes with legal obligations as well. Breaches must be reported immediately to the relevant authorities and the threat must be stopped and investigated. For tax-related breaches the IRS stakeholder liaison, the Federal Trade Commission, and various state and local law enforcement agencies must all be contacted. There may be fines levied on the firm (in the case of non-compliance with the FTC Safeguards Rule), and the loss of reputation along with the cost to remediate the breach may be catastrophic. Additionally, cyber insurers are now looking very carefully at all the security measures in place at a firm before they pay out on a claim. 

Breaches also have very serious consequences for the persons whose information has been stolen. Cyber crime syndicates will assemble complete dossiers on individuals and then wait for the right time to strike. The crimes range from simple identity theft, whereby a person's Social Security number and other credentials are used to obtain bank loans or file fraudulent tax returns in order to scam a refund, all the way to taking over someone's title on their home and then borrowing against it until the house is foreclosed. Bank accounts have been drained, credit scores decimated, and innocent people's lives have been ruined. These are the absolute last things that a firm would want to happen to their clients and their clients' employees and families.

So when a firm leader assesses the risk of client behaviors to their firm, they need to keep in mind the ripple effect. 

Getting safer

The first step is to understand the legal requirements that the IRS and FTC place on a firm. It is now prohibited by law to transmit personally identifiable information via unencrypted methods. Take training (The Grove is a good place to start) to understand how to comply with IRS Publication 4557 and the FTC Safeguards Rule, and to quickly get a written information security plan in place. Your firm's WISP provides a set of standards and policies whereby data is kept safe, and helps staff to understand their responsibilities when it comes to receiving, transmitting and storing sensitive client information. 

Deleting emails that contain personally identifiable information is also required by law, so having a secure system to hold the communication and the PII, but not have it be stored in email, is critical.

Because of that, firm leaders need to consider the systems they give clients to securely communicate with the firm and to securely send and receive documents and signatures. A menu of secure single-point solutions can be assembled to cover the relevant actions that need security: encrypting email, exchanging documents (SmartVault or ShareFile are good options to consider), and e-signatures (Adobe Sign or DocuSign, among others). Alternatively, a single portal approach like Liscio can be used to roll all those functions into one secure app.

In 2023 and beyond, firms need to think about client communications in a different way. Luckily there are lots of options. The bottom line is that leaders need to understand the risks and then work to make communicating via unencrypted email and texting an exception to the rule versus the current modus operandi for staff and clients. The risks are just too great to continue doing it "the way we always have."
