Every year since 2015 the IRS Security Summit has held a campaign to raise awareness among taxpayers and tax practitioners of the most common threats to information security. The 2021 campaign just ended and featured information on protecting taxpayers and tax practices from pandemic-related tax scams, protecting tax data at home and at work (including remote work), helping taxpayers and tax professionals avoid e-mail-based phishing campaigns, and the always popular recognizing and preventing identity theft. None of these issues are new, possibly because they are merely the symptoms of a much more serious disease.
Preparing tax returns is only one part of running a successful tax practice. Protecting client data is an equally important part of the job. Nevertheless many tax practitioners see maintaining information security as simply another annoying administrative task on which they don’t want to spend time and money. That type of thinking can have disastrous consequences for the practitioners and their clients because it increases the likelihood of falling victim to scams, phishing, data breaches, and identity theft. Keep reading for five important warning signs that your tax professional may not be taking information security as seriously as they could be.
Too Much Paper
Tax practitioner offices exist on a spectrum from completely paperless to “old school” all paper offices and everything in between. The problem isn’t necessarily the paper itself but, as with electronic information, how it is handled and stored. Practitioners who eschew electronic files because of security concerns but who have stacks, cabinets, or boxes of files all over their office may not be providing any better protection for client data than a practitioner who is lax about their cyber security.
If your tax practitioner has an office filled with paper files, take time to consider who has access to those files regularly: staff, the cleaning crew, other clients? Ask yourself what would happen in the event of a break-in at the office. How easy would it be to steal your information or to simply scatter it to the winds or drop it into the closest dumpster for anyone to find? At a minimum, all paper-based client information should be secured in locked cabinets or drawers when not in use. Even better is when the storage locations include provisions for disasters such as fire or flooding. Also consider what is being done with discarded paper information. Is it stored for shredding or recycling? Does the practitioner have a policy in place to determine what can be recycled versus what must be shredded? They should.
Information currently in use should also be protected from casual observers to the greatest extent possible. For example, does your tax professional have a “clean desk” policy when they leave for lunch or a conference or even the restroom? Does the receptionist leave client information visible on their desk when they have to step away from it? This kind of casual negligence can be indicative of a more general lack of concern with physical protection of client information.
No one likes change. Change is hard. Sometimes tax practitioners avoid upgrading their computers not only because of the cost but because of the work involved in setting up new computers and the learning curve associated with changes to operating systems. Cloud-based software solutions are making the work of upgrading computers less of an issue, but sometimes those who are reluctant to upgrade their physical computers are equally reluctant to embrace cloud-based solutions, which creates a lose-lose scenario for taxpayers who use these tax professionals.
In general, if your tax professional is running computers with an operating system that is no longer supported by the vendor, that’s a big red flag. Unsupported operating systems no longer receive necessary software security patches. If your tax professional is ignoring the need to maintain the software that runs their computers, they could be ignoring other important security maintenance tasks such as updating virus definitions and running regular virus scans, regularly backing up data, or installing security patches to their tax, accounting, web browser, or other office software.
Too Much Free Software
Tax professionals tend to be a thrifty bunch. But there’s a difference between thriftiness and foolhardiness. Running a tax office requires software for many different tasks: spreadsheets, appointment scheduling, video meetings, anti-virus, tax return preparation, bookkeeping and payroll, team and project management, client management, e-mail, PDF creation and editing, etc. The possibilities are endless as is the expense. For newer tax practices, and even some more established ones, the temptation to use free apps and free versions of popular vendors’ software can be strong.
Unfortunately, with any software product (free or paid) it is extremely difficult to do a deep dive into the privacy policies and practices of the vendor to determine exactly how the information stored in the software is being used. Nevertheless, when something is free it becomes more likely that the vendor or developer is using or selling data gathered by the software or app. If your tax practitioner appears to be making too much use of free software (especially e-mail and file sharing), your personal information and data could be at risk.
No Secure File Upload
Conscientious practitioners are going to encourage (if not insist on) the use of secure file sharing software for sending and receiving documents. Typically practitioners clearly state that they will not assume any liability for information disclosure or theft if a client chooses to use an unsecure means of document delivery. Security-conscious practitioners always discourage clients from providing information via e-mail or text message. Some practitioners may even refuse to accept information not submitted through their secure portal. Others may accept information provided via e-mail or text, but only occasionally and usually reluctantly. Why? Because e-mail is not secure. Neither are password-protected attachments. Actual e-mail and file encryption is rare and not particularly easy to implement. Conscientious tax professionals are always going to have a secure means for sharing information. Often that is a file sharing tool that is integrated with their bookkeeping or return preparation software. Sometimes it is part of their client management software. Sometimes it is a stand-alone product. Again, practitioners have many options, but not having a means for secure file upload and download (or using a free file-sharing tool) is another big red flag.
Non-existent or Inadequate Written Security Plan
Did you know that any person who prepares a tax return for pay is required to have a written information security plan? No? Unfortunately many paid return preparers are also unaware of this requirement. Even those who are aware may be so focused on cyber security that they do not consider basic physical security precautions (locks on doors and drawers) or operations security (proper training of staff so that they avoid becoming victims of phishing scams). Data recovery in the event of a disaster is also expected to be part of the security plan, as is consideration of disclosure of client information to vendors.
Lack of a written security plan often means the practitioner has not bothered to review what client information is being made available to their vendors, let alone how those vendors may be using the information. It can be an indicator of even more serious problems such as a lack of basic cyber security precautions. Nayo Carter-Gray, Enrolled Agent owner of 1st Step Accounting, recalls being horrified at hearing a practitioner admit that she was not running anti-virus software on her work computer. It’s highly likely that that practitioner was not even aware of the requirement to have a written information security plan. It’s clear that she wasn’t thinking much about securing her computer or protecting her clients’ information.
Taxpayers should feel comfortable asking their tax professionals about office security, including how their information is stored and secured as well as how it may be disclosed to various vendors. Tax professionals may not be highly specific in their answers in order to avoid giving away the keys to the castle, but they should provide enough information so that taxpayers can be confident that the castle is being well guarded.