Recent incidents at small accounting firms have many accountants worried, and for good reason. Through no fault of your own, the entire reputation and goodwill you have built up for your accounting practice could suddenly be at grave risk.
How does it happen? What can you do to protect yourself?
How It Happens
For instance, look at the incidents reported by privacyrights.org. In the financial services category, the top two, when I checked, were accountants: Gary W Janke and Chiorini, Hunt & Jacobs, Certified Public Accountants (CHJ). Both illustrate the common causes of loss: theft at the office and a hacked email account.
Gary's report describes how a thief broke into the back-office building at night, causing the alarm to sound and police to be dispatched. But in the brief period before the police arrived, the thief escaped with a couple of old computers containing tax filing information for clients: social security numbers (SSNs), dates of birth, names, addresses, bank account numbers and other data. It also included dependents' names and social security numbers.
That's right - Gary had a burglar alarm, it worked as expected and police promptly responded. Yet, the computers were stolen.
It is not surprising that the thieves are getting sophisticated. The amount of money involved for each computer stolen is huge. Stolen identities with SSNs sell for $100-200 on the black market. Dependents' or children's identities are especially sought after since those identities can often be used unnoticed. So just 100 retail tax clients add up to $10,000-20,000 worth of easy money. Add their spouses and dependents and you easily cross $40,000. And since the computer has data from multiple years, more than 100 clients are often stolen at once.
Accounting firm CHJ reported that data was leaked from one of their email accounts. Leaked data included copies of tax returns, containing full name, birth date, telephone number(s), address, Social Security number, or W-2s, 1099s and various other tax related documents, and direct deposit bank account information including routing numbers and account numbers.
Indeed, email is not secure. Joint research by University of Michigan, Google, and University of Illinois Urbana-Champaign measured over 700,000 mail servers, and found that most had glaring loopholes that allow attackers to reroute emails to their servers. Their investigation of Gmail in particular showed that up to 20% of all messages were attacked.
And it's not just your own email; data may leak from the client's email as well. Fortunately, there are easy alternatives to email that keep both you and your clients safe.
For a more up-to-date list of recent breaches, check your state's Office of the Attorney General's website. The websites for some states, and the HHS, are listed below:
- California Attorney General's Office
- Indiana Attorney General's Office
- Maine Attorney General's Office
- Maryland Attorney General's Office
- Montana Attorney General's Office
- New Hampshire Department of Justice
- Oregon Attorney General's Office
- Vermont Attorney General's Office
- Washington Attorney General's Office
- State of Wisconsin
- Health & Human Services (HHS.gov)
To add another state, please post your state's link in the comments below.
While you and I can empathize with these victims, not all of their clients will. Is it business as usual after the leak? Hell no!
How many clients leave will vary in each case. Sixty percent of small businesses close down after a data breach, according to this report by the US Securities and Exchange Commission.
Even for businesses that survive, there is a huge time and money cost:
- Investigations: Cooperating with investigations and law enforcement will lead to business downtime and productivity loss.
- Reporting: The law requires the breach to be reported. There is both a money cost to reporting (sending out the letters) and a reputation cost. The breach report becomes public record and is posted online in many states. It can show up to any clients or prospects searching for your business name online. Delaying your reporting is not advisable because once a client suffers identity theft, investigations of their case may lead law enforcement officials to your office, and then penalties may be due in addition to reporting requirements.
- Fines: In some states, businesses can be fined for data negligence. In Texas, for instance, the fine can be up to $250,000.
- Forensic Review: If a breach is even suspected, depending on your business type, you may be required to be reviewed by a team of forensics security examiners, costing up to $20,000. You may have to spend significant time and effort to co-operate with the investigation as well as fix your own systems to avoid future breaches.
- Credit monitoring for every client: The report above from CHJ shows that besides reporting and investigation costs, CHJ also paid for an identity monitoring service for two years, for every client. This kind of free monitoring is now a standard expectation after a breach.
Do not let it happen to you!
What can you do to prevent it? At the very least, do two things:
Encrypt your computers. If Gary's computers had been encrypted, the theft of his computers would not have been a data breach incident. No reporting would have been required.
If you have a Windows Pro or Ultimate computer, it comes with BitLocker, but it is not turned on by default. Just turn BitLocker on, as explained here in easy steps.
If your version of Windows does not have BitLocker (Windows 10 Home does not), you can use the free encryption tool from VeraCrypt. It's free but has one extra step compared to Microsoft BitLocker: VeraCrypt will require you to create a recovery disk (so you need a DVD burner or a spare USB drive). Also, VeraCrypt will not make use of the TPM chip if your computer has one. Setting up VeraCrypt is easy: download and install VeraCrypt, go to the menu option System, select Encrypt System Partition/Drive and then follow the instructions in the wizard.
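Turning BitLocker on is only half the job: encryption has to finish and protection must not be left suspended. The script below is an added example, not part of the original article, that audits every volume on the machine. It assumes a Windows edition that ships the BitLocker PowerShell module and an elevated (Administrator) PowerShell window; the function name `Test-VolumeProtected` is made up for this illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker state on every volume of this computer.
# A volume counts as protected only if it is fully encrypted AND protection
# is on. Suspended protection leaves an unprotected key on the disk, so a
# stolen drive could still be read.

function Test-VolumeProtected {
    param([Parameter(Mandatory)] $Volume)

    $issues = @()
    if ($Volume.VolumeStatus -ne 'FullyEncrypted') {
        $issues += "status is $($Volume.VolumeStatus) " +
                   "($($Volume.EncryptionPercentage)% encrypted)"
    }
    if ($Volume.ProtectionStatus -ne 'On') {
        $issues += "protection is $($Volume.ProtectionStatus)"
    }

    # Key protectors show how the drive is unlocked (TPM, password, ...).
    # A recovery password is what lets you back in after a hardware change.
    $types = @($Volume.KeyProtector |
               ForEach-Object { $_.KeyProtectorType.ToString() })

    [pscustomobject]@{
        MountPoint          = $Volume.MountPoint
        VolumeType          = $Volume.VolumeType
        Protectors          = ($types -join ', ')
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
        Protected           = ($issues.Count -eq 0)
        Issues              = ($issues -join '; ')
    }
}

$report = Get-BitLockerVolume |
          ForEach-Object { Test-VolumeProtected -Volume $_ }
$report | Format-Table -AutoSize -Wrap

$exposed = @($report | Where-Object { -not $_.Protected })
if ($exposed.Count -gt 0) {
    Write-Warning ("Not protected: " + ($exposed.MountPoint -join ', ') +
                   ". Client data on these volumes is readable if the computer is stolen.")
    exit 1
}
```

Check data drives and external backup disks as well as the system drive, since old tax files often live there.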
Use a document portal to send and receive attachments containing client data. This used to be expensive and complicated to set up, but Encyro's easy-to-use document portal has changed all that. You do not have to set up any client folders or accounts. You simply get a free account and start sending documents or messages to your client's email address. Everything else, including client folder creation, is automatic. Clients can receive documents securely, without creating an account (optionally, they may create a free account). You continue to send documents the same way regardless of whether the client creates an account or not. Encyro even works with your Facebook account, so you need not create an extra password. This video explains more.
If you want to develop a more comprehensive security strategy, review this quick summary of IRS guidelines for Tax Preparers.