The accounting industry continues to be transformed by changing technology, where staff members work from, and an increasing number of outsider threats.
With a head spinning number of challenges and changes, the industry needs to be more vigilant than ever about ensuring the security of client data.
California accounting firms are subject to a wide range of regulations, standards & guidance. Depending on the specific services an accounting firm provides, legal requirements differ.
There’s no shortage of regulators and advice providers out there. Entities include:
- The IRS
- California Franchise Tax Board (and other states’ equivalents)
- California Board of Accountancy
- A firm’s professional insurance company
- The FTC
- The EU (for firms with clients that do business in the Eurozone)
- Summary of Key Safeguards for Accounting Firms
- Anti-virus and anti-malware software
- Ensure strong employee passwords
- Use multi-factor authentication
- Use firewalls
- Monitor your network
- Encrypt local computer data
- Back up and archive client financial data
- Physically destroy old hard drives
- Receive client personal and financial data securely
- Send client financial data securely
- Cyber insurance coverage
- Access the Office Network via a VPN
Any accounting firm that does professional tax preparation is familiar with IRS Publication 4557 “Safeguarding Taxpayer Data” and the FTC’s Safeguard Rule.
By “safeguarding”, the IRS means taking the many steps to prevent data from getting into the hands of people who should not have access to it. “Identity thieves” are called out as the principal villains.
Under federal law, financial institutions need to comply with safeguard rules set by the FTC. “Financial institutions” is a broad definition that includes professional tax preparers.
There is an extensive list of FTC recommendations. Some of these are operational tasks such as documentation and employee training. Others fall under the domain of proper implementation and maintenance of information technology.
There is also the extensive 46 page IRS Publication 1345, “Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns.”
All tax preparers are familiar with the Data Security Responsibilities section of IRS form W-12.
“I am aware that paid tax return preparers must have a data security plan to provide data and system security protections for all taxpayer information.”
While a lot of regulations & recommendations are specific to taxpayer information, accounting firms would do well to comply with the same set of standards for other services that involve managing sensitive client data.
Summary of Key Safeguards for Accounting Firms
We have assembled a collection of a number of specific steps that accounting firms are required to take or should take with regard to securing client data. This is not an exhaustive list. Depending on the nature of your firm’s services, some of these may not be a legal requirement—simply good business practices.
We go into greater detail on some of the IRS and FTC areas of guidance. In some cases, we point to common approaches to safeguarding data. We also reference solutions from certain suppliers.
Small to mid-sized accounting firms often rely on outside IT service providers (MSPs) to help them with both compliance and best practices. Accounting firms that use outside MSPs should select providers that both have experience working with accounting firms and that themselves have appropriate safeguards in place.
Anti-virus and anti-malware software
Today, this category of software is more commonly referred to as “endpoint protection.” It has evolved from computer anti-virus into many layers of protection across different devices, including mobile phones.
The IRS rightly cautions tax preparers to, “never select ‘security software’ from a pop-up advertisement while surfing the web.”
It’s important to pay for a well-regarded brand of endpoint protection software. Also, users should not be relied upon to update the software. That’s where remote monitoring and management (RMM) systems come into play. Part of an RMM’s job is to proactively update software.
Ensure strong employee passwords
The IRS gives some basic advice on how to create strong passwords. However, Publication 4557 stops short of telling you what tools to deploy to prompt users to create strong passwords.
Requiring firm-wide use of password management software is the best way to ensure that employees actually create strong passwords and that they create a different password for each online account.
Use multi-factor authentication
Multi-factor authentication helps to prevent data loss and unauthorized access to software applications.
Traditional two-factor authentication channels—email and text—have vulnerabilities. Mobile authenticator apps and hardware keys provide a higher level of security.
Solutions such as Duo MFA from Cisco help with company-wide adoption of multi-factor authentication.
The purpose of a firewall is to create a barrier between your internal network and incoming traffic from the outside world. The goal is to block malicious traffic such as viruses and malware.
The firewall itself is a hardware device that monitors both incoming and outgoing network traffic. It either allows or blocks packets of data based on a set of security rules.
As part of the hybrid workforce, there are now two levels of firewalls to properly implement and maintain—office and home firewalls. Small business firewall appliances such as Meraki from Cisco have advanced security options that include:
- Firewall rules based on geographic location
- Content filtering
- Intrusion detection & prevention
- Advanced malware protection
Vendors like Ubiquiti and Mikrotik sell home firewalls with advanced features.
Monitor your network
Another FTC requirement is network monitoring. The term “network monitoring” is mainly used in the industry with respect to monitor the performance of different devices on a network.
On the other hand, an Intrusion Prevention System (IDS) is more specific to monitoring network traffic for malicous network activity and then alerting an administrator or user. An example of this is Cisco’s open source project which is dubbed Snort.
Encrypt local computer data
According to Microsoft, “encryption helps protect the data on your device so it can only be accessed by people who have authorization. If device encryption isn’t available on your device, you might be able to turn on standard BitLocker encryption instead.”
Bitlocker encryption does not work with Windows 10 Home. Windows 10 Pro is required for setting up encryption.
The highest level of Bitlocker encryption is USB Key mode. In this mode, a user must insert a USB device into the computer that contains a startup key in order to be able to start up the PC.
Mac user (yes, there are a few in the accounting firm world) can enable FileVault to protect local client files.
Back up and archive client financial data
CPA firms need to have a multi-level backup plan, which includes offsite backups.
The FTC safeguard rules state, “Maintain secure backup records and keep archived data secure by storing it off-line and in a physically-secure area.”
In addition to allowing for full system images and client database backups, cloud backup vendors like Datto allow for fast recovery of deleted or crypto-locked client files.
You can also back up your cloud files beyond the standard redundancy that cloud vendors provide.
Cloud accounting providers have backup and disaster recovery (BDR) plans.
Physically destroy old hard drives
It’s not enough to reformat a drive that contained client data and then take that drive to electronics recycling. Drives need to be completely wiped and physically destroyed.
There are hard drive destruction services such as Shred-it. Shred-it has a number of California locations.
Your MSP may be able to help you with physical drive destruction.
Receive client personal and financial data securely
Taxpayers often send financial and personal information to their tax preparer insecurely—as plain text emails with unencrypted attachments. While a tax preparer is not technically responsible for securing client information until after they receive the information, the FTC guidance states, “Caution customers against transmitting sensitive data, like account numbers, via email.” Email is a risk for data leakage.
There are several ways for a client to share sensitive information with their accounting firm securely, outside of email.
If both an accounting firm and a client have shared access to a cloud drive folder on Google Drive Dropbox, Egnyte or Box with multi-factor authentication enabled, insecure email transmission is taken out of the picture.
Send client financial data securely
Accounting firms need to send clients documents that contain confidential financial information and social security numbers.
Tools like SafeSend can be used. SafeSend gives a client secure access to information such as prepared tax returns. There is no confidential information within the email or attached to the email.
Cyber insurance coverage
In Publication 4557, the IRS suggests, “check with your professional liability carrier about data theft coverage.”
Cyber liability insurance is a level of business protection that many businesses, including accounting firms, have been adopting. This is for a number of reasons, including the fact that some accounting firms’ business clients require cyber insurance as a condition of doing business with them.
Access the Office Network via a VPN
When work-at-home began in March 2020, some accounting firms were caught in a position in which staff were not able access office-based client/server applications such as Lacerte. They were also not able to get at files stored on network machines.
The IRS states, “a secure Virtual Private Network (VPN) should be minimum standards for remote access to the firm’s office network.”
With today’s hybrid workforce (people working from home and from the office), it’s important for staff to have VPN access to office-based and cloud-based client/server applications.
Principals at accounting firms have a lot to implement in order to comply with federal regulations.
Because of the FTC safeguard rule and because of today’s hybrid workforce, some accounting firms are moving to an “all cloud” model. This model makes data access more convenient for staff and it eliminates the risks associated with certain client data residing on local machines.
Smaller firms are increasingly working with an MSP, since it can be difficult for a single, in-house resource to implement and manage all of the technology required to support federally published safeguards.