California Accounting Firms: Compliance and Best Practices for Safeguarding Client Data


The accounting industry continues to be transformed by changing technology, changes in where staff members work, and a growing number of outside threats.

With a head-spinning number of challenges and changes, the industry needs to be more vigilant than ever about ensuring the security of client data.

California CPA firms are subject to various regulations, standards & guidance. Depending on the specific services an accounting firm provides, legal requirements differ.

There’s no shortage of regulators and advice providers out there. Entities include:

  • The IRS
  • California Franchise Tax Board (and other states’ equivalents)
  • California Board of Accountancy
  • AICPA
  • A firm’s professional insurance company
  • The FTC
  • The EU (for firms with clients that do business in the Eurozone)

Any accounting firm that prepares tax returns professionally is familiar with IRS Publication 4557, “Safeguarding Taxpayer Data,” and the FTC’s Safeguards Rule.

By “safeguarding”, the IRS means taking many steps to prevent data from getting into the hands of people who should not have access to it. “Identity thieves” are called out as the principal villains.

Under federal law, financial institutions must comply with safeguard rules set by the FTC. “Financial institutions” is a broad definition that includes professional tax preparers.

There is an extensive list of FTC recommendations. Some of these are operational tasks such as documentation and employee training. Others fall under the domain of proper implementation and maintenance of information technology.

There is also the 46-page IRS Publication 1345, “Handbook for Authorized IRS e-file Providers of Individual Income Tax Returns.”

Safeguarding 1040 Information

All tax preparers know the Data Security Responsibilities section of IRS form W-12.

“I am aware that paid tax return preparers must have a data security plan to provide data and system security protections for all taxpayer information.”

IRS W-12 Section 11

While many regulations & recommendations are specific to taxpayer information, accounting firms would do well to comply with the same set of standards for other services that involve managing sensitive client data.

Summary of Key Safeguards for Accounting Firms

We have assembled a collection of specific steps that accounting firms are required to take, or should take, to secure client data. This is not an exhaustive list. Depending on the nature of your firm’s services, some may not be a legal requirement but simply good business practice.

We go into greater detail on some of the IRS and FTC areas of guidance. In some cases, we point to standard approaches to safeguarding data. We also reference solutions from specific suppliers.

Small to mid-sized accounting firms often rely on outside IT service providers (MSPs) to help with compliance and best practices. Accounting firms that use outside MSPs should select providers that have experience working with accounting firms and that have appropriate safeguards of their own in place.

Anti-virus and anti-malware software

Today, this software category is more commonly called “endpoint protection.” It has evolved from computer anti-virus into many layers of protection across different devices, including mobile phones.

The IRS rightly cautions tax preparers to “never select ‘security software’ from a pop-up advertisement while surfing the web.”

It’s essential to pay for a well-regarded brand of endpoint protection software. Also, users should not be relied upon to update the software. That’s where remote monitoring and management (RMM) systems come into play. Part of an RMM’s job is to update software proactively.

Ensure strong employee passwords

The IRS gives some essential advice on how to create strong passwords. However, Publication 4557 stops short of telling you what tools to deploy to prompt users to create strong passwords.

Requiring firm-wide use of password management software is the best way to ensure that employees create strong passwords and that they create different passwords for each online account.

Use multi-factor authentication

Multi-factor authentication helps to prevent data loss and unauthorized access to software applications.

Traditional two-factor authentication channels—email and text—have vulnerabilities. Mobile authenticator apps and hardware keys provide a higher level of security.

Solutions such as Duo MFA from Cisco help with company-wide adoption of multi-factor authentication.

Use firewalls

The purpose of a firewall is to create a barrier between your internal network and incoming traffic from the outside world. The goal is to block malicious traffic, such as viruses and malware.

The firewall is a hardware device that monitors incoming and outgoing network traffic. It either allows or blocks data packets based on security rules.

As part of the hybrid workforce, there are now two levels of firewalls to implement and maintain properly — office and home firewalls. Small business firewall appliances such as Meraki from Cisco have advanced security options that include:

  • Firewall rules based on geographic location
  • Content filtering
  • Intrusion detection & prevention
  • Advanced malware protection

Vendors like Ubiquiti and Mikrotik sell home firewalls with advanced features.

Monitor your network

Another FTC requirement is network monitoring. In the industry, the term “network monitoring” mainly refers to monitoring the performance of the different devices on a network.

On the other hand, an Intrusion Detection System (IDS) is specifically concerned with monitoring network traffic for malicious activity and then alerting an administrator or user. An example is Cisco’s open source project Snort.

Encrypt local computer data

According to Microsoft, “Encryption helps protect the data on your device so it can only be accessed by people who have authorization. If device encryption isn’t available on your device, you might be able to turn on standard BitLocker encryption instead.”

BitLocker encryption does not work with Windows 10 Home. Windows 10 Pro is required for setting up encryption.

Enable BitLocker on Windows

The highest level of BitLocker encryption is USB Key mode. In this mode, a user must insert a USB device containing a startup key into the computer to be able to start up the PC.
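As an added example that is not part of the original article, the following PowerShell script checks the preconditions described above (a Windows edition that is not Home, a ready TPM) and then enables BitLocker on the system drive in TPM + USB startup key mode, recording a recovery password first. The drive letters for the startup key (E:) and the recovery-password file (F:) are assumptions; change them to match your environment.

```powershell
#Requires -RunAsAdministrator
# Added example: enable BitLocker on C: in TPM + USB startup key mode.
# Assumed paths: startup key on removable drive E:, recovery password written
# to a separate secured drive F: (never the same USB stick as the startup key).
$StartupKeyDrive      = "E:\"
$RecoveryPasswordFile = "F:\BitLocker-Recovery-$env:COMPUTERNAME.txt"

# 1. Windows Home editions cannot run BitLocker; Pro (or Enterprise/Education) is required.
$edition = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
if ($edition -match "Home") {
    throw "BitLocker is not available on '$edition'. Upgrade to Windows Pro first."
}

# 2. A ready TPM is needed for the TPM + startup key mode used below.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "No ready TPM found; initialize the TPM before enabling BitLocker."
}

# 3. Do nothing if the system drive is already protected.
$vol = Get-BitLockerVolume -MountPoint "C:"
if ($vol.ProtectionStatus -eq "On") {
    Write-Output "C: is already protected ($($vol.VolumeStatus), $($vol.EncryptionPercentage)% encrypted)."
    return
}

# 4. Add a recovery password protector first so the drive can still be unlocked
#    if the USB startup key is lost, and store that password off the machine.
Add-BitLockerKeyProtector -MountPoint "C:" -RecoveryPasswordProtector | Out-Null
$recovery = (Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Where-Object KeyProtectorType -eq "RecoveryPassword"
@(
    "Computer:         $env:COMPUTERNAME"
    "KeyProtectorId:   $($recovery.KeyProtectorId)"
    "RecoveryPassword: $($recovery.RecoveryPassword)"
) | Set-Content -Path $RecoveryPasswordFile

# 5. Enable BitLocker so that both the TPM and the USB startup key are required
#    at boot (the "USB Key mode" described above). XTS-AES-256 is the strongest
#    method offered; -UsedSpaceOnly keeps initial encryption fast on new drives.
Enable-BitLocker -MountPoint "C:" `
    -EncryptionMethod XtsAes256 `
    -TpmAndStartupKeyProtector `
    -StartupKeyPath $StartupKeyDrive `
    -UsedSpaceOnly

# 6. Report the result; encryption continues in the background after this.
Get-BitLockerVolume -MountPoint "C:" |
    Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage
(Get-BitLockerVolume -MountPoint "C:").KeyProtector |
    Select-Object KeyProtectorType, KeyProtectorId
```

The recovery password file should be moved into the firm’s password manager or another secured store and deleted from the drive once it has been recorded.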

Mac users (yes, there are a few in the accounting firm world) can enable FileVault to protect local client files.

Back up and archive client financial data

CPA firms need a multi-level backup plan, including offsite backups.

The FTC safeguard rules state, “Maintain secure backup records and keep archived data secure by storing it off-line and in a physically secure area.”

In addition to allowing for complete system images and client database backups, cloud backup vendors like Datto allow for fast recovery of client files that have been deleted or encrypted by ransomware.

You can also back up your cloud files beyond the standard redundancy that cloud vendors provide.

Cloud accounting providers have backup and disaster recovery (BDR) plans.

Physically destroy old hard drives

It’s not enough to reformat a drive containing client data and then take it to electronics recycling. Drives need to be wiped entirely and physically destroyed.

There are hard drive destruction services such as Shred-it. Shred-it has several California locations.

Your MSP may be able to help you with physical drive destruction.

Receive client personal and financial data securely

Taxpayers sometimes send financial and personal information to their tax preparer insecurely—as plain text emails with unencrypted attachments.

While a tax preparer is not technically responsible for securing client information until they receive it, the FTC guidance states, “Caution customers against transmitting sensitive data, like account numbers, via email.” Email is a risk for data leakage.

There are several ways for a client to share sensitive information with their accounting firm securely, outside of email.

If an accounting firm and a client have shared access to a cloud drive folder on Google Drive, Dropbox, Egnyte, or Box with multi-factor authentication enabled, insecure email transmission is taken out of the picture.

Send client financial data securely

Accounting firms must send clients documents containing confidential financial information and Social Security numbers.

Tools like SafeSend can be used. SafeSend gives a client secure access to information such as prepared tax returns. There is no confidential information within the email or attached to the email.

Cyber insurance coverage

In Publication 4557, the IRS suggests, “Check with your professional liability carrier about data theft coverage.”

Cyber liability insurance is a level of business protection that many businesses, including accounting firms, have been adopting. This is for several reasons, including the fact that some accounting firms’ business clients require cyber insurance as a condition of doing business with them.

Access the Office Network via a VPN

When work-at-home began in March 2020, some accounting firms were caught in a position where staff could not access office-based client/server applications such as Lacerte. They were also unable to access files stored on network machines.

The IRS states, “A secure Virtual Private Network (VPN) should be minimum standards for remote access to the firm’s office network.”

With today’s hybrid workforce (people working from home and the office), it’s vital for staff to have VPN access to office-based and cloud-based client/server applications.

Conclusion

Principals at accounting firms have a lot to implement to comply with federal regulations.

Because of the FTC Safeguards Rule, and because of today’s hybrid workforce, some accounting firms are moving to an “all cloud” model. This model makes data access more convenient for staff, and it eliminates the risks associated with client data residing on local machines.

Smaller firms are increasingly working with an MSP since it can be difficult for a single, in-house resource to implement and manage the technology required to support federally published safeguards.
