You might think that you are securing your client data, but are you really? Neiman Marcus surely thought its data was secure, yet it recently had to notify 4.6 million customers that their personal and financial information may have been exposed. Do you have an adequate data security plan? And what should you do if your practice is the victim of a data breach or information theft?
Data Security Plan
All accounting and bookkeeping professionals should have a written data security plan that is reviewed and updated regularly. Depending on the size of your practice, the type of services you offer, and the client data you access and retain, your plan may need to be quite robust.
There are six components to a data security plan.
1. Install antivirus software that scans files and memory for malware, and keep it updated
2. Use firewalls to shield your computer or network from malicious traffic and malware
3. Use two-factor authentication to secure email, accounting software and any other password-protected product
4. Routinely back up critical files to a secure external hard drive or cloud storage service, and keep at least one copy disconnected from your network so that ransomware cannot reach it
5. Encrypt files on computers and removable media
6. Write down your data security plan, as required by the Federal Trade Commission's Safeguards Rule
If you are unsure of how to create a data security plan, reading and following the action items in the articles about the first five steps above will get you most of the way there. The sixth step, writing down your data security plan, can feel a little daunting. At Woodard, we want to make that easier for you.
For now, make sure you are subscribed to The Woodard Report. Next week, we will provide an Excel workbook that will walk you through conducting a data security evaluation and implementing your data security plan. The workbook itself will serve as your written documentation of your plan. Keep an eye in your inbox over the next week for this valuable resource!
What steps should you take if your practice is the victim of a data breach or information theft?
The IRS provides specific steps you should take (in the order provided) if your practice is a victim of data theft.
1. Contact the IRS
It is critical that you contact your local IRS Stakeholder Liaison as soon as possible. Your liaison will notify the relevant parties at the IRS so that fraudulent tax returns filed in your clients' names can be blocked or limited.
Stakeholder Liaison Area | Phone
---|---
Area 2 (CT, DE, MA, MD, ME, NH, NJ, PA, RI, VT, WV) | (412) 404-9151
Area 3 (AR, AL, DC, IN, KY, LA, MI, MS, OH, OK, TN, VA) | (405) 982-6807
Area 4 (FL, GA, NC, NY, SC, TX) | (216) 415-3518
Area 5 (AZ, CA, HI, NM, NV) | (203) 492-8630
Area 6 (AK, CO, IA, ID, IL, KS, MN, MO, MT, NE, ND, OR, SD, UT, WA, WI, WY) | (206) 946-3703
2. Contact law enforcement
After you contact your IRS Stakeholder Liaison, report the data theft to law enforcement: contact your local FBI office or the Secret Service, and also file a report with your local police.
3. Contact each state in which you prepare state returns
Unfortunately, if data is stolen from your practice, there may be an impact on tax accounts in every state where you file state returns for your clients. That means you need to notify two authorities in each of those states:
- State tax agency - use the Federation of Tax Administrators' state tax agency contact listing.
- State attorney general - use the National Association of Attorneys General contact listing.
4. Contact other experts
- Data security experts - they will investigate the breach to determine its cause and scope, contain it, and create a plan to prevent a recurrence. Do not wipe or rebuild affected computers before they have examined them; the logs and files on those systems are the evidence the investigation depends on.
- Insurance company - report the breach to your insurer, who will determine whether your policy covers the costs of responding to it.
- Credit and identity theft protection agency - depending on the state, you may be required to offer credit monitoring and identity theft protection to your clients.
- Credit bureaus - notify them that there has been a compromise and that your clients may contact them.
- Federal Trade Commission - download the FTC's Data Breach Response guide; you can also contact the FTC at idt-brt@ftc.gov.
5. Contact your clients
You will need to notify all of your clients of the data breach. However, work with law enforcement on the timing of the notification letter; they may ask you to delay it so that it does not compromise their investigation.
Do you have questions about this article? Email us and let us know > info@woodard.com