Vestige and McGuireWoods law firm are presenting to the SAME BOSTON POST on October 3. Topic: What to Know Before the CMMC Auditor Arrives.


CPA’s: How are YOU Protecting Your Clients’ Data?


CPA’s: How are YOU Protecting Your Clients’ Data?

Author photo
by Mary Brewer

Tax Information Is Valuable To Your Clients…AND To Potential Thieves

Accounting firms routinely collect sensitive information from both clients and employees, including Social Security numbers, bank account information, earnings and business information, and credit card numbers. Targeting accounting professionals can result in a wealth of information for a cybercriminal.

Accounting firms, regardless of the number of clients, face the risk of cyber-attacks.  Since larger corporations typically have entire departments dedicated to risk management, hackers are very interested in smaller organizations.

Review the 12-point client data protection checklist below to learn how to protect this sensitive information and find out why investing in cyber security for accountants is essential.

12 Point List Accounting Professionals Should Have In Place For Adequate Client Data Protection

  1. Physical Security

    • Utilize access restrictions such as employee key cards, visitor logs, badges, and security cameras.
    • Secure all client information including paper documents and physical devices.
    • Make sure all client information is secured during non-business hours.
  2. E-mail

    • Learn to recognize phishing emails, particularly those pretending to be from the IRS, e-services, a tax software provider, cloud storage provider or prospective client.
    • NEVER open an embedded link or attachment from a suspicious email.
    • Beware of emails marked “urgent,” “respond now,” or “update your account now.” A legitimate business will never request personal or sensitive information via email, unless through a secured mail service.
    • If your clients are emailing financial information, explain that email correspondence must be sent using encryption protocols.
    • A secure client portal can be used for data transmission activities.
  3. Data Security
    • Install anti-malware/anti-virus security software on all devices (including laptops, desktops, routers, tablets and phones) and keep software set to automatically update.
    • Protect your network with a firewall and make sure it is updated with the latest patches.
    • Encrypt devices such as laptops, desktops, tablets and phones, to ensure information protection if lost, stolen or improperly discarded.
    • Do not allow employees to download client data onto their personal laptops or devices.
    • Wipe or destroy old computer hard drives that contain sensitive data (including USBs, CDs, tablets, phones, and tapes).
    • Before disposing of printers, check if data is stored on a hard drive or in internal memory, and remove sensitive data.
    • Shred or burn all documents containing taxpayer information.
  1. Password Protection Protocol
    • Require strong passwords of 8 or more characters.
    • Consider installing a password management application.
    • Change all default passwords from accounts and devices (including printers, wireless routers).
    • Do not reuse passwords.
    • Enable a multi-factor authentication process for user access, meaning username/password plus an additional security code, which is sent as a text or email. Use this same protocol for contractors, vendors or outside individuals who require access.
  1. Backup Plan
    • Backup all business-critical data on a regular basis, preferably automatically.
  2. Disaster Recovery/Business Continuity
    • Write an effective step-by-step plan to recover from a disaster situation, and quickly resume business functions.
    • Make sure all employees are aware of their responsibilities, and practice on an annual basis.
  1. Wi-Fi Security
    • Limit or disable internet access capabilities for devices containing taxpayer data.
    • Make sure your Wi-Fi network is secured with strong passwords and encryption protocols.
    • Keep guest networks separate from your internal network.
    • Prohibit data access through unsecured networks, such as coffee shops or other public Wi-Fi.
    • Require that remote employee home networks are secure and utilize a VPN connection.
  1. Outside Services
    • Check the IRS e-services account weekly. If a discrepancy is found, notify the IRS immediately, so that clients are protected against fraudulent returns being filed in their names.
    • Common clues to data theft:
      • A client files a tax return electronically, but it is rejected, due to a previously filed return, which contains their SSN.
      • Clients who haven’t filed tax returns receive authentication letters/refunds.
      • The IRS notifies clients that their accounts were accessed, disabled, or a new account was created.
      • The number of returns filed with the tax practitioners electronic filing identification number exceeds the number of clients.
  1. Access privileges
    • Use the principle of “least privilege” when assigning access rights for software or network folders containing sensitive information. This method gives users minimum access to perform his or her job responsibilities.  Furthermore, restrict access to taxpayer data on a need-to-know basis.
    • Conduct routine reviews of access authority when an employee leaves the firm or changes roles.
    • Limit data access through mobile devices.
  1. Outside audits
    • Hire an outside firm to review your systems and verify security methods. This can include ethical hacking or penetration testing of the network, to search for vulnerabilities that could be exploited by malicious hackers.
    • Social engineering/phishing tests can be performed to ensure employee vigilance against outside attacks.
    • Alerts can be created when unusual network or data traffic patterns are detected.
  2. Cyber Liability Insurance
    • A current cyber liability insurance policy demonstrates your firm’s commitment to due diligence in providing for clients’ cyber security needs.
    • Accounting firms should also review their cyber liability policies to understand exactly what is covered (or not). Insurers can offer suggestions and advice to take proactive steps to prevent data theft from occurring.
  3. Employee Training and Education
    • It is important to regularly educate employees on security best practices, called Cybersecurity Awareness Training, with on-going reminders.
    • Employees should be aware of the methods being used by hackers to acquire information, and remain vigilant at all times.

Be Diligent – This is Your Responsibility!

Vestige offers Cybersecurity Services to CPA firms. Let our team of cyber security experts evaluate your company, and identify ways to keep your client data secure and prevent a CPA data breach.

By Mary Brewer, MBA, BS, AAS