That’s me in super sneaky spy mode.
At the end of the day yesterday I was mailing some paperwork to a couple of clients (yes, we still do that here, especially for clients with limited internet access). I had to create mailing labels for the envelopes. We have a dedicated label printer to help with that job. When I upgraded the office computers this December, I also very carefully went through and updated firmware, drivers, and software for all of our peripheral devices including the label printer. Well, wouldn’t you know the label printer has new software. Software that wants to connect to MS Outlook 365. I hit the connect button and then it asked for my login information to MS Office 365. And then I stopped. Why? Because I had to give that a think:
- When I connect my Office 365 account to the vendor software for the label maker, just how much access are they getting?
- Do I trust that they are only going to use information within Outlook itself or, by entering my MS Office 365 credentials, do they have tentacles into my other Office applications as well?
- Even if I trusted that the “connect” software was only looking at the Outlook contact information, do I have any idea what the vendor is doing with that data or their requirements to keep it private?
I had no answers to these questions. Still don’t. So, while it’s an order of magnitude less convenient for me, until I can find answers or a workaround where I can control who’s doing what with the data, we’re typing each label for printing. Here’s why…
Every paid tax preparer has to have a written information security plan (or WISP). It describes our security protocols and our processes in the event of a data breach, unauthorized disclosure, or disaster. #Taxpros reading this, yes, your WISP needs to include disaster recovery provisions in addition to data breach and disclosure. Data breach (hacking, etc.) and unauthorized disclosure are two different dogs. Paid tax return preparers are required to obtain specific consent for certain disclosures of their clients’ information. Many, possibly most, #taxpros think of this as needing consent to talk to the parents of an independent adult child about that child’s taxes (when they are paying for return prep) or for talking with a client’s financial advisor to optimize their retirement account withdrawals or for providing a copy of a tax return to a mortgage broker. But there’s more to it than that.
Any time a paid preparer discloses private (not necessarily sensitive, not necessarily confidential) client information to another party they are supposed to have specific consent. Of course there are exceptions, return preparation software being the most obvious. I did not include my label machine’s vendor in my client consents for this year. I did ask for specific consent for my scheduling application, my mass e-mailing software, my client management software, my billing software, the application I used to send texts to clients, etc. Why? Because that’s what I’m required to do. And, yes, I think to an extent it is overkill. I think the IRS is way behind the times with respect to understanding just how automated and how connected tax office operations have become. I did my best to ensure that I was complying with the spirit of the IRS requirements without getting my office and my clients so bogged down in authorization paperwork that no time was left over to actually prepare tax returns. I took a hard look at the software subscriptions I was using to automate my practice and was careful to include in each of them only the client information that was absolutely necessary (for example, the mass e-mailing software only has e-mail addresses, no physical addresses or phone numbers; the texting software only has phone numbers and birthdates for sending birthday texts). I didn’t just create a spreadsheet from my tax software or Outlook and import that into each application.
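One way to enforce that kind of per-application minimization in a script rather than by hand, as an added example (not code from this post or from any vendor): each application gets a reviewed list of allowed columns, a client is exported only if consent for that application is on file, and an application with no reviewed list gets nothing. The vendor labels, column names, and the `consents` column are assumptions made for the illustration, and the contact data is constructed.

```python
import csv
import io

# Constructed sample of a master contact export; all names and values are made up.
MASTER_CSV = """client_id,name,email,phone,birthdate,street,ssn_last4,consents
1001,Ana Ruiz,ana@example.com,555-0101,1980-04-02,12 Elm St,1234,mass_email;texting
1002,Ben Cho,ben@example.com,555-0102,1975-11-19,9 Oak Ave,5678,mass_email
1003,Cy Dale,cy@example.com,555-0103,1990-07-30,4 Pine Rd,9012,
"""

# Per-vendor allowlist: the only columns each application may receive.
# Vendor keys are hypothetical labels, not real product names.
VENDOR_FIELDS = {
    "mass_email": ["email"],
    "texting": ["phone", "birthdate"],
}


def export_for_vendor(master_csv, vendor):
    """Return (rows, skipped_ids): minimized rows for consenting clients only."""
    if vendor not in VENDOR_FIELDS:
        # Fail closed: a vendor with no reviewed allowlist gets nothing.
        raise PermissionError(f"no reviewed field allowlist for vendor {vendor!r}")
    allowed = VENDOR_FIELDS[vendor]
    rows, skipped = [], []
    for record in csv.DictReader(io.StringIO(master_csv)):
        consents = {c for c in record["consents"].split(";") if c}
        if vendor not in consents:
            skipped.append(record["client_id"])  # no consent on file, no disclosure
            continue
        rows.append({field: record[field] for field in allowed})
    return rows, skipped


def to_csv(rows, vendor):
    """Serialize minimized rows; the header can only contain allowlisted columns."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=VENDOR_FIELDS[vendor], lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    for vendor in VENDOR_FIELDS:
        rows, skipped = export_for_vendor(MASTER_CSV, vendor)
        print(f"--- {vendor} (skipped, no consent: {skipped})")
        print(to_csv(rows, vendor), end="")
```

Because the export is built from the allowlist rather than by deleting columns from the master file, a column added to the master later (a new ID number, a spouse's name) never reaches a vendor until someone deliberately adds it to that vendor's list.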
Why am I telling you all of this? Because my social media is filled with tax professionals (new and experienced) who are using automation tools (and their cell phones) in their practices. And it is becoming clear to me just how many are only looking at convenience and not security. The vibe I’m getting is something along the lines of “well everyone else is doing it so it must be OK/safe.” It really isn’t. Security and convenience are always a balancing act. Some things at Tax Therapy are more difficult (or more manual) than they have to be because I have thought through the security consequences and decided to err on the side of a bit more manual processing. If your #taxpro has given it some thought and decided that they can accept or mitigate the potential risks of a given technology, that’s fine. Every practice is different and has different resources to devote to IT, software evaluation, etc. It’s all of those #taxpros who aren’t even giving the security side a second thought that I’m concerned about. And if you’re a taxpayer using a paid preparer, you should be too.
Paid tax return preparers are not allowed to sell your data. But what happens when they provide your data without your specific consent to a vendor who then sells it or uses it to sell you more products? I’m looking at you, Intuit! I’ve been reading that clients of preparers who use Intuit’s suite of professional products are being solicited to use one of Intuit’s DIY products when they sign in to, for example, retrieve their W2s and 1099s or complete their tax professional’s annual client organizer. Not cool. Not cool at all.
I can’t run my office profitably without a certain degree of automation. There’s only so many days in tax season, only so many hours in a day, and only so much brain time in a given set of hours. But Tax Therapy clients can rest assured that I have devoted a huge portion of my (not inconsequential) brain power to ensuring that I’m only disclosing as much of their data as I absolutely have to to a given vendor and that I am getting their consent to do so each year. Tax professionals, what about your office? Taxpayers, what about your #taxpro?