That’s me in super sneaky spy mode.

At the end of the day yesterday I was mailing some paperwork to a couple of clients (yes, we still do that here, especially for clients with limited internet access). I had to create mailing labels for the envelopes. We have a dedicated label printer to help with that job. When I upgraded the office computers this December, I also very carefully went through and updated firmware, drivers, and software for all of our peripheral devices including the label printer. Well, wouldn’t you know the label printer has new software. Software that wants to connect to MS Outlook 365. I hit the connect button and then it asked for my login information to MS Office 365. And then I stopped. Why? Because I had to give that a think:

  • When I connect my Office 365 account to the vendor software for the label maker, just how much access are they getting?
  • Do I trust that they are only going to use information within Outlook itself or by entering my MS Office 365 credentials do they have tentacles into my other Office applications as well?
  • Even if I trusted that the “connect” software was only looking at the Outlook contact information, do I have any idea what the vendor is doing with that data or their requirements to keep it private?

I had no answers to these questions. Still don’t. So, while it’s an order of magnitude less convenient for me, until I can find answers or a workaround where I can control who’s doing what with the data, we’re typing each label for printing. Here’s why…

Every paid tax preparer has to have a written information security plan (or WISP). It describes our security protocols and our processes in the event of a data breach, unauthorized disclosure, or disaster. #Taxpros reading this, yes, your WISP needs to include disaster recovery provisions in addition to data breach and disclosure. Data breach (hacking, etc.) and unauthorized disclosure are two different dogs. Paid tax return preparers are required to obtain specific consent for certain disclosures of their clients’ information. Many, possibly most, #taxpros think of this as needing consent to talk to the parents of an independent adult child about that child’s taxes (when they are paying for return prep) or for talking with a client’s financial advisor to optimize their retirement account withdrawals or for providing a copy of a tax return to a mortgage broker. But there’s more to it than that.

Any time a paid preparer discloses private (not necessarily sensitive, not necessarily confidential) client information to another party they are supposed to have specific consent. Of course there are exceptions, return preparation software being the most obvious. I did not include my label machine’s vendor in my client consents for this year. I did ask for specific consent for my scheduling application, my mass e-mailing software, my client management software, my billing software, the application I used to send texts to clients, etc. Why? Because that’s what I’m required to do. And, yes, I think to an extent it is overkill. I think the IRS is way behind the times with respect to understanding just how automated and how connected tax office operations have become. I did my best to ensure that I was complying with the spirit of the IRS requirements without getting my office and my clients so bogged down in authorization paperwork that no time was left over to actually prepare tax returns. I took a hard look at the software subscriptions I was using to automate my practice and was careful to only include in each of them that client information that was absolutely necessary (for example, the mass e-mailing software only has e-mail addresses, no physical addresses or phone numbers, the texting software only has phone numbers and birthdates for sending birthday texts). I didn’t just create a spreadsheet from my tax software or Outlook and import that into each application.

Why am I telling you all of this? Because my social media is filled with tax professionals (new and experienced) who are using automation tools (and their cell phones) in their practices. And it is becoming clear to me just how many are only looking at convenience and not security. The vibe I’m getting is something along the lines of “well everyone else is doing it so it must be OK/safe.” It really isn’t. Security and convenience are always a balancing act. Some things at Tax Therapy are more difficult (or more manual) than they have to be because I have thought through the security consequences and decided to err on the side of a bit more manual processing. If your #taxpro has given it some thought and decided that they can accept or mitigate the potential risks of a given technology, that’s fine. Every practice is different and has different resources to devote to IT, software evaluation, etc. It’s all of those #taxpros who aren’t even giving the security side a second thought that I’m concerned about. And if you’re a taxpayer using a paid preparer, you should be too.

Paid tax return preparers are not allowed to sell your data. But what happens when they provide your data without your specific consent to a vendor who then sells it or uses it to sell you more products? I’m looking at you, Intuit! I’ve been reading that clients of preparers who use Intuit’s suite of professional products are being solicited to use one of Intuit’s DIY products when they sign in to, for example, retrieve their W2s and 1099s or complete their tax professional’s annual client organizer. Not cool. Not cool at all.

I can’t run my office profitably without a certain degree of automation. There’s only so many days in tax season, only so many hours in a day, and only so much brain time in a given set of hours. But Tax Therapy clients can rest assured that I have devoted a huge portion of my (not inconsequential) brain power to ensuring that I’m only disclosing as much of their data as I absolutely have to to a given vendor and that I am getting their consent to do so each year. Tax professionals, what about your office? Taxpayers, what about your #taxpro?

 

This one is mainly for all my new friends in Facebook’s Tax 101 group (especially the people who are new to flying solo). Still, it is good advice for most business owners and just regular people too although not all of it may apply to your particular situation.

  1. Change your passwords annually. Change the login passwords on your work machine and those for your critical cloud services (tax software, accounting software, client management software, etc.) and use long passphrases (at least 16 characters) where possible. Don’t want to keep track? Consider a password manager such as Last Pass (not an endorsement, just a suggestion). Here are a couple you might not think about—change the password on your router and your WiFi login (or ask your IT person to do it). Your router/modem are the gateway to your computers. My router has the password on a sticker on the side—of course I changed that. And then I change it annually as part of my office security protocols.
  2. And speaking of your WiFi...use the strongest password encryption your modem allows and stop broadcasting your SSID. Your SSID is your network identifier. It lets people “see” the available networks in the area. You’re a tax shop. Don’t broadcast your network to any rando who’s driving around the neighborhood.
  3. Add multi-factor authentication to anything that allows it. That way even if your passwords are compromised whichever baddie ends up with them will also have to have your phone or your e-mail account credentials or something else to get into your cloud accounts.
  4. Purge old files. Paper and electronic files. I’ve heard #taxpros bragging that they have a copy of every return they’ve ever done. Either on a drive somewhere or in a file cabinet (the horror!). You know what that does? It increases your exposure in the event of a data breach by an order of magnitude. Data breaches aren’t all electronic. What happens if your files are on paper and angry burglars bust up your file cabinets and send those papers flying down the street (happened with my Aunt’s personal paperwork—not fun). Do you really want to have to pay for ID theft protection for a client from five years ago if they aren’t still a client? Do you really want to have to notify clients who are long gone in the event of a breach. Make a purge plan part of your written information security plan (WISP)—you do have a WISP, right? You are required to have one if you get paid to prepare tax returns.
  5. Update your virus software and run a deep scan of your computer hardware. I recommend doing this at least quarterly, but you definitely want to do it before the clients come knocking this filing season.
  6. Encrypt your hard drives and flash drives, especially any drives that can be lost or stolen easily (so flash drives, removable storage, laptop HDDs).
  7. Turn off your machines! Now, this is more practical for some people than others, but basically if a machine is on and visible (see Tip #1) people can try to break into it. You can’t break into a machine that is off. Sure, you can set “time out” times for devices on your router (and you should). Turning the machines off if you really don’t require them to be on 24/7 just adds an extra layer of protection. I even unplug my router if I’m going to be away from the office more than a couple of days.
  8. Implement a “clean desk” policy. For those of you who are fully paperless, the Windows + L key is your friend (it locks your screen immediately). If you aren’t paperless, be sure that if you step away from your desk or leave for the evening that client information is not easily accessible to anyone who might have to come into the office. I mean, my landlord is allowed to enter my office during a building emergency. I don’t want them seeing my stuff!
  9. Consider (or reconsider) how you are collecting and storing your clients’ personally identifying information. Many amazing applications allow you to conveniently collect all sorts of client data with only a click or two. But you need to know if what you are using is secure. Does it encrypt the data? Is that data passed through or stored somewhere in the cloud? What happens if the company who owns/runs the application has a breach? Are you liable? To what extent? Who knows?! Certain information I simply will not collect using a web-based form because I don’t know enough to answer those questions. You need to decide for yourself and your firm where the line is between automation/convenience and security. And, like all things tax, “it depends”. It’s going to depend on the size/volume of clients your firm handles. It’s going to depend on your risk tolerance. Technology is wonderful and can help us all become more profitable, but it’s important to use it mindfully.
  10. Remember there are three basic types of security: cyber security, physical security, and operations security. Most of these tips are cyber and physical. Operations security is looking at your office processes and procedures and your staff and ensuring that your processes/procedures keep your office secure and that your staff is trained and not actively or inadvertently compromising your well thought out procedures by their actions.

Good #taxpros don’t rely on luck to keep information safe. Security is an active process! Stay active in the new year!

In an earlier post I discussed the various types of paid tax professionals and at the end I mentioned that, at an absolute minimum, your preparer needs to hold a valid preparer tax identification number (or PTIN). Ghost preparers are paid preparers who do not hold PTINs. They are often (but not always) small, independent, tax season only preparers using software meant for personal preparation (such as TurboTax) to illegally prepare returns for other individuals for pay.

Update (February 8, 2019): Read what the IRS has to say about ghost preparers here.

The main difference between a true ghost preparer and, let’s say, your aunt who files your return using her copy of TurboTax and you slip her $50 bucks for her help is that ghost preparers hold themselves out as actual tax professionals, often to family and friends, but often to others as well.

The problem with ghost preparers (and for that matter your aunt) is that they have absolutely no accountability to the IRS or to you, the taxpayer, for their work. They do not have to comply (or even pay attention to) safeguarding your personal information from disclosure or theft. They do not have to abide by any ethics rules. And they do not have to help you (often they are not allowed to help you) if you receive a notice from the IRS for an audit or any other issue that pertains to your tax return. Their responsibility ends once your return is filed whether correctly or incorrectly or, worse still, fraudulently.

So how do you avoid using a ghost preparer to prepare your income tax return? Before you give the preparer any information make sure s/he has a PTIN. If the preparer doesn’t know what you’re talking about run, don’t walk, to another preparer. The IRS Return Preparer Office has a searchable directory that you can use to determine if your preparer has a PTIN but it does not include those who do not have not obtained any professional credentials or qualifications. If you’re still unsure, check out this article by The TaxGirl (Kelly Phillips Erb).

Think you’ve seen a ghost preparer? The easiest way to tell is to look at the signature area of your tax return. Under the signature block there is an area that says “Paid Preparer Use Only”. That block should have your preparer’s name and contact information. Older returns may have the preparer’s PTIN; newer returns often have the PTIN masked. If it says “self prepared” your preparer is a ghost preparer. Remember, if your return preparer used your return to commit fraud his or her name isn’t anywhere on the return. You effectively own that fraud.

So please, be careful when choosing a #taxpro. Of all the options available you should be able to find one who both meets your needs with respect to the level of complexity of your return and your price requirements. Remember you are entrusting this individual with your identity and most if not all of the details of your financial life (and many of the details of your personal life). It’s too important a decision to make quickly or based on price alone.

Can I? Sure. Will I?

The main reason we will not e-mail you copies of your tax return (or any other sensitive tax information) is that it is illegal for us to do so unless the e-mail is encrypted. Not password protected…encrypted. I’ll be the first to admit I am not an information security expert, let alone an information security professional, but I am pretty paranoid. Simply sending you a password-protected PDF file is not enough to meet the required standards. The type and level of encryption required to send tax documents via e-mail probably eliminates the reason for doing so in the first place, namely convenience.

I have many clients tell me that they “don’t trust the mail” and would rather use e-mail. E-mail may seem (may be) more reliable than postal mail or a commercial carrier such as Federal Express but it is nowhere near as secure. With a hard copy mail carrier your information leaves its destination in a sealed envelope (I like to use Tyvek envelopes because they are also less easily ripped and don’t disintegrate when wet). It also arrives in that same sealed envelope and it is usually pretty easy to tell if it has been mishandled or tampered with somewhere along the way. E-mail provides no such security. Once your “envelope” leaves your mail program it is routed through whatever computers make most sense to the internet. And unless you are a cyber security expert, there is no way to tell just how many stops your message made or if it was opened and read along the way before arriving at its destination. It’s similar to the difference between mailing a letter in an envelope and mailing a postcard. That’s why we are required to encrypt your private information if we are going to send it via e-mail. That ensures that anyone who tries to read it can’t (your “postcard” message is written in a really strong code that can only be decoded if the person who sent the postcard originally gives you the key to unlock the code). Again, most people are looking for a convenient way to send/receive documents electronically and all this code making and breaking is extremely inconvenient.

Clients can, of course, e-mail their documents to us but I recommend that they don’t. I prefer that they don’t. I won’t even look at e-mailed documents from non-clients. To make it easier for new and existing clients to send and receive electronic documents Tax Therapy maintains a secure file portal that is integrated with our tax software. A secure file portal is an internet location where each user registers and is provided access to only those documents intended for him/her. It is the best option for electronic delivery of documents (to me or to you).

We appreciate the opportunity to meet your tax preparation needs and want to assure you that your privacy and information security are extremely important to us.

This post brought to you by someone on my FaceBook tax forums and by National Tax Security Awareness Week (December 3-7, 2018). This happened back in 2016 but unfortunately stuff like this still goes on today.

Said person was seen complaining that his tax software provider (also my tax software provider) was no longer supporting, wait for it—Windows XP. Yes, that’s right, Windows XP. In case you missed the memo, Windows XP was released in August 2001 (no, that’s not a typo) and Microsoft stopped selling it in 2008. Microsoft stopped supporting it in April 2014. That’s almost two years ago [now four years ago]. What’s the big deal you ask? Well, to put it succinctly, security patches. The “support” Microsoft stopped providing to XP users in 2014 was, among other things, security patches.

I try to run a tight ship and to provide value for my customers, so I’m not constantly upgrading my computers and software. I do, however, take information security and identity theft extremely seriously. Indeed I see them as one of the largest threats to the viability of my tax practice. Identity theft issues erode my customers’ trust in the computers and software that are necessary to my job. Should my practice ever experience a data breach, the costs of complying with the laws concerning customer notification and restitution could make it difficult for me to continue in business (even with good insurance in place). Consequently, I consider it negligent to be running software that is no longer getting security patches.

Given the prevalence of identity theft and the sensitivity of the information used to prepare your tax return it is important for you to consider how your paid preparer protects that information. While it is unlikely that you will get your preparer to divulge all of the details of his or her security plan, he or she should be willing to answer some questions, for example:

  • What version of Windows are you using?
  • Are you running a firewall, anti-virus, and anti-malware?
  • How often do you update your virus definitions and run scans?
  • What are some of the other measures you take to protect my information?

If your tax professional cannot or will not answer these questions it may be time to start looking for a different preparer. I also have concerns about professional preparers who use free internet products to save costs but that is a post for another day.