Editors: Steven F. Holub, CPA, MBA, and Kenneth M. Parker, CPA
In the course of providing professional services, CPAs need to gather many pieces of sensitive, personal information from clients. This includes financial information, tax identification numbers, financial account numbers, and other crucial financial data. If unauthorized third parties obtained this data, they could cause damage to the client ranging from simple embarrassment to identity theft. Therefore, it is critical for CPAs to maintain control over the transfer of data to assure that their clients’ confidential information is not compromised. Technological advances have expanded the options for electronic data transfer, which is convenient for both CPAs and their clients. The advantages of electronic data transfer include:
- Data does not have to be physically delivered to the CPA’s office, either by the client personally or by a third party (such as the post office or a private common carrier);
- Data transfer is instantaneous; and
- Data that originates in an electronic format may be processed more efficiently and accurately by the CPA than if it has to be input electronically from paper.
However, most clients do not understand that various methods of electronic transfer require security to protect the client’s private information from being intercepted. Clients may think the method they use to send vacation pictures to family and friends is also suitable for transferring tax records. That is not the case, and, therefore, CPAs must educate themselves and their clients about the risks and benefits of various data-transfer methods and which methods are appropriate or inappropriate.
Risks of Client Data Transfer
Many clients may want to transfer data to their CPA via email, since most people now regularly use email to communicate in professional and personal matters and files of any type may be sent conveniently via email. It may be simple to send data attached to an email, but this transfer method is risky because it is inherently insecure.
Unless the sender takes special precautions, email is sent in an unencrypted form, which means it can be read if it is intercepted. If an unencrypted message ends up in an unintended party’s hands, the contents of the message and its attachments can be compromised. The results could be very harmful to the client.
An unscrupulous individual could sell access to personally identifiable information or attempt to use the information to steal the client’s identity. While almost all email programs support the use of a security certificate, which enables email users to send information encrypted and to determine that the information is being sent to the correct place, the system is not used much outside of certain industries. While “installing a certificate” provides good security, most clients probably will not use security certificates because they may not know what they are.
Lack of Control Over Transmission
To the sender, an email appears to go directly from the sender’s computer to the recipient’s. However, in reality the message is relayed through various servers and sites on its route to the final destination. At each step along the way, the message can be intercepted.
Many clients use email accounts that are hosted by third parties. While internet service providers and large email providers have policies and controls to guard against employees’ misuse of email data, these protections are not foolproof. It is also unlikely that many clients are aware of the controls, if any, their provider has in place.
Losing Control of Credentials
Clients often access their email via various public networks. Hotels, coffeehouses, bookstores, and many other businesses provide internet access to customers as a convenience. However, many clients have not configured their email to require a secure login to the mail server. This means the client’s credentials will be transmitted “in the clear” over such a network. While corporate IT departments configure employee laptops with such security issues in mind, laptops that are not so configured are vulnerable. Since many email systems retain large numbers of received and sent messages, a compromised email account can allow a surreptitious third party to access data sent by the client to the CPA and any data the CPA has sent to the client.
Options to Send Data
The CPA firm also must ensure that the data it sends to the client electronically is secure. It is important for the firm to have access to secure transfer options and to ensure that all members of the firm (including administrative staff) are aware of the need to use only these methods to transmit sensitive data.
Many CPA firms use portals. A portal is a website hosted by a third party on which client information can be posted for clients to retrieve. CPA firms should consider several factors when evaluating the implementation of a portal and selecting a portal vendor.
Levels of security: At a minimum, the website that will hold the data should require the use of secure internet connections. This ensures that data is encrypted in transmission and reduces the risks involved if the data is intercepted as it flows from the portal to the client. The method for transmitting secure data to the client should be considered. By far the least secure methods involve some sort of “security by obscurity,” where any security vulnerability that exists will hopefully be difficult for hackers to discover. A minor step-up in security would be for a site to require the client to provide his or her email address to gain access. A password should also be required. If a client is able to choose his or her own password, he or she will be more likely to use the site, but there is a high likelihood that the client will choose an insecure password.
Even if the password the client selects clears a basic password test, the client likely uses the password on other sites. A number of recent attacks on the internet have been aimed at gaining access to a site’s members’ email addresses and passwords. While the sites being targeted often have little of value, dishonest individuals are fully aware that those same email/username/password combinations could gain them access to a number of other sites because people commonly use the same usernames and passwords on many sites. A system in which the firm controls and generates the password is more secure. That eliminates the problem of insecure passwords, but it raises others.
First, the password must be transmitted to the client. No matter how secure and “strong” the password may be, if it is transmitted in an unencrypted email, a dishonest individual simply needs to see that email to get full access. Thus, the password should always be transmitted via some method other than the method used to transmit access instructions.
Second, such a secure and complex password, since it is used nowhere else, makes it less likely the client will make use of the portal. People generally like convenience, and typing a long, complex, and unique password to access a site that is only used annually at tax time is hardly convenient. Thus, firms may find that clients strongly resist using the portal system in this case.
Finally, to be truly secure a password should not be a word found in a dictionary. The best passwords contain both uppercase and lowercase letters, symbols, and numbers. Longer passwords are also much better than shorter ones—in fact, password length is the most significant influence on the relative security of the password.
USB Thumb Drives and Laptops
USB thumb drives, which are small, removable data storage devices that connect to computer USB ports, are a common and convenient way to transfer data. They must be encrypted if client data is to be transferred using these devices. Some form of protection, such as BitLocker-To-Go, can be used to provide protection. This will prompt the user, when plugging a USB thumb drive into a computer, to encrypt and password-protect the thumb drive. This is an important part of security for any firm that uses USB thumb drives.
In addition, encryption of laptops with protection, such as BitLocker, will protect data on that computer from anyone who should not have access to the laptop. This is extremely important when a computer is lost or left under uncontrolled circumstances. When a client asks to use one of the firm’s laptops, it is essential that the laptop drive be encrypted before sending it to him or her and that the client be made aware of the security risks involved if he or she loses the equipment.
Encrypted PDFs and Security Envelopes
Most clients of CPA firms have a PDF reader installed on their computers—most often the Adobe Acrobat Reader for their particular operating system. The PDF format supports encryption of data that can be accessed only by entering the required password.
To encrypt the file, the CPA needs more than the free Acrobat Reader program. The full versions of Acrobat provide this feature, as do many third-party PDF manipulation programs. CPAs using Apple computers will find that the OS X operating system’s Preview has the built-in ability to encrypt PDFs. Tax software providers may provide the option to generate a PDF from the tax software and apply password protection to the file.
The PDF file format has become a de facto standard for the exchange of documents that are not meant to be changed by the recipient, which is what most CPA firms are looking to deliver. This ubiquity of use means that almost all clients are able to handle PDF attachments, and virtually all PDF reader software supports decrypting attachments. One item to watch for with encrypted PDFs is to ensure the sender uses a truly secure encryption. The Acrobat security dialogue will allow the CPA to encrypt PDFs at various levels of compatibility. Some CPAs might be tempted to select the most compatible choice, which will work with all versions of Acrobat 3.0 and above. However, that option uses very weak encryption that is easily broken.
The version 5.0 and later options use much more secure methods of encryption—version 5.0 uses 128-bit AES, and versions 9.0 and later use 256-bit AES. Either should provide more than enough security if the password is sufficiently complex. As with portals, the password should be transmitted separate and apart from the transmission of the file. Faxing a password to the client over a line where that person is sure to be the recipient is a viable option. Similarly, the CPA may require the client to call in to obtain the password.
One drawback of encrypted PDFs is that unless the client has a version of Acrobat other than the free reader, the user will not be able to save an unencrypted version of the file. Users may find that inconvenient once they have the file, since they may not always have the password readily available. Similarly, only PDFs can be encrypted using this solution. If other data must be transmitted to the client (e.g., a data file containing adjusting journal entries to be imported into the client’s ledger system), then another solution is necessary. Adobe does offer a solution. If a CPA firm owns a recent copy of either Acrobat Standard or Acrobat Professional, there is an option to create a security envelope.
In Acrobat X Pro, the option to create a security envelope is found in the Protection section of the Tools pane on the right edge of the window, under the “More Protection” option. The user is then led through the process of creating a security envelope and can select the option to provide password security. While the document is shown as a PDF, any type of file may be included in the envelope. The client will need to provide the password to open the individual files in the envelope, but once the file is open, it can be saved to the client’s system without a password.
File Drop Sites
Another option is to use a third-party site that accepts secure file transfers. What these amount to are “one-time use” portals. Various vendors offer such products. One problem is that the level of security varies. Too often the default security may consist of nothing more than transmitting a special link to a recipient via an email. This “security” means that if the email is intercepted, the dishonest party only needs to visit the website to grab the file. CPAs need to ensure that, at the very least, the site offers an option to use true password protection for access to the transferred file and that the protection is used by the firm for all transfers. If a password is used, a separate transmission method must be used to send both the information for access to the file and the password.
Options to Send Data
A similar problem exists for transferring data from a client to a CPA firm. Clients may think nothing of simply attaching scanned copies of all materials to an email, or transmitting Social Security numbers, credit card numbers, and other sensitive data in the body of an email. CPAs should educate clients about why this is not a good idea and provide a secure method to transmit this information.
Just as the CPA firm may encrypt data, so can the client. However, this may not be a suitable solution for a number of reasons. First, many software products that claim to offer to password-protect documents may not use very secure techniques in doing so. A Google search for “password crackers” turns up a number of vendors that sell programs offering to remove passwords from many popular products. While in recent versions, many products have gotten better—as was discussed earlier with regard to Acrobat—clients are not likely to be aware of the quality of encryption for the products they use. Secure transmission of passwords to the CPA is an issue the client may not manage well. A client may think nothing of encrypting his or her tax data using high-quality encryption in a recent version of Acrobat but then putting the password to open the file in the same email used to transmit the PDF.
Just as portals allow CPA firms to deliver data, they also can serve as a location for clients to send data to the CPA. The key advantage is that they provide a one-stop location for sending data.
Also, since almost all portals create dedicated pages for each client, the client may retain the ability to review data already sent to the CPA. The same issues discussed in the prior section on portals apply to using portals to receive data.
Additionally, CPA firms need to monitor the portals to respond to the client when a new file is uploaded. A CPA firm can find itself in an embarrassing situation if no one in the firm has noticed the client has delivered all required information. Furthermore, many sites retain files on the site only for a limited time for security reasons. A firm that does not check regularly for new uploads may need to contact the client well after the original upload to ask that the data be uploaded again.
Dedicated Drop Links
A number of services offer to maintain a dedicated link for uploading files to a firm. Some give the CPA firm a dedicated, branded page, while others (generally less expensive) use a generic upload page with the client indicating the email address of the CPA to receive the file. In either case, the file can be accessed only by the CPA who logs in to the site and enters the password. Because the CPA controls the password, information on transmitting files can be sent to the client in plain text emails with no special security. When a file is uploaded, the CPA normally is notified via email.
The biggest problem with this method is that the data has to be put into a form that can be uploaded. This is becoming much less of a problem since clients increasingly have the ability to scan the necessary documents. Again, the sites may make the information available for a limited time. So, as with portals, someone needs to monitor the drop link for emails and act promptly when information is received.
CPAs can provide a valuable service by proactively educating clients regarding security issues with electronic transfers and providing a reasonable method of accomplishing those transfers.
Used properly, electronic transfers provide a convenient and secure method to transfer data from a client to the CPA. But if proper security is not used, clients may end up taking unnecessary risks by having their private information intercepted when attempting to communicate with a CPA.
Steven Holub is a (retired) tax partner with Cherry Bekaert LLP in Tampa, Fla., and is currently a national director in the firm’s Professional Practices Department. He also is a former chairman of the AICPA Tax Division Tax Practice Management Committee. Kenneth Parker is with Parker and Associates, CPAs, in Jackson, Miss. Edward Zollars is a partner with Thomas, Zollars & Lynch Ltd. in Phoenix. Mr. Parker is chairman and Mr. Zollars is a member of the AICPA Tax Practice Management Committee. For more information about this column, contact Mr. Zollars at email@example.com.