How Secure is Your Paperless Process?


From the April 2012 Issue.

5 Things to Consider with Online Document Security

In last month's column, "Five Reasons Cloud-Based Backup is Better," I wrote about how I believe online backup of data, including client and firm data, is more reliable and safe than backing up files to another computer, device or CD, especially ones that are housed in the same office or building. It’s also a lot easier and can even be automated, which removes the biggest factor for potential problems: human error.

Whether using an online service for general data backup and recovery purposes, or using other paperless document utilities, such as online document management systems or workflow productivity tools, there are several security issues that users should at least be aware of. This is particularly true for tax and accounting professionals who handle the most sensitive of client data.

For those who are still reluctant or skeptical of the security of online data, the odds are that, even if you or your client don’t use online portals, much of that same information is still “out there,” because banks and financial institutions store the data on connected and redundant servers. No security system is perfect, of course, but despite the occasional media story about a potential leak or hack of information, data stored on your own PC is still much more likely to be stolen or lost due to technical problems.

So, what should you think about when dealing with paperless files? The answer is pretty much the same things you should be aware of when using any web-based system. Fortunately, “awareness” doesn’t mean you have to become an expert at these issues, just knowledgeable enough to ask some good questions.

Email

The most common mistake professionals can make is sending an email to a client with sensitive information (SSN, TIN, account numbers, etc.) in either the message of the email or in an attached file. Over the past 15 years, even novice technology users have come to rely on email for day-to-day business and personal communications, and it is invaluable for tasking, broad messaging, scheduling and other general tasks. But never, ever (ever) email an official client document to anybody, including the client or others in your firm, unless you have a built-in Outlook plug-in like CPA SafeMail from cPaperless, or your document management solution has a similar secure tie-in to your email program.

There is one exception to this, which is encrypting your client emails, but doing so manually and on a one-at-a-time basis is tedious, time consuming and prone to user error. What’s the risk? Potential loss of client data, of course, but also potential fines, as many states ramp up digital protection laws. In Massachusetts, firms can be fined up to $10,000 for each breach of security.

You still need to deliver returns, reports and other documents to your clients, of course, and in the paperless world, this means using a secure portal or document management system that automatically encrypts files before they even leave your computer, and keeps them that way until a client logs into their side. You can read our review of portals at www.CPAPracticeAdvisor.com/10457012, and our review of document storage and management systems will be coming in our May and June issues.

SSN/TIN Masking

Along the same lines as the inherent lack of security of email, the documents themselves may be insecure, whether they are in paper or digital format, and in some states can bring the same penalties. What am I talking about? Mostly Social Security, Taxpayer ID and account numbers. There is rarely any reason for these numbers to be printed (paper or digitally) on a client’s copy of tax returns or other documents, at least not in their entirety. Most modern practice management and tax systems have features that either mask sensitive information automatically, or have a user setting to do so (such as hiding all but the last four digits of an SSN).
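For readers who script their own document or email checks, the masking described above can be sketched as follows. This is an added example, not code from any product named in this column; the function name, the patterns and the sample text are constructed for illustration.

```python
import re

# Assumed formats: SSN as 3-2-4 digits with '-', ' ' or no separator,
# EIN/TIN as 2-7 digits with a dash. The lookarounds keep the patterns from
# firing inside longer digit runs such as phone numbers.
_SSN = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")
_EIN = re.compile(r"(?<![\d-])(\d{2})-(\d{7})(?![\d-])")


def mask_identifiers(text):
    """Return (masked_text, count), hiding all but the last four digits.

    A non-zero count on an outgoing email body or client copy means the
    text still carried at least one full identifier.
    """
    count = 0

    def _ssn(m):
        nonlocal count
        count += 1
        sep = m.group(2)  # keep the separator style the document used
        return f"XXX{sep}XX{sep}{m.group(4)}"

    def _ein(m):
        nonlocal count
        count += 1
        return f"XX-XXX{m.group(2)[-4:]}"

    # Bare nine-digit runs are masked too; they may be account numbers
    # rather than SSNs, which also should not appear in full.
    text = _SSN.sub(_ssn, text)
    text = _EIN.sub(_ein, text)
    return text, count


if __name__ == "__main__":
    # Constructed sample: two SSN styles, an EIN, a phone number that must
    # be left alone, and a value that is already masked.
    sample = ("Taxpayer SSN 123-45-6789, spouse 987 65 4321, EIN 12-3456789. "
              "Call 555-867-5309. Prior copy showed XXX-XX-6789.")
    masked, found = mask_identifiers(sample)
    print(found, masked)
```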

Password Strategies
