In the age of identity theft and computer hacking, your clients need the peace of mind that you will keep their sensitive information safe. You also need security policies and procedures in place in order to ensure that you are in compliance with the many state and federal laws, such as Gramm-Leach-Bliley, FACTA, FERPA, EEA, and others.
Sensitive data can be stored in almost any form: paper documents, computer files, scraps of paper thrown in the trash with a phone number jotted down, filing cabinets, old hard drives, flash drives, texts, emails, and other electronic communications. Sensitive data can be found at the office as well as at the homes of remote employees.
So what can you do, as an accountant, to protect your clients from identity theft and yourself from non-compliance, which could lead to penalties and lawsuits? Develop a detailed security plan to properly store and destroy all client and company personal and financial information.
Your plan should include clear policies regarding the storage and destruction of client information. The policies should fit your firm, depending on the number of employees and the types of documents you keep. Below are some suggestions that you can modify to your needs.
Storing client information
Develop a clear chain of custody for hardcopy documents, overseen by someone in authority, so that whenever a client’s documents are accessed, that person knows who took them, when they were taken, and when they were returned. The documents should be kept in a secure location, with only a limited number of people holding the key or password for entry. Employees should not leave client information on their desks unattended – if they walk away, the documents should be placed in a locked drawer.
All computers that contain customer or employee data must be password protected, with password access on a need-to-know basis. Never tape a password to your computer so anyone who needs it can access it! All electronic communications with clients – the electronic transfer of tax documents, discussion of finances, or personal data – must take place over a secure connection. Make sure you are constantly updating your company’s firewalls.
Make a policy against the use of texting for business purposes. There are secure apps for cell phones that can allow your clients and your employees to communicate with each other conveniently and securely.
All policies defined for the office should also apply to your employees’ home offices. Their cabinets should be locked. Nothing should be left out on the desk where the kids could spill something on it or some other home-life mishap could happen to it. All office trash must be kept separate from household trash for proper disposal.
Destroying client information
Shredding is the best way to destroy data, both paper and electronic. Hiring a shredding company is more secure than using an office shredder. Office shredders do not shred very thoroughly, and once you throw something out, it is effectively public property. Identity thieves are willing to take the time to put the puzzle back together. Professionally shredded paper is too fine to reassemble, and a good company will have it incinerated or otherwise destroyed after shredding.
Professional shredding companies also have the means to thoroughly destroy your old electronic devices, such as hard drives, computers, phones, and flash drives. Identity thieves have ways of recovering data that you thought you had deleted, so it’s important to take this step.
A reputable company will provide you with a certificate of destruction, which complies with regulations and can withstand an audit. You will want this certificate if ever you have to prove that your document management was secure.
Your offsite employees should be required to comply with these policies, as well. They can bring their trash or electronics to the office for disposal with the rest of your firm’s old files.
Take these steps in order to ensure that your clients’ and employees’ personal information is safe from theft. This will keep you in compliance, limit the risk of a security breach, and decrease the likelihood of legal action against you, should identity thieves try to attack you. Most thieves are looking for the easy victim. If you have protection in place, they’ll look elsewhere.