Accounting, Taxes, and Identity Theft
Everyone always harps on the necessity of privacy when discussing health care, government, and banking communications. It is surprising how little attention is paid to email security with regard to accounting and tax preparation. There is a real danger of identity theft, unintended information disclosure, and invasion of privacy when using tax preparation services or organizations that do not use secure email. Why is this?
We have a professional accountant on our staff who has been helping businesses and individuals with tax preparation for more than 20 years. She has put together a list of things that accountants and tax preparation organizations typically send or receive over normal insecure email:
- Tax Returns (Individual/Corporate/Partnership/Non Profits/Payroll etc.)
- W-2 forms, 1099 Forms and K-1 forms (all have your social security number)
- Bank Statements
- Credit Card Statements
- Investment Brokerage Statements
- Financial Statements (Balance Sheet, Income Statements, etc.)
- HUD Closing Statements (Real Estate Settlement Sheets)
- Stock Transaction Statements of Realized Gains/Losses (aka Cost Basis Statements)
- Bank Information for Direct Deposit of tax refunds (Bank Name, Routing Number, and Account Number)
- Photocopy of voided check for direct deposit of tax refunds
- QuickBooks backup files
- Bank Activity downloaded as an “.iif” file to be imported into QuickBooks
- IRS and State Taxing Authorities Correspondence
- CPA Audit Journal Entries, Trial Balances, etc.
- Automobile Purchase Agreements and Loan Agreements
- Payroll Information and W-4 forms
- 1099-MISC information (names, addresses, social security numbers, and yearly amount)
Wow! These documents provide all sorts of information to prying eyes – your social security number, bank account numbers, business details, clients’ and vendors’ names and contact information. The list goes on and on. Together with a little social engineering, this information could enable anyone to get into your accounts, create credit cards in your name, assume your identity, take over online accounts, and more.
Accountants and agents who accept and send this information over insecure email, or even worse, via free public email accounts like Gmail, Yahoo, AOL, etc., often show little concern for the potential impact that any single security gap can have on their clients.
Those who treat these issues with the seriousness warranted by the recently publicized data security breaches offer a serious value-add to their services.
What do accountants need to do to mitigate data privacy breaches?
The easy thing to do is to never send sensitive documents over email (or insecure FAX). That, by itself, will go a long way to safeguarding client data.
However, if you want or need to use email to facilitate quick and inexpensive paper-free communications, you, as an accountant, need to ensure that:
- All sensitive information sent to your clients is encrypted in transit to them and that only the intended recipient can open the “package”.
- All sensitive information that your clients send to you is encrypted starting from their computers all the way to your desktop.
- Privacy can be guaranteed in a way that is not “painful” … i.e., not too cumbersome to be a problem in and of itself.
Knowing what needs to be done and finding a cost-effective way to do it are two very different issues. LuxSci’s SecureLine service allows users to accomplish both: (1) sending secure email to anyone and receiving secure email from anyone, (2) without anyone needing to install special software, and with a price tag that is very small, as low as $2/month/accountant. And it doesn’t have to cost your clients anything!
What about just sending an encrypted file?
Many tax preparers (even at big companies) who do “something” to mitigate the email security issue, will send a “password protected” file. Then they will call the recipient and tell them the password over the phone. This mechanism usually has some serious drawbacks:
- It is common for the “password” to be some simple word, like “green”, that is in the dictionary and which is used for ALL of their “secure email correspondence”.
- The message itself is still sent insecurely. Anyone who can intercept the message can have access to the password-protected file. They can then proceed to break into it. How?
  - If the encryption used is poor (or non-existent), it will be simple for an experienced hacker to unlock it.
  - If the password chosen is poor, it can easily be detected by simply trying all the words in the dictionary, along with common variations on them. This is both fast and easy to do these days.
So, how secure is that “password protected file?” You can answer part of that yourself by looking at what the “password” being used is. Also, a quick search on Google shows lots of tools out there for “password recovery” for Word, Excel and other files! For example, one of the first search results we saw was Password-Studio. Anyone could get one of these programs and have a good chance of quickly unlocking a password-protected file. Not too secure, huh?
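A check an accounting office could run before a password is ever used on an emailed file, covering the weaknesses listed above (dictionary words, common variations on them, and one password reused for all correspondence). This is an added example, not code from the original article or from LuxSci; the wordlist is a constructed sample and the 14-character minimum is an assumed policy value.

```python
import re

# Constructed sample wordlist; a real check would load a full dictionary file.
SAMPLE_WORDS = {"green", "password", "taxes", "summer", "refund", "account"}

# Assumed policy minimum for a password that protects an emailed file.
MIN_LENGTH = 14

# Common character substitutions, undone before the dictionary lookup.
UNSUBSTITUTE = str.maketrans(
    {"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
     "@": "a", "$": "s", "!": "i"}
)


def stems(password):
    """Reduce a password to the plain words that simple variations hide."""
    lowered = password.lower()
    # Drop digits/punctuation added at either end: "Green2009!" -> "green".
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    forms = {lowered, stripped,
             lowered.translate(UNSUBSTITUTE), stripped.translate(UNSUBSTITUTE)}
    # A reversed word is another common variation.
    return forms | {form[::-1] for form in forms}


def audit_file_password(password, wordlist, previously_used=()):
    """Return the reasons a password is unfit to protect an emailed file."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    hits = stems(password) & set(wordlist)
    if hits:
        findings.append(f"dictionary word or variation of one: {sorted(hits)[0]}")
    if password in previously_used:
        findings.append("already used for earlier correspondence")
    return findings


if __name__ == "__main__":
    for candidate in ("green", "Gr33n2009!", "t7#Vq9!mZx2&Lp4w"):
        print(candidate, audit_file_password(candidate, SAMPLE_WORDS, ["green"]))
```

An empty result only means the password avoided these specific weaknesses; the file is still sent over insecure email and its protection still depends on the encryption the file format uses.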
How does SecureLine work?
- You create an email with any number of attachments and select SecureLine to send it to your client.
- Your client gets a notice of the secure message and goes to LuxSci’s SecureSend Portal by clicking on a link contained in the notification email.
- Once in the SecureSend Portal, your client answers a question that you have agreed upon which allows them to access and download the information and/or documents sent by you to them. Your clients can even reply back to you securely from the SecureSend Portal.
- Your clients can also initiate a secure email to you by going to a website link that you provide to them. And that linked website can be Private Labeled with your own domain name, logo, and graphics. There, the client uses your LuxSci email address to send you an encrypted message using a simple web-based interface.
- You can view the message in your normal LuxSci web-based email or in your email program (e.g. Outlook or Thunderbird). You can also reply securely to your clients from web-based email or Outlook (or other programs) right away.
Both scenarios use secure, end-to-end encryption. Neither option requires your client to “set up” anything. Your clients only need one email address that you provide to them. Sounds easy? It is!
This is much better than using a “password-protected file” as the message and files are never sent over the Internet and can never be intercepted and subject to direct attack. They remain encrypted and safe on a secured server until the recipient comes along and proves that (a) s/he received the message, and (b) can answer the security question that you have provided.
If you would like to discuss how SecureLine might apply to and be customized for your organization, please contact LuxSci Sales. The cost/benefit of LuxSci’s SecureLine email will be apparent to you very quickly! The increased business and enhanced reputation for your business will be directly related to your proactive use of secure email.
February 14th, 2009 at 2:07 pm
[...] Edited by Erik Kangas, PhD, President of LuxSci Bringing you news, solutions and insider insight on LuxSci and our digital life « Accounting, Taxes, and Identity Theft [...]
February 15th, 2009 at 6:06 pm
Identity theft is a big problem these days. In times of recession people will stoop to ultimate lows to make money for their families. I found some good ways to prevent identity theft in this article. I hope it helps you too.
http://www.gotoguy.com/2009/02/15/prevent-identity-theft/
March 8th, 2009 at 12:19 pm
[...] cost of ignoring email threats can be catastrophic: loss of email and confidentiality, identity theft, lack of privacy, even the loss of the use of your [...]
May 6th, 2009 at 4:58 pm
Identity theft is an issue all across the world.
It is best that people ensure that they keep their mail secured and take precautions before handing out information.