Is your Accountant protecting your privacy and identity?

April 15th, 2015

Everyone always harps on the necessity of privacy when discussing health care, government, and banking communications. It is surprising how little attention is paid to email security with regard to accounting and tax preparation. There is a real danger of identity theft, unintended information disclosure, and invasion of privacy when using tax preparation services or organizations that do not use secure email. Why is this?

We have a professional accountant on our staff who has been helping businesses and individuals with tax preparation for more than 20 years.  She has put together a list of things that accountants and tax preparation organizations typically send or receive over normal insecure email:

  • Tax Returns (Individual/Corporate/Partnership/Non Profits/Payroll etc.)
  • W-2 forms, 1099 Forms and K-1 forms (all have your social security number)
  • Bank Statements
  • Credit Card Statements
  • Investment Brokerage Statements
  • Financial Statements (Balance Sheet, Income Statements, etc.)
  • HUD Closing Statements (Real Estate Settlement Sheets)
  • Stock Transaction Statements of Realized Gains/Losses (aka Cost Basis Statements)
  • Bank Information for Direct Deposit of tax refunds (Bank Name, Routing Number,
    and Account Number)
  • Photocopy of voided check for direct deposit of tax refunds
  • QuickBooks backup files
  • Bank Activity downloaded as an “.iif” file to be imported into QuickBooks
  • IRS and State Taxing Authorities Correspondence
  • CPA Audit Journal Entries, Trial Balances etc
  • Automobile Purchase Agreements and Loan Agreements
  • Payroll Information and W-4 forms
  • 1099-MISC information (names, addresses, social security numbers, and yearly amount)

Wow! These documents provide all sorts of information to prying eyes – your social security number, bank account numbers, business details, clients’ and vendors’ names and contact information. The list goes on and on.  This information could enable anyone to get into your accounts, create credit cards in your name, assume your identity, take over online accounts, and more.

Accountants and agents who accept and send this information over insecure email, or even worse, via free public email accounts like Gmail, Yahoo, AOL, etc., often show little concern for the potential impact that any single security gap can have on their clients.

Those who treat these issues with the seriousness that the protection of customer data warrants offer a serious value-add to their services.

What do accountants need to do to prevent data privacy breaches?

The easy thing to do is to never send sensitive documents over email (or insecure FAX).  That, by itself, will go a long way to safeguarding client data.

However, if you want or need to use email to facilitate quick and inexpensive paper-free communications, you, as an accountant, need to ensure that:

  • All sensitive information sent to your clients is encrypted in transit to them and that only the intended recipient can open the “package”.
  • All sensitive information that your clients send to you is encrypted starting from their computers all the way to your desktop.
  • Privacy can be guaranteed in a way that is not “painful” …  i.e., not too cumbersome to be a problem in and of itself.

Knowing what needs to be done and finding a cost-effective way to do it are two very different issues. LuxSci’s SecureLine service allows users to accomplish both tasks … 1) sending secure email to anyone and receiving secure email from anyone … 2) without anyone needing to install special software and with a price tag that is very small.  And it doesn’t have to cost your clients anything!

What about just sending an encrypted file?

Many tax preparers (even at big companies) who do “something” to mitigate the email security issue will send a “password protected” file. Then they will call the recipient and tell them the password over the phone. This mechanism usually has some serious drawbacks:

  1. It is common for the “password” to be some simple word, like “green”, that is in the dictionary and which is used for ALL of their “secure email correspondence”.
  2. The message itself is still sent insecurely.  Anyone who can intercept the message can have access to the password-protected file.  They can then proceed to break into it.  How?
    • If the encryption used is poor (or non-existent), it will be simple for an experienced hacker to unlock it.
    • If the password chosen is poor, it can easily be detected by simply trying all the words in the dictionary, along with common variations on them.  This is both fast and easy to do these days.

So, how secure is that “password protected file?” You can answer part of that yourself by looking at what the “password” being used is. Also, a quick search on Google shows lots of tools out there for “password recovery” for Word, Excel and other files! For example, one of the first search results we saw was Password-Studio. Anyone could get one of these programs and have a good chance of quickly unlocking a password-protected file. Furthermore, most password-protected files generated by standard programs are not very well encrypted. Not too secure, huh?
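The dictionary weakness described above can be checked before a password is ever used to protect a file. The following Python sketch is an added example, not part of the original article or of any LuxSci product; the wordlist is a constructed sample, and the dictionary size and variation count are assumed round numbers.

```python
import math
import string

# Constructed sample wordlist; a real audit would load a full dictionary file.
SAMPLE_WORDS = {"green", "password", "taxes", "summer", "client", "refund"}

# Common character swaps people use to "strengthen" a dictionary word.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def dictionary_core(password, words=SAMPLE_WORDS):
    """Return the dictionary word a password is built on, or None."""
    lowered = password.lower()
    # Drop digits/punctuation added to either end (e.g. "Green2015!").
    stripped = lowered.strip(string.digits + string.punctuation)
    for candidate in (lowered, stripped,
                      lowered.translate(LEET), stripped.translate(LEET)):
        if candidate in words:
            return candidate
    return None


def estimated_bits(password, dictionary_size=200_000, variations=1_000):
    """Rough upper bound on guessing effort, in bits.

    dictionary_size and variations are assumptions, not measured values.
    """
    if dictionary_core(password) is not None:
        # Effort is bounded by words x common variations, not by length.
        return math.log2(dictionary_size * variations)
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet or 1)


if __name__ == "__main__":
    for pw in ("green", "Green2015!", "Gr33n!", "vK9#tq2LmX7rWd"):
        core = dictionary_core(pw)
        verdict = f"built on '{core}'" if core else "no dictionary core found"
        print(f"{pw:16} {verdict:26} ~{estimated_bits(pw):.0f} bits")
```

A password that reduces to a dictionary word scores under 30 bits here regardless of the digits or symbols added to it, which is why reusing one simple word for all “secure” correspondence offers so little protection.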

How does SecureLine work?

SecureLine supports a number of different encryption modes, from the very simple TLS to the advanced PGP and S/MIME encryption methods. However, we find that accountants prefer the simplicity and clear security of our “Escrow” secure message pickup method:

  1. You create an email with any number of attachments and select SecureLine to send it to your client.
  2. Your client gets a notice of the secure message and goes to LuxSci’s SecureSend Portal by clicking on a link contained in the notification email.
  3. Once in the SecureSend Portal, your client registers (1st time only) or answers a question that you have agreed upon which allows them to access and download the information and/or documents sent by you to them.  Your clients can reply back to you securely from this secure portal.
  4. Your clients can initiate a secure email to you by going to a website link that you provide to them. (That website can be Private Labeled with your own domain name, logo, and graphics, if you like.) There, the client uses your LuxSci email address to send you an encrypted message using a simple WebMail interface.
  5. You can view the message in your normal LuxSci web-based email or in your email program (e.g. Outlook or Thunderbird). You can also reply securely to your clients from web-based email or Outlook (or other programs) right away.

Both scenarios ensure secure, end-to-end encryption. Neither option requires your client to “set up” anything. Your clients only need the one email address that you provide to them. Sounds easy? It is!

This is much better than using a “password-protected file” as the message and files are never sent over the Internet and can never be intercepted and subject to direct attack.  They remain encrypted and safe on a secured server until the recipient comes along and proves that (a) s/he received the message, and (b) can answer the security question that you have provided.

If you would like to discuss how SecureLine might apply to and be customized for your organization, please contact LuxSci Sales.  The cost/benefit of LuxSci’s SecureLine email will be apparent to you very quickly!

The increased business and enhanced reputation for your business will be directly related to your proactive use of secure email.