Securing Client Data
It is getting to the point where you cannot listen to the news without hearing about the latest data breach and personal info being stolen. What got me today - the SEC got hacked. Why that impacted me more than the Equifax thing is still a mystery, but here is my concern.
We have a ton of vital client info in our possession, and more and more, keeping that information is becoming a liability. Even my professional practices insurance company is covering us for data breaches. So, if the guys with million-dollar security system budgets can’t get it right, what hope do we have? Well, for starters, we can at least cover the basics.
Paper files – keep them locked up. I know we are all thinking about cyber security, but physical security is important as well. About three years ago, we had 8 four-drawer file cabinets full of client info like name, address, social and taxable income. In the last few years, we have made a conscious effort to reduce the amount of paper hanging around the office. So, now we shred all non-current data. We also put locks on our file cabinets. We did the “after market” locks, so there are these big clunky metal bars on the outside of the cabinets with ugly padlocks on top. They don’t look great, but if someone wanted to steal our physical files, it would at least take them a while to get at them.
Our computers are password protected. Screen locks, program passwords, systems that time out if left alone for XX number of minutes. For example, to get to our tax data file, you would need four different passwords (and one of those passwords changes every 60 days). Yup, takes a ton of time to get into your system should you walk away from your desk, but that is the environment we live in. To take it one step further, I am going to take the advice of our IT guy and encrypt the computers. Not 100% sure exactly what that entails, but we learn as we go.
We password protect PDFs that are sent out via email. Adobe Acrobat has a password encryption function that will add a password to your document. You can take things one step further and get a secure file transfer system like ShareFile, OneDrive, Egnyte, or Onehub, just to name a few. That way you can upload a file and the client can have access to the file without having to go through the time-consuming process of password protecting (and forgetting what password you assigned to what file).
Keep all your software current. Experts will pretty much agree that an out-of-date computer will put you at risk. Software that is so out of date that it is not even supported anymore is an even greater risk. Here is where our firm can use some improvements. Let me explain.
A few years back when Windows 10 came out and Microsoft was allowing everyone to download the new operating system for free, we went for it and downloaded Windows 10. All hell broke loose. For whatever reason, it completely messed up our tax software. After hours and hours on the phone with tech support (who insisted that they were compatible with Windows 10), we threw up our hands, and went back to Windows 7. Now, I keep hearing about the improved security features of Windows 10, so I am willing to try it again. Except I will wait until after October 15th since I am in no mood to provoke the computer gods.
Anyway, I rattle all this stuff off, but in all honesty, these four simple steps took us years to implement. Some parts were easy (padlocks on the file cabinets) and some were really hard and had a huge learning curve, but the harsh reality is that being a custodian of client information requires us to take additional steps to protect that info. I don’t know, maybe our first step is to look at documents a bit differently. Before just chucking something in the trash, we should take a look – is there a social security number, is there an account number? If so, put it in a shred pile and not in the recycle bin. That change in mindset can lead to other things like changing our computer protections, which can lead to other aspects of securing our and our clients’ data.