How To Satisfy IRS Pub 4557 Guidelines with Client Portals
Are you sure that your client portal is secure? IRS Publication 4557 provides guidelines to protect both your business and your clients’ data. Some of those guidelines are in fact legal requirements. Specifically, the Gramm–Leach–Bliley Act (GLB) requires all financial services providers, including accounting firms and financial advisors, to safeguard client data. The FTC’s guide to compliance specifically includes security considerations for client data when it is sent to or received from clients or others.
Email is not secure and does not meet compliance requirements. To stay secure, many accounting firms, tax professionals, bookkeepers and financial service professionals use client portals.
The question is: How secure is your client portal?
Not all portals include all safeguards: some only protect data during transfer and not in storage. Others do not keep remote data backups to protect against major events. In this post, we review three of the most basic security requirements for a secure client portal, without relying on technology jargon.
Encryption in Transit
To be secure, files or messages you send to or receive from clients should be encrypted while they are transferred. If your portal claims the use of SSL encryption or 256-bit SSL technology, or specifically mentions encryption in transit, then most likely your client portal does use encryption during file transfers. All portals reviewed in this comparison of the top 11 client portals for accountants report the use of encryption for data transfer and hence satisfy this requirement.
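A vendor's "SSL" claim is a starting point, but what the portal actually does can be observed directly. The following script is an added example, not code from the original post or from Encyro or any other portal vendor: it checks whether the plain-HTTP address redirects to HTTPS, which TLS version the server negotiates, and whether the HTTPS response carries a Strict-Transport-Security header. The evaluation logic is separated from the live probe so it can be run on constructed observations; the host name `portal.example` and the sample observations are constructed for illustration.

```python
"""Added example: observe a client portal's transport security instead of
relying on a marketing claim.  Standard library only."""
import http.client
import socket
import ssl
from urllib.parse import urlsplit

# TLS 1.0 and 1.1 are deprecated; anything older than 1.2 is a finding.
ACCEPTABLE_TLS = {"TLSv1.2", "TLSv1.3"}


def assess_transport(scheme, http_redirect_location, tls_version, response_headers):
    """Return a list of findings; an empty list means no transport-layer concerns.

    scheme                 -- scheme of the portal link the firm hands to clients
    http_redirect_location -- Location header from the plain-HTTP request, or None
    tls_version            -- protocol negotiated with the HTTPS endpoint, or None
                              if the handshake (including certificate check) failed
    response_headers       -- headers of the HTTPS response, keys lower-cased
    """
    findings = []
    if scheme != "https":
        findings.append("portal link handed to clients is not an https:// address")
    if not (http_redirect_location or "").startswith("https://"):
        findings.append("plain-HTTP address does not redirect to HTTPS")
    if tls_version is None:
        findings.append("TLS handshake failed or certificate did not verify")
    elif tls_version not in ACCEPTABLE_TLS:
        findings.append(f"negotiated {tls_version}; TLS 1.2 or newer expected")
    if response_headers.get("strict-transport-security") is None:
        findings.append("no Strict-Transport-Security header (browsers may be downgraded)")
    return findings


def probe_portal(url, timeout=5):
    """Collect the three observations from a live portal and assess them."""
    parts = urlsplit(url)
    host, path = parts.hostname, parts.path or "/"

    # 1. Does the plain-HTTP address redirect to HTTPS?
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    conn.request("GET", path)
    resp = conn.getresponse()
    location = resp.getheader("Location") if 300 <= resp.status < 400 else None
    conn.close()

    # 2. Which TLS version is negotiated?  The default context verifies the
    #    certificate chain and host name, so a bad certificate shows up here.
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                version = tls.version()
    except (ssl.SSLError, OSError):
        version = None

    # 3. Does the HTTPS response pin browsers to HTTPS via HSTS?
    headers = {}
    if version is not None:
        sconn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
        sconn.request("GET", path)
        headers = {k.lower(): v for k, v in sconn.getresponse().getheaders()}
        sconn.close()

    return assess_transport(parts.scheme, location, version, headers)


if __name__ == "__main__":
    # Constructed observations for a portal that handles transport well...
    good = assess_transport("https", "https://portal.example/", "TLSv1.3",
                            {"strict-transport-security": "max-age=31536000"})
    # ...and for one that claims "SSL" but leaves the plain-HTTP door open.
    weak = assess_transport("http", None, "TLSv1.0", {})
    print("good portal:", good or "no findings")
    print("weak portal:", weak)
    # To check a real portal: print(probe_portal("https://portal.example/"))
```

Run `probe_portal` against the exact link you give clients; a portal that serves the login page over TLS 1.3 but still answers on plain HTTP without redirecting, or without HSTS, leaves clients one typo away from an unencrypted session.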
Encryption in Storage
Files that you transfer using a client portal are stored on the portal provider’s servers or in the cloud. To be secure, these files should be encrypted while stored. Unfortunately, encryption in storage is not as commonly employed as encryption in transit. Many client portal implementations attempt to protect the data only by restricting access to their servers. However, if a server is stolen, mistakenly removed along with other servers during repairs or replacement, or has its hard disks replaced, the data can be breached. Whether or not the data is misused, any unencrypted data that is lost by any means is considered a data breach. State laws require you to inform all your clients in case of a data breach. Such an incident can quickly erode the trust that you have earned from clients over years. In fact, 60% of small businesses shut down after a data breach, according to the SEC.
In the review of the 11 client portals mentioned above, some of the portals did not report the use of encryption for stored data. Check the list to find out whether your current portal is among the vulnerable ones. The summary tables for integrated portals and standalone portals will help you find this information quickly.
If you need to sign up for a secure portal that does encrypt data during storage, feel free to sign up for a free trial of Encyro (no credit card or payment needed to sign up).
Distant Off-site Backup
Major events such as fires, flooding, or equipment breakdown in a server room or data center can destroy the data stored there along with all of its backups at that location. Additionally, weather events such as hurricanes and snowstorms can affect an entire region spanning several miles or tens of miles. A nearby off-site location, such as a corporate office in a different building than the server room, may be affected at the same time. Hence it is necessary to back up data at a remote location that is far away, ideally hundreds of miles away.
Specifically, Checklist 4 in IRS Publication 4557 requires you to build a contingency plan for data in case of a disruption, as well as to maintain data backups.
Among the 11 portals in the comparison mentioned above, only 2 in each category report the use of off-site backups, and some of those with a delay as long as one week. Only the 2 in the standalone category use an off-site backup with daily or more frequent copying of data. And of these two, only one, Encyro, reports that the off-site backup is located hundreds of miles away. Encyro also reports the lowest backup delay (30 minutes), so that in case of a major event, more recent data will be preserved for you.
A remote backup is a key component of data loss prevention, and if your current client portal does not include this protection, you may wish to consider a service that does. Choose from the options in this table or sign up for a free 30-day Encyro trial.
The IRS guidelines for tax practitioners (IRS Pub 4557) provide 7 checklists, summarized with corresponding action items here. Checklists 4 and 5 in IRS Pub 4557 cover information systems security and computer systems security.
Accounting and tax professionals are especially vulnerable after the tax season, when their data assets are loaded with sensitive information such as social security numbers, income and bank statements, and family details for many new and old clients. Now is a good time to review your data protection safeguards.