Protecting client info - E-mail password policies

#1
Wiles  
Posts:
5052
Joined:
21-Apr-2014 9:42am
Location:
CA
I am having a discussion with another CPA that insists that all e-mail attachments be password protected.

My rebuttal to this is what about the text of an e-mail that says the same thing. How is that to be protected?

For example, let's say I want to send a client a schedule of estimated tax payments. No SSN's; just a schedule of dates and amounts. If I type the schedule into the text of the e-mail, it is not password protected. If I attach a pdf showing the exact same thing, he insists this must be password protected.

I am asking him to explain the difference. He can only reply saying "All attachments must be password protected."

Is there a difference here? Or am I just beating my head against the wall?
 

#2
wel  
Posts:
116
Joined:
3-Sep-2016 4:29am
Location:
USA
IMO, it depends upon the attachment. If the attachment contains confidential taxpayer info, SSNs, etc. - then password protect. If the attachment is an IRS Circular E, or a blank 1040-ES voucher (with no info on it) - the attachments contain no confidential info and there's no reason to password protect.
 

#3
Wiles  
Posts:
5052
Joined:
21-Apr-2014 9:42am
Location:
CA
How about my example above? Would you password protect the pdf that shows their estimated tax payment schedule?

If so, then what would you do with same info in the text of an email?
 

#4
CathysTaxes  
Moderator
Posts:
3557
Joined:
21-Apr-2014 9:41am
Location:
Suburb of Chicago
Only if the estimated schedule has the client's EIN.
Cathy
CathysTaxes
 

#5
Posts:
3694
Joined:
21-Apr-2014 11:24am
Location:
North Carolina
To answer your specific example, I would not treat a list of dates and payment amounts as confidential. However, it is a matter of policies and procedures. If one has an office policy to password-protect PDF files, that is what should be done without exception. I have heard this in CPE classes often enough, although it was specifically in the context of demonstrating sound policies to avoid preparer penalties.

I never send attachments via email. It is our office policy to use our secure portal and we strongly encourage clients to do the same for incoming stuff.
 

#6
ATSMAN  
Posts:
2094
Joined:
31-May-2014 8:34pm
Location:
MA
If a client is asking for a document for internal use or for informational purposes that has an EIN or SS#, I X out all the digits or just leave the last 4. I have a full Adobe editor so I can do that. I also encrypt the attachment with a password UNLESS the client specifically requests not to encrypt the attachment.

For documents that are to be filed or submitted to financial organizations, it is ALWAYS encrypted. They can decrypt it and forward it if they want. The other option is hard copies and arrangements have to be made for mailing or pickup.
 

#7
Posts:
2887
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
Depends on the nature of what I am sending. By CONFIDENTIAL, that means it includes identifying information for the individual or entity. If such identifying information is missing, I generally do not take extra measures. I would not deem basic estimated payment information as confidential if it is just dates and amounts, but one could conclude that if it were to end up in the wrong hands, by merely referencing the client or their e-mail address, it could be deemed confidential since it is possible to then identify the client.

While I do password protect confidential PDF documents, it is insufficient. The default password protection of PDFs from software applications such as FileCabinet and UltraTax is insufficient protection. Adobe Acrobat CAN actually encrypt a document, but a lot of applications only rely on simple password protection which can be easily cracked. Accordingly, my new habit is to send documents via encrypted e-mail. Very simple for me since the encryption is a plug-in to my Outlook, and my clients just have to open up the same website they use for my encrypted portal.

I fully agree with SumwunLost...follow office policy/practice, because failing to do so will be brought up if a legal issue ensues.
 
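As an added illustration of the distinction drawn in the post above between a mere "password" and real encryption (this is example code written for this thread, not the poster's tool, and it says nothing about FileCabinet or UltraTax specifically), here is a small Python check that reads a PDF's /Encrypt dictionary and reports whether the file declares 40-bit RC4, 128-bit RC4 or AES, or AES-256. The three PDF fragments are constructed inline for the demonstration.

```python
import re

# Constructed sample PDF fragments (not the output of any real tax software):
# each mimics the /Encrypt object and trailer that a PDF writer emits.
SAMPLE_RC4_40 = (
    b"%PDF-1.4\n5 0 obj\n<< /Filter /Standard /V 1 /R 2 /Length 40 /P -3904"
    b" /O <aa> /U <bb> >>\nendobj\ntrailer\n<< /Root 1 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)
SAMPLE_AES_256 = (
    b"%PDF-1.7\n7 0 obj\n<< /Filter /Standard /V 5 /R 6 /Length 256 /P -3904"
    b" /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >>"
    b" /StmF /StdCF /StrF /StdCF /O <aa> /U <bb> /OE <cc> /UE <dd> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Encrypt 7 0 R >>\n%%EOF\n"
)
SAMPLE_PLAIN = b"%PDF-1.4\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"


def describe_pdf_encryption(data: bytes) -> dict:
    """Follow the trailer's /Encrypt reference and report /V, /Length and
    the crypt filter method (/CFM) of the standard security handler.
    Returns {'encrypted', 'algorithm', 'key_bits', 'weak'}; 'weak' is True
    for anything other than AES (RC4 of any length, or no encryption)."""
    ref = re.search(rb"/Encrypt\s+(\d+)\s+(\d+)\s+R", data)
    if not ref:
        return {"encrypted": False, "algorithm": None, "key_bits": 0, "weak": True}
    obj = re.search(rb"(?<!\d)" + ref.group(1) + rb"\s+" + ref.group(2)
                    + rb"\s+obj\s*<<(.*?)>>\s*endobj", data, re.S)
    body = obj.group(1) if obj else b""

    def int_entry(key: bytes, default: int) -> int:
        # first occurrence wins; the top-level /Length precedes the /CF sub-dictionary
        m = re.search(rb"/" + key + rb"\s+(\d+)", body)
        return int(m.group(1)) if m else default

    v = int_entry(b"V", 0)
    cfm = re.search(rb"/CFM\s*/(\w+)", body)
    cfm = cfm.group(1).decode() if cfm else None
    if v == 1:                   # original 40-bit RC4: key space is brute-forceable
        algo, bits = "RC4", 40
    elif v == 2:                 # RC4 with a declared key length (up to 128 bits)
        algo, bits = "RC4", int_entry(b"Length", 40)
    elif v == 4:                 # crypt filters: AESV2 means AES-128; /V2 (or none) means RC4
        algo, bits = ("AES" if cfm == "AESV2" else "RC4"), 128
    elif v == 5:                 # ISO 32000-2 (PDF 2.0): AESV3 means AES-256
        algo, bits = "AES", 256
    else:                        # missing or non-standard object: treat as unknown
        algo, bits = "unknown", 0
    return {"encrypted": True, "algorithm": algo, "key_bits": bits, "weak": algo != "AES"}
```

What this check cannot tell you is whether the user (open) password is empty, the common "owner-only" setting that restricts printing and editing yet lets any reader open the file; that requires running the handler's password verification.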

#8
Wiles  
Posts:
5052
Joined:
21-Apr-2014 9:42am
Location:
CA
Thank you all for your input. I agree regarding following office policy. The purpose of this discussion is to develop the office policy.

Maybe it's the rebel spirit inside of me, but I despise any policy that says we always do this or never do this, when nobody can answer why.

Why is it OK to send information in the text of an e-mail, but password protect the same information just because it is in the form of an attachment?

If not all information is being protected, then shouldn't we promote an understanding of what should be protected?

Take, for example, a corporate EIN. Should that information be protected? Is this information common knowledge?
 

#9
smtcpa  
Posts:
515
Joined:
28-Jul-2014 5:16am
Location:
Richmond, VA
I don't understand the concept of password protecting a PDF if it's ok to send the same info via an unsecured email.

In actuality, password protected PDF files are not that safe. I have spoken with other CPAs/EAs that say there are very inexpensive programs that can open that protected PDF. I never email anything confidential. Always through our portal.
 

#10
Posts:
2887
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
Wiles wrote: Take, for example, a corporate EIN. Should that information be protected? Is this information common knowledge?


Generally, no. So consider it protected unless you have evidence otherwise that it is not.

I loathe illogical policies and decisions. To say to protect an attachment, but not the body of an e-mail that contains the same information, is asinine. If the information being communicated is at all sensitive, then take appropriate measures to protect it, INCLUDING body of e-mail regardless of if there is an attachment.
 

#11
Wiles  
Posts:
5052
Joined:
21-Apr-2014 9:42am
Location:
CA
CornerstoneCPA wrote: Generally, no. So consider it protected unless you have evidence otherwise that it is not.

Would you consider the 30 W-2s handed to their employees and the 20 1099s sent to their contractors as evidence otherwise?
 

#12
Posts:
2887
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
Wiles wrote: Would you consider the 30 W-2s handed to their employees and the 20 1099s sent to their contractors as evidence otherwise?


Still treat it as confidential, unless it is information readily available to the public by law...e.g., non-profits where the EIN is available on 990s and the IRS EO website.

It's like receiving a check. Ok, I now have the entity's routing and account number. Can I freely distribute? Nope, still considered confidential and I need to take effort to safeguard that information.
 

#13
makbo  
Posts:
6840
Joined:
23-Apr-2014 3:44pm
Location:
In The Counting House
We read about preparer offices being hacked via remote access software, and we hear about phishing emails, and we hear about compromised logins to the IRS or other tax agencies.

But, I've never heard of an intercepted email attachment as being the source of data used by a fraudster. While it's true that there are an unknown number of intermediate mail servers between sender and recipient, for the most part those are controlled by professional organizations. The lonely network admin sitting in a cage in a server farm somewhere probably isn't looking for tax data among the millions of email attachments, assuming we at least mask SSNs and birthdates.

However, Google software might be scanning attachments looking for advertising opportunities, I suppose. NSA is probably taking a look, too.
 

#14
Wiles  
Posts:
5052
Joined:
21-Apr-2014 9:42am
Location:
CA
Good points, makbo. I agree.

I think the biggest risk with e-mail is the unintentional transmission of client information to a third party. Of course, this is true with all forms of communication - fax, mail, telephone, conversation.

The harm is not the malicious use of that information by the unintended recipient. It's the badwill it creates with the client when they discover that somebody else received their information.
 

#15
Frankly  
Moderator
Posts:
2455
Joined:
21-Apr-2014 9:08am
Location:
California
Wiles wrote: Maybe it's the rebel spirit inside of me, but I despise any policy that says we always do this or never do this, when nobody can answer why.
It's for "security purposes". It's for your own good. If you don't do it you're going to be arrested.

CornerstoneCPA wrote: I loathe illogical policies and decisions.
If it's for "security", no logic is necessary, only paranoia.

makbo wrote: But, I've never heard of an intercepted email attachment as being the source of data used by a fraudster.
The recipient's 12-year-old kid might read his dad's e-mail. Other than that, it's never happened. But it could happen. You never know when these things happen.

These things happen
 

#16
Posts:
2887
Joined:
21-May-2018 7:50am
Location:
Northern MI and Coastal SC
An e-mail being intercepted is not the concern for most people. Most of us take sufficient measures to work with reliable service providers and, hopefully, to have a high level of assurance that our own PCs and servers are free of malicious software. The real issue is human error--unintentionally sending to incorrect person or attaching incorrect file.

One of my tax clients is with a regional bank. She used her work e-mail to send me personal tax information. Instead of attaching the scanned tax docs, she accidentally attached a list of recently opened bank accounts with the names of the holders and current balances. I notified her of the error and it took a few months going back and forth with their security and legal department before the matter was settled via an affidavit concerning MY actions and security policies. Only reason it actually took so long was their affidavit contained language I was not willing to agree to (full indemnification of bank), and so I just made them wait until they gave in and completely removed the language.
 

#17
CathysTaxes  
Moderator
Posts:
3557
Joined:
21-Apr-2014 9:41am
Location:
Suburb of Chicago
I hate it when people use their employer email account to send personal information.
Cathy
CathysTaxes
 

#18
Frankly  
Moderator
Posts:
2455
Joined:
21-Apr-2014 9:08am
Location:
California
CornerstoneCPA wrote: The real issue is human error--unintentionally sending to incorrect person or attaching incorrect file.

That could be mighty embarrassing to be sure. But it's not much of a security risk unless you happened to send it to one of your dark web hacker type tweeker correspondents.

The story about the bank panic is a good example of an overblown reaction to a minor incident. You could have simply told her she sent the wrong file and that you deleted it. End of story. But security and legal types get paid to panic over such things. It's their job.
 

#19
CathysTaxes  
Moderator
Posts:
3557
Joined:
21-Apr-2014 9:41am
Location:
Suburb of Chicago
CornerstoneCPA wrote: An e-mail being intercepted is not the concern for most people. Most of us take sufficient measures to work with reliable service providers and, hopefully, to have a high level of assurance that our own PCs and servers are free of malicious software. The real issue is human error--unintentionally sending to incorrect person or attaching incorrect file.

One of my tax clients is with a regional bank. She used her work e-mail to send me personal tax information. Instead of attaching the scanned tax docs, she accidentally attached a list of recently opened bank accounts with the names of the holders and current balances. I notified her of the error and it took a few months going back and forth with their security and legal department before the matter was settled via an affidavit concerning MY actions and security policies. Only reason it actually took so long was their affidavit contained language I was not willing to agree to (full indemnification of bank), and so I just made them wait until they gave in and completely removed the language.

I would have told them that you did nothing wrong and if they didn't leave you alone, you'd sue them, or threaten to go public. I'm sure their customers would love to know how secure their info is.
Cathy
CathysTaxes
 

#20
Wiles  
Posts:
5052
Joined:
21-Apr-2014 9:42am
Location:
CA
CornerstoneCPA wrote: Still treat it as confidential, unless it is information readily available to the public by law...e.g., non-profits where the EIN is available on 990s and the IRS EO website.

Let's discuss whether a business EIN is worthy of protection. In this discussion, I believe we have identified three forms of risks related to client information:
1. Malicious use by active interceptor
2. Malicious use by unintended recipient
3. Client badwill, but no malicious use

I have my biases about these risks with respect to an EIN. I just do not see any real world malicious use nor client badwill generated by exposing a client's EIN. Of course, we can all come up with some wild ideas. But, I am talking about the real world.

Anybody care to rebut?
 
