With cyber attacks hammering away at caches of protected data worldwide at a record-breaking pace in 2017 (791 breaches in the first half of the year), and often succeeding even against banks of information containing hundreds of millions of names, how is the “small business” possibly expected to protect its data?
This is one of many questions touched upon in late 2017 as the IRS hosted National Tax Security Awareness Week, which focused on tax preparers and the protection of taxpayer filing information.
As a property manager, you’re entrusted not only with employee personal data, but that of your clients and tenants as well. This is the precise type of information necessary for identity theft, which increases your responsibility to protect that information.
The following observations and recommendations are taken from the findings and information stemming from the service announcements and research provided by the IRS and can be applied to small businesses and individual taxpayers, as well as businesses responsible for others’ personal information.
Scope of the Problem
Every day, data thefts of all sizes put personal and financial information at risk. That record-setting first half of 2017 resulted in data breaches increasing by 29%, according to IRS sources. Already at this record-setting pace, the problem worsened significantly with the theft of 145,000,000 persons’ information from a major credit-reporting agency (Equifax).
One common tactic for illicitly gathering this information is through the use of “phishing.” Most have heard of phishing by now, a process where the perpetrator issues an email pretending to be the IRS or another authoritative source requesting that you “confirm” your information. They then direct you to another page and collect any information provided – to be used for filing phony tax claims, opening credit accounts, or a myriad of other malicious motivations.
Generally, thieves try to use the stolen data as quickly as possible before there is time to report it and freeze any affected accounts. That may mean selling the data on the Dark Web to other shady operations or attempting to access financial accounts for withdrawals or credit cards for charges, even a possible fraudulent tax return in victims’ names for a refund.
Note: The holiday online shopping season and tax seasons are two of the most popular periods for cyber theft.
Prevention and Correction
There are steps that can be taken to guard against cyber attacks as well as to remedy the issue if it’s already happened. The following series of recommended prophylactic steps and post-breach fixes look at the issue from several angles including:
- small business protection of client data
- individual protection of personal and tax information
- small business protection of tax data
- post-breach curative measures
Prevention Measures for Individuals and Small Businesses
- A good starting point always is the use of strong, unique passwords for each online account. Some experts recommend a minimum 10-digit password that uses letters, numbers, and special characters, as well as different passwords for each account, using a password manager or password app if necessary.
- Tip: Sometimes Facebook and other online polls asking about your favorite book or movie, where you went to school, favorite hobby, etc. are actually looking for clues as to what you might use for your password
- Tip: Likewise, do not include personal information in passwords such as names of siblings, friends, children, and pets on social media sites which make it easier for cybercriminals to figure out passwords that include this info
- Avoid conducting any business (personal or professional) on unsecured Wi-Fi in public locations
- Tip: if you don’t know the network or account that you’re on, don’t share anything you wouldn’t otherwise share in public where you don’t know who all is listening
- Never click on links or download attachments from unknown or suspicious email addresses
- Tip: this should be second nature by now – don’t click on attachments from sources you don’t know, plain and simple. If unsure about the requester, contact who you believe it to be from and confirm it. Don’t click and hope for the best!
- Tip: the IRS does NOT initiate contact with taxpayers by email or phone to request personal or financial information or to expedite your payment under the threat of freezing your bank account – the IRS always begins with contact by mail.
- Tip: individuals or businesses who receive unsolicited emails claiming to be from the IRS should forward it to email@example.com and then delete it
Small Business Breach: Preventing and Rehabilitating
Signs that your business might have been breached include:
- IRS rejects e-file return because it already received one with that identification number
- IRS rejects a filing extension request because it already received one with that identification number
- Receipt of an unexpected tax transcript
- Receipt of an IRS notice that doesn’t relate to anything they submitted
- Stop receiving expected or routine mailings from the IRS
Steps Small Businesses Can Take to Protect Data
There are a number of steps that can be taken by and for small businesses in addition to those that protect the individuals (listed above). These include:
- Protect your employer identification numbers
- The IRS is requesting additional verification information for 2018 to confirm the legitimacy of your tax return, e.g., filing history, payment history and parent company information (if applicable)
- The IRS, state tax agencies, and the tax industry urge businesses to immediately report data losses to the IRS and state tax agencies “to ensure the safety of their systems, practitioners should promptly report identity theft or data breaches to help protect their clients.”
- Tip: be aware that some states require notification of data losses
Action for Individuals after a Breach
There are steps that both individuals and small businesses can take AFTER a breach has occurred which can mitigate the harm caused by the breach. Actions that can be taken by the individual or the small business include:
- Checking credit monitoring services for activities that you don’t recognize, and freeze any accounts and prohibit access to credit records, plus reset passwords as necessary (especially on financial accounts)
- Note: there may be a fee in some states for freezing access to credit records
- Determining exactly what information was compromised
- Determining if the criminals accessed emails and passwords, or more sensitive data such as name and Social Security number
- Inquiring of the breached company(ies) (for the individual or for the property manager using another service that was breached) if they offer credit monitoring services to victims and take advantage of it if they do
- At a minimum, placing a fraud alert on credit accounts by contacting one of the three major credit bureaus, which is not as secure as a freeze, but is free
- Using two-factor authentication (2FA) wherever it is offered on financial, email, and social media accounts, which requires entry of a username and password and then a security code, generally sent via text to a mobile phone you’ve pre-registered
This is just a starting point for the small business and individual to work from. Guarding data is a full-time endeavor, one that falls a little more heavily on property managers than many other small businesses because of the type of information that property managers are entrusted with. For more ideas on how to avoid data breaches and identity theft, see the IRS Security Summit webpage.
About the Author
Brian Murphy, TaxCE.com
Brian Murphy is a technical writer for www.TaxCE.com, which provides continuing professional education for tax preparers and enrolled agents. Brian has degrees in political science, journalism, and law, a real estate license, extensive experience working for both private and public agencies, and a deep personal interest in sharing information that makes people’s’ lives a little easier.