DMS for Accountants Not Optional Anymore


Transcript of DMS for Accountants Not Optional Anymore

July, 2014

DMS for Accountants: Not Optional Anymore

Does this sound familiar...?

You’ve just received a call from an important client. They are requesting a specific piece of information and they need it fast. You politely say, “Let me check. I’ll get back to you.” The minute you hang up the phone, panic ensues as you dig through files, trying to find what your valued client needs.

If you can’t find the information quickly, your entire office might join the search and dig through files, shutting down the entire day’s productivity.

If you can relate to this scenario, chances are your firm is not utilizing a proper Document Management System. Any inability to quickly retrieve and securely manage information means that your firm is potentially jeopardizing your relationship with an important client and losing time and money due to poor operational systems. Without appropriate document retention, an accounting firm will inevitably experience some level of embarrassment, unnecessary chaos, poor service perception, and even fear. But there are far more frightening threats—think public embarrassment, legal liability, even criminal liability—the stuff of every firm owner’s nightmares. In a time when excellent and affordable DMS systems are readily available, no firm should be relying on paper files.

There are many reasons why having a paperless DMS is no longer optional—reasons such as improving the bottom line, increasing employees’ work-life quality, and disaster recovery planning, but perhaps the most compelling reason of all is SECURITY.

Topics

• Managing Information Security Risks

• Security Starts on the Inside

• Security Breach Notification Laws

• Safeguarding Client Information

• What to Look for in a Secure DMS

www.efilecabinet.com


MANAGING INFORMATION SECURITY RISKS

Just as location is key to success in real estate, managing information security risks is key to success in accounting practices. The laws and rules that regulate accounting documentation compliance are complex. The ever-changing regulatory environment that accountants live in makes it incredibly difficult to even know what is required, let alone how to stay 100% compliant. Although there are many advantages to working in this high-tech world, digitalization of information presents unique security challenges. New attacks and threats emerge almost daily.

SECURITY STARTS ON THE INSIDE

It is estimated that employees are responsible for most data breaches. The most recent Verizon Data Breach Investigations Report (DBIR) states that 58% of cyber security incidents are caused by employees, with 34% of those incidents caused by employee accidents in handling data, and approximately 24% by unapproved or malicious data use. Part of the unique challenge to data security is the fact that the feedback loop is notoriously bad. If you’ve been hacked, or someone has breached your clients’ data in any way, it can be difficult to even know the breach has occurred. It might be months or years before you are alerted. Sometimes you might never find out. It’s even harder to figure out who did it.

Given the high incidence of security breaches, including accidental breaches, it is imperative to make sure your firm is compliant. Regulatory compliance laws are complicated. Accountants are held to a large number of laws that affect document and data management, including HIPAA, FERPA, regulations under IRS Code Section 7216, Sarbanes-Oxley, and federal rules of civil procedure. Because of the complexity of these laws, it is vitally important you select a DMS that is highly compliant. Even with a compliant software or service provider, the customer of the software or service provider is ultimately responsible for the security of their own data. What does this really mean for you? Personal liability.

SECURITY BREACH NOTIFICATION LAWS

If your clients’ information has been breached in any way, 46 states now require that you notify the client. It is important to note that you are responsible for complying with the laws of all 46 states if the breached records belong to individuals or companies who are domiciled in those states.

Brian Tankersley, CPA, CITP, Technology Editor for The CPA Practice Advisor Magazine, advises, “While security breaches can cost a company dearly when it comes to a marred public image and a loss in customer confidence, the actual financial costs can be staggering.” Notifications alone are expensive. Forrester Research surveyed 28 companies that had some type of data breach and found it difficult to calculate the expenses that resulted. They estimate that the average security breach costs a company between $90 – $305 per lost record. This means that if 20,000 records are affected, financial liability easily equals six figures. According to Tankersley, “Not having systems and procedures in place to manage risks associated with privacy breach laws and regs is the new way to lose your house.”

Recent studies suggest that over 58% of security breaches come from inside an organization.

HOW ARE YOU SAFEGUARDING CLIENT INFORMATION?

Are you sending files that contain client information as email attachments? Do you use Dropbox to store information? Do you ever back up or transfer information using a flash drive or CD? These are just a few examples of methods still used today that have zero compliance or security and leave you liable for any security breach.

Unencrypted email of confidential data, such as tax returns, W-2s, and 1099s, is a massive compliance problem. Emailing such documents can result in significant fines and penalties from state and federal regulators. Accountants can mitigate the risks associated with unencrypted email by utilizing a web portal that is secure and compliant. Such a portal removes the need for FedEx, UPS, FTP, email, faxes, or personally driving to deliver critical files.

According to one report, 43% of companies now notify victims of a breach within one month at an average cost of $268 per record.

Consider the following story shared by Winston & Strawn LLP:

Insurance Company Need Not Defend Accountant Who Lost Sensitive Client Information

Winston & Strawn LLP

Stephen E Wieker and Liisa M. Thomas

USA, January 30, 2013

The U.S. Court of Appeals for the Seventh Circuit recently ruled that Nationwide Insurance Co. has no duty to defend or indemnify an accountant who lost sensitive personal information from client files. According to the lawsuit, the accountant’s loss of the information stemmed from the theft of a CD containing confidential client information from the accountant’s personal car. The CD contained the social security numbers, names, and birth dates of over 30,000 beneficiaries of the accounting firm’s clients, the Central Laborers’ Pension Fund, Central Laborers’ Welfare Fund, and Central Laborers’ Annuity Fund. After the Funds sued the accounting firm to recoup $200,000 (the costs of credit monitoring and insurance), Nationwide sought a judgment from federal court to establish that it had no duty to defend the accounting firm under the “in care of” and “business” policy exclusions. As the court interpreted the coverage, the “in care of” exclusion applied under Illinois law because the sensitive information was in an employee’s care at the time of loss and because care of the CD was a necessary element of the employee’s work for the client. The “business” insurance policy exclusion—which excludes coverage for property damage arising out of or in connection with a business—also was found to apply because the accounting firm is a business whose employee breached the duty to safeguard the Funds’ confidential information. Because the two policy exclusions were found to apply, Nationwide was deemed to have no duty to defend or indemnify the accounting firm or the employee for any damages stemming from the lawsuit brought by the Funds.


This case gives a compelling reason for your firm to monitor and manage the handling of all client information by any and all employees. It is interesting to consider that in most cases, the clients have not been burned by these fires, just the companies who, in one way or another, are lacking compliance. According to Tankersley, the huge cost incurred by data breaches is being paid almost entirely by those service providers who drop the ball—as many malpractice carriers do not cover these expenses. “I think unencrypted flash drives with confidential client data are like ticking time bombs for firm liability for data breaches,” he explains.

Accountants need to be extra vigilant, as tax returns yield especially profitable results for thieves. During a speech at a state data-security symposium (after the state tax information of 4.5 million South Carolina consumers and businesses was possibly hacked in 2012), Chris Swecker, FBI security expert, stated, “Tax returns are the holy grail for the bad guys.”

Frightening? Very. Accounting professionals should be shaking in their boots with the implications. But here is the takeaway: Accountants must be proactive and utilize a well-designed, secure document management system which complies with applicable laws and regulations. Make sure each of your firm’s employees is trained in your DMS and all data handling processes. Doing so will greatly decrease the odds of a security breach. However, given the current environment we work in, creating a data breach response plan should be a part of your business plan as well. For most small businesses, understanding and implementing accounting compliance standards is a nuisance and often done poorly. Unfortunately, one mistake can permanently shut down a small business. Tankersley elaborates, “The big firms get this. They understand it and have plans for dealing with it. I would estimate that 2 out of 3 small firms that I deal with don’t have comprehensive strategy which mitigates the risk of an information breach.”

WHAT TO LOOK FOR IN A SECURE DMS

There are many Document Management Systems available and they differ greatly in terms of security and compliance. Here is a list of some of the most important features your DMS should include:

• WORM (Write Once Read Many) compliance: Ability to preserve records exclusively in a non-rewritable, non-erasable format.

• Detailed audit trail: A tracking system that clearly identifies the original dates the images were captured into the DMS as well as user access to files and dates of any changes made to a file.

• Robust retention policy: Ability to time-stamp each file and date for required period of retention. Built-in retention should mean there is no chance of accidental file deletion.

• Above industry standard data encryption: 256-bit AES encryption is recommended when data is being transmitted to users and should also be utilized to protect data at rest on servers.


• Third Party Security Reviews and Regulatory Compliance: Data centers used by cloud services should have third party audits such as SOC 2, Type II service auditor reports (also called an “SSAE 16” engagement). Data centers and services should also assert compliance with common industry regulations such as the ISO 27001 standards for maintaining an information security management system, as well as compliance certifications for regulations like HIPAA and PCI. If the service isn’t willing to assert compliance in writing as part of their terms of service, provide the related reports (under a non-disclosure agreement), and sign other documents like HIPAA Business Associate Agreements, we believe you should re-evaluate the credibility of their assertions.

• Redundant backup copies kept in secure data centers: All information should be backed up to a remote server in a secure data center maintained by an independent third party (D3P). Preference should be given to systems that provide file backup in multiple locations, and services that have rapid automatic failover to the backup data center in the event a data center goes offline. Backup should be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week.

• Role-based security: User-based permissions to limit access. Administrator can control access to all files, including the ability to restrict access to any file from any workstation by a specific employee or group of employees.

Every accounting and tax practitioner needs sophisticated yet easy-to-use compliance adherence tools. The right DMS is critical not only to your productivity and work output, but to protect yourself and your firm from the onslaught of security threats that are ever present in today’s cyber world.

IN CONCLUSION

The benefits of a secure DMS are many, and include:

• Increased value in the eyes of your customers

• Better client retention

• More confidence in your ability to sell to new clients

• Increased recognition and customer satisfaction

• Better quality of life at work

With a robust Document Management System in place, the phone call for requested client information that once made you sweat will no longer even have you batting an eye. Instead, you will calmly and easily retrieve and send client files within seconds, all while adhering to complicated compliance laws and keeping all client information secure. A Document Management System is no longer optional in the accounting world. You simply can’t afford to practice without one.

For more information on which DMS is right for you, speak with one of our paperless office experts today.

Accountants and Tax Professionals can no longer afford to practice without a robust Document Management System in place.

Contact Us: 877-574-5505 www.efilecabinet.com

2989 W. Maple Loop Drive, Suite 300, Lehi, UT 84043

© Copyright 2014 eFileCabinet. All rights reserved.