Transferring client data securely.

• Author: Holub, Steven F.

IN THE COURSE OF PROVIDING PROFESSIONAL services, CPAs need to gather many pieces of sensitive, personal information from clients. This includes financial information, tax identification numbers, financial account numbers, and other crucial financial data. If unauthorized third parties obtained this data, they could cause damage to the client ranging from simple embarrassment to identity theft. Therefore, it is critical for CPAs to maintain control over the transfer of data to assure that their clients' confidential information is not compromised. Technological advances have expanded the options for electronic data transfer, which is convenient for both CPAs and their clients. The advantages of electronic data transfer include:

* Data does not have to be physically delivered to the CPA's office, either by the client personally or by a third party (such as the post office or a private common carrier);

* Data transfer is instantaneous; and

* Data that originates in an electronic format may be processed more efficiently and accurately by the CPA than if it has to be input electronically from paper.

[ILLUSTRATION OMITTED]

However, most clients do not understand that various methods of electronic transfer require security to protect the client's private information from being intercepted. Clients may think the method they use to send vacation pictures to family and friends is also suitable for transferring tax records. That is not the case, and, therefore, CPAs must educate themselves and their clients about the risks and benefits of various data-transfer methods and which methods are appropriate or inappropriate.

Risks of Client Data Transfer

Many clients may want to transfer data to their CPA via email, since most people now regularly use email to communicate in professional and personal matters and files of any type may be sent conveniently via email. It may be simple to send data attached to an email, but this transfer method is risky because it is inherently insecure.

Unencrypted Data

Unless the sender takes special precautions, email is sent in an unencrypted form, which means it can be read if it is intercepted. If an unencrypted message ends up in an unintended party's hands, the contents of the message and its attachments can be compromised. The results could be very harmful to the client.

An unscrupulous individual could sell access to personally identifiable information or attempt to use the information to steal the client's identity. While almost all email programs support the use of a security certificate, which enables email users to send information encrypted and to determine that the information is being sent to the correct place, the system is not used much outside of certain industries. While "installing a certificate" provides good security, most clients probably will not use security certificates because they may not know what they are.

Lack of Control Over Transmission

To the sender, an email appears to go directly from the sender's computer to the recipient's. However, in reality the message is relayed through various servers and sites on its route to the final destination. At each step along the way, the message can be intercepted.

Many clients use email accounts that are hosted by third parties. While internet service providers and large email providers have policies and controls to guard against employees' misuse of email data, these protections are not foolproof. It is also unlikely that many clients are aware of the controls, if any, their provider has in place.

Losing Control of Credentials

Clients often access their email via various public networks. Hotels, coffeehouses, bookstores...