Tiffany Couch, founder and principal of Acuity Forensics, related just how easy it is to jeopardize PII and your company’s reputation.
“A local attorney’s laptop was recently stolen when he left it in his car during a brief meeting,” said Couch. “Now he has to call every single client and tell them their info is stolen. This could be a huge blow to any company, in terms of reputation.”
Couch provided additional examples of how PII can fall into the wrong hands. These include using third-party services, improperly discarding paper copies and copy machine hard drives (which contain an image of every single thing you have printed, copied, scanned or faxed), using/losing/improperly discarding USB and thumb drives, and social media accounts such as LinkedIn and Facebook.
To illustrate the potential hazards of social media, Couch cited a young, enthusiastic bank employee who took a photo of her newly decorated workspace and posted the picture on Facebook – unfortunately, a client’s banking account information was visible on her computer screen in the photo.
So how can companies protect the PII in their care? Nanette Walker, CPA, owner of Ridgefield-based NWCPA, shared some tips.
“You need to be extremely careful of the sorts of backups you use, and have numerous firewalls in place,” said Walker. “It’s important to have an IT person that is knowledgeable about information security.”
Walker also advised against using cloud-based services and wireless communication in the office. Companies can also make sure information is not easily physically accessible (locked doors, locked cabinets), and use professional-grade software applications.
“You can’t rely on Cousin Fred and TurboTax,” said Walker. “You need professional software and people that are trained so your information never goes anywhere except on extremely secure highways.”
Couch added that implementing well-documented data access controls and training employees about risk can help prevent data loss. For example, employees should have access only to the information they need to perform the jobs and mobile devices used at work should have a remote wipe capability.
“Good controls enable you to narrow down the source of a breach when it occurs,” said Couch. “When you don’t have good controls, you have to look at everybody.”
Individuals can also help keep their PII safe.
“The biggest thing is don’t put your social number on everything,” advised Barrett.
For example, if you own a small business and are filling out a request for credit, your social security number may not be necessary, even if there is a space for it on the form. Your company’s EIN number may suffice. Before you provide information, said Barrett, “ask how it will be taken care of and is it required.”
“The tax fraud issue speaks to how important it is for a company to understand that it has its own identity and that it is part of the identities of its customers. We must be vigilant in protecting that information,” said Couch.
Businesses should look into purchasing “cyber liability” coverage, and victims of tax fraud (and credit card fraud) should check with their homeowner’s insurance policy, said Bryce Davidson, a home insurance specialist with Davidson & Associates Insurance Agency Inc.
“It’s not the money that is always the issue,” explained Davidson, because eventually the IRS, or the bank, or the credit card company usually covers the financial part of the fraud. Stopping the fraud, however, can be time-consuming and confusing. A fraud endorsement, which according to Davidson costs an average of $1 to $2 per month, can provide resources to guide victims through the necessary steps and forms and may cover lost days of work.
Davidson added that fraud victims don’t have to go solo.
“Use the team you trust,” said Davidson, which includes your CPA, insurance agent and credit union or bank.
“Advisors in the community are working more as a team,” said Davidson. “We are blessed in our community that they care for people and make sure [clients] get connected to the right person.”
Medical identity theft – The next wave of fraud?
As the surge of tax fraud continues, and the IRS attempts to come up with ways to detect and prevent it, criminals are going after protected health information (PHI), such as social security numbers and medical insurance account numbers.
Tiffany Couch, founder and principal of Acuity Forensics, said that medical office staff with access to PHI can sell identities on the street for $25 each, which when multiplied by hundreds of thousands of hospital patients, for example, can add up to enormous amounts of money. Criminals fraudulently use an individual’s information to obtain medical services or drugs they can resell at a profit.
Medical-related identity theft accounted for 43 percent of all identity thefts reported in the United States in 2013. The U.S. Department of Health and Human Services reported that since it started keeping records in 2009, the medical records of between 27.8 million and 67.7 million people have been breached.
“It’s huge,” said Couch.
A local firm, MiddleGate Inc. in Lake Oswego, is working on a software solution monitors for loss and breach of PHI.