DMS for Accountants:
Not Optional Anymore
Does this sound familiar? You’ve just received a call from an important client. They are requesting a specific piece of information and they need it fast. You politely say, “Let me check. I’ll get back to you.” The minute you hang up the phone, panic ensues as you dig through files, trying to find what your valued client needs.
If you can’t find the information quickly, your entire office might join the search and dig through files, shutting down the entire day’s productivity.
If you can relate to this scenario, chances are your firm is not utilizing a proper Document Management System. Any inability to quickly retrieve and securely manage information means that your firm is potentially jeopardizing your relationship with an important client and losing time and money due to poor operational systems. Without appropriate document retention, an accounting firm will inevitably experience some level of embarrassment, unnecessary chaos, poor service perception, and even fear. But there are far more frightening threats—think public embarrassment, legal liability, even criminal liability—the stuff of every firm owner’s nightmares. In a time when excellent and affordable DMS systems are readily available, no firm should be relying on paper files.
There are many reasons why having a paperless DMS is no longer optional—reasons such as improving the bottom line, increasing employees’ work-life quality, and disaster recovery planning, but perhaps the most compelling reason of all is SECURITY.
Managing Information Security Risks
Just as location is key to success in real estate, managing information security risks is key to success in accounting practices. The laws and rules that regulate accounting documentation compliance are complex. The ever-changing regulatory environment that accountants live in makes it incredibly difficult to even know what is required, let alone how to stay 100% compliant. Although there are many advantages to working in this high-tech world, digitalization of information presents unique security challenges. New attacks and threats emerge almost daily.
Security Starts on the Inside
It is estimated that employees are responsible for most data breaches. The most recent Verizon Data Breach Investigations Report (DBIR) states that 58% of cyber security incidents are caused by employees, with 34% of those incidents caused by employee accidents in handling data, and approximately 24% by unapproved or malicious data use. Part of the unique challenge to data security is the fact that the feedback loop is notoriously bad. If you’ve been hacked, or someone has breached your clients’ data in any way, it can be difficult to even know the breach has occurred. It might be months or years before you are alerted. Sometimes you might never find out. It’s even harder to figure out who did it.
Given the high incidence of security breach, including accidental breaches, it is imperative to make sure your firm is compliant. Regulatory compliance laws are complicated. Accountants are held to a large number of laws that affect document and data management, including HIPAA, FERPA, regulations under IRS Code Section 7216, Sarbanes-Oxley, and federal rules of civil procedure. Because of the complexity of these laws, it is vitally important you select a DMS that is highly compliant. Even with a compliant software or service provider, the customer of the software or service provider is ultimately responsible for the security of their own data. What does this really mean for you? Personal liability.
Recent studies suggest that over 58% of security breaches come from inside an organization.
Security Breach Notification Laws
If your clients’ information has been breached in any way, 46 states now require that you notify the client. It is important to note that you are responsible for complying with the laws of all 46 states if you have records breached of individuals or companies who are domiciled in those states.
Brian Tankersley, CPA, CITP, Technology Editor for The CPA Practice Advisor Magazine, advises, “While security breaches can cost a company dearly when it comes to a marred public image and a loss in customer confidence, the actual financial costs can be staggering.” Notifications alone are expensive. Forrester Research surveyed 28 companies that had some type of data breach and found it difficult to calculate the expenses that resulted. They estimate that the average security breach costs a company between $90 and $305 per lost record. This means that if 20,000 records are affected, financial liability easily equals six figures. According to Tankersley, “Not having systems and procedures in place to manage risks associated with privacy breach laws and regs is the new way to lose your house.”
According to one report, 43% of companies now notify victims of a breach within one month at an average cost of $268 per record.
How Are You Safeguarding Client Information?
Are you sending files that contain client information as email attachments? Do you use Dropbox to store information? Do you ever backup or transfer information using a flash drive or CD? These are just a few examples of methods still used today that have zero compliance or security and leave you liable for any security breach.
Unencrypted email of confidential data, such as tax returns, W-2s, and 1099s, is a massive compliance problem. Emailing such documents can result in significant fines and penalties from state and federal regulators. Accountants can mitigate the risks associated with unencrypted email by utilizing a web portal that is secure and compliant. Such a portal removes the need for FedEx, UPS, FTP, email, faxes, or personally driving to deliver critical files.
Consider the following story shared by Winston & Strawn LLP:
Winston & Strawn LLP
Stephen E. Wieker and Liisa M. Thomas
January 30, 2013
The U.S. Court of Appeals for the Seventh Circuit recently ruled that Nationwide Insurance Co. has no duty to defend or indemnify an accountant who lost sensitive personal information from client files. According to the lawsuit, the accountant’s loss of the information stemmed from the theft of a CD containing confidential client information from the accountant’s personal car. The CD contained the social security numbers, names, and birth dates of over 30,000 beneficiaries of the accounting firm’s clients, the Central Laborers’ Pension Fund, Central Laborers’ Welfare Fund, and Central Laborers’ Annuity Fund. After the Funds sued the accounting firm to recoup $200,000 (the costs of credit monitoring and insurance), Nationwide sought a judgment from federal court to establish that it had no duty to defend the accounting firm under the “in care of” and “business” policy exclusions. As the court interpreted the coverage, the “in care of” exclusion applied under Illinois law because the sensitive information was in an employee’s care at the time of loss and because care of the CD was a necessary element of the employee’s work for the client. The “business” insurance policy exclusion—which excludes coverage for property damage arising out of or in connection with a business—also was found to apply because the accounting firm is a business whose employee breached the duty to safeguard the Funds’ confidential information. Because the two policy exclusions were found to apply, Nationwide was deemed to have no duty to defend or indemnify the accounting firm or the employee for any damages stemming from the lawsuit brought by the Funds.
This case gives a compelling reason for your firm to monitor and manage the handling of all client information by any and all employees. It is interesting to consider that in most cases, the clients have not been burned by these fires, just the companies who, in one way or another, are lacking compliance. According to Tankersley, the huge cost incurred by data breaches is being paid almost entirely by those service providers who drop the ball—as many malpractice carriers do not cover these expenses. “I think unencrypted flash drives with confidential client data are like ticking time bombs for firm liability for data breaches,” he explains.
Accountants need to be extra vigilant, as tax returns yield especially profitable results for thieves. During a speech at a state data-security symposium (after the state tax information of 4.5 million South Carolina consumers and businesses was possibly hacked in 2012), Chris Swecker, FBI security expert, stated, “Tax returns are the holy grail for the bad guys.”
Frightening? Very. Accounting professionals should be shaking in their boots at the implications. But here is the takeaway: Accountants must be proactive and utilize a well-designed, secure document management system which complies with applicable laws and regulations. Make sure each of your firm’s employees is trained in your DMS and all data handling processes. Doing so will greatly decrease the odds of a security breach. However, given the current environment we work in, creating a data breach response plan should be a part of your business plan as well. For most small businesses, understanding and implementing accounting compliance standards is a nuisance and often done poorly. Unfortunately, one mistake can permanently shut down a small business. Tankersley elaborates, “The big firms get this. They understand it and have plans for dealing with it. I would estimate that 2 out of 3 small firms that I deal with don’t have comprehensive strategy which mitigates the risk of an information breach.”
What to Look for in a Secure DMS
There are many Document Management Systems available and they differ greatly in terms of security and compliance. Here is a list of some of the most important features your DMS should include:
WORM (Write Once Read Many) Compliance: Ability to preserve records exclusively in a non-rewritable, non-erasable format.
Detailed Audit Trail: A tracking system that clearly identifies the original dates the images were captured into the DMS as well as user access to files and dates of any changes made to a file.
Robust Retention Policy: Ability to time-stamp each file and hold it for the required retention period. Built-in retention should mean there is no chance of accidental file deletion.
Above Industry Standard Data Encryption: 256-bit AES encryption is recommended when data is being transmitted to users and should also be utilized to protect data at rest on servers.
Third Party Security Reviews and Regulatory Compliance: Data centers used by cloud services should have third party audits such as SOC 2, Type II service auditor reports (also called an “SSAE 16” engagement). Data centers and services should also assert compliance with common industry regulations such as the ISO 27001 standards for maintaining an information security management system, as well as compliance certifications for regulations like HIPAA and PCI. If the service isn’t willing to assert compliance in writing as part of their terms of service, provide the related reports (under a non-disclosure agreement), and sign other documents like HIPAA Business Associate Agreements, we believe you should re-evaluate the credibility of their assertions.
Redundant Backup Copies Kept in Secure Data Centers: All information should be backed up to a remote server in a secure data center maintained by an independent third party (D3P). Preference should be given to systems that provide file backup in multiple locations, and services that have rapid automatic failover to the backup data center in the event a data center goes offline. Backup should be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week.
Role-based Security: User-based permissions to limit access. Administrators can control access to all files, including the ability to restrict access to any file from any workstation by a specific employee or group of employees.
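As an added illustration of how the write-once, audit-trail, retention and role-based controls above fit together, here is a small in-memory document store written for this page (it is not any vendor’s DMS code; the role table, file name and seven-year retention period are constructed assumptions):

```python
from datetime import date, timedelta

# Constructed role table (assumption): which actions each role may perform.
PERMISSIONS = {"partner": {"read", "add", "delete"}, "staff": {"read", "add"}, "intern": set()}

class DocumentStore:
    """In-memory store enforcing write-once records, retention, roles and an audit trail."""

    def __init__(self, today: str):
        self.today = date.fromisoformat(today)  # injected clock, so time can be advanced
        self.records = {}  # name -> {"content", "captured", "retain_until"}
        self.audit = []    # (date, user, action, name, outcome); every attempt is logged

    def set_today(self, today: str):
        self.today = date.fromisoformat(today)

    def _authorize(self, user, role, action, name):
        allowed = action in PERMISSIONS.get(role, set())
        # Audit trail: denied attempts are recorded, not just successful ones.
        self.audit.append((self.today.isoformat(), user, action, name, "ok" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not {action} {name}")

    def add(self, user, role, name, content: bytes, retention_years=7):
        self._authorize(user, role, "add", name)
        if name in self.records:
            # WORM: an existing record is never overwritten in place.
            raise FileExistsError(f"{name} already exists; records are write-once")
        self.records[name] = {"content": content, "captured": self.today,  # capture date kept
                              "retain_until": self.today + timedelta(days=365 * retention_years)}

    def read(self, user, role, name) -> bytes:
        self._authorize(user, role, "read", name)
        return self.records[name]["content"]

    def delete(self, user, role, name):
        self._authorize(user, role, "delete", name)
        if self.today < self.records[name]["retain_until"]:
            # Retention hold: even an authorized user cannot delete before the period ends.
            raise PermissionError(f"{name} is under retention until {self.records[name]['retain_until']}")
        del self.records[name]

def attempt(fn, *args, **kwargs):
    """Run an operation and return the exception class name it raised, or None on success."""
    try:
        fn(*args, **kwargs)
    except (PermissionError, FileExistsError) as exc:
        return type(exc).__name__
    return None
```

A real DMS would persist the audit log and records on WORM-capable storage and encrypt them at rest; the point here is that the retention hold and the role check are enforced by the store itself, not left to user discipline.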
Every accounting and tax practitioner needs sophisticated yet easy-to-use compliance adherence tools. The right DMS is critical not only to your productivity and work output, but to protect yourself and your firm from the onslaught of security threats that are ever present in today’s cyber world.
The benefits of a secure DMS are many, and include:
• Increased value in the eyes of your customers
• Better client retention
• More confidence in your ability to sell to new clients
• Increased recognition and customer satisfaction
• Better quality of life at work
With a robust Document Management System in place, the phone call for requested client information that once made you sweat will no longer even have you batting an eye. Instead, you will calmly and easily retrieve and send client files within seconds, all while adhering to complicated compliance laws and keeping all client information secure. A Document Management System is no longer optional in the accounting world. You simply can’t afford to practice without one.
For more information on which DMS is right for you, speak with one of our paperless office experts today.