Discussion:Electronic communication of client info
From TaxAlmanac
26 November 2007
Good morning,
I was just curious about any liability that anyone has run into by communicating tax information to and from clients through e-mail. Are web portals the answer, or an encryption tool that I should add or activate within MS Outlook? I'm an accountant coming out of industry and starting my first year in my own tax practice, so some of the technical aspects are things that I haven't had to tackle on my own before. Thank you in advance for advice and direction. Mark
26 November 2007
Mdwtax -
A couple of years ago, after looking into the issue in depth, I instituted a policy of never sending unencrypted emails that contain information that might be used for identity theft, such as name and social security number of clients. Sensitive documents are sent as pdf files attached to emails. The pdf files are encrypted using the Acrobat program (in my case, version 6.0). A password is required to open such documents. My standard password is the last four digits of the client's social security number, which I inform them of in the body of the email. If you go this route, you will need to purchase one of the full Acrobat programs - the free "reader" version won't do it. The most common documents I use this procedure for are copies of tax returns, W-2's, and schedules K-1. Also, in my annual letter to clients, I advise them not to send unencrypted documents containing their name and social security number via email attachment. You're absolutely on the right track in addressing this issue upfront. The liability attached to communicating sensitive information via email is the subject of much discussion among our peers here in my neck of the woods. My method solves the problem in my practice, but you may find that other solutions may work as well. Good luck!
26 November 2007
For a cheaper version of encryption, purchase WINZIP, and your clients do not have to purchase WINZIP to extract the documents. Professional Acrobat is quite expensive. Well, for me anyways...
26 November 2007
Two more things about the Acrobat program needed for encryption - only you have to buy it - the recipient just needs to have the free "reader" version of Acrobat. A screen will pop up when he tries to open the file asking for the password to be typed in. Also, the Acrobat program you need may be included with a scanner you might be purchasing for your new business.
26 November 2007
I am encouraging all clients to use my FTP rather than email.
Larry
26 November 2007
Thank you both. My December is committed to as many workflow and communication improvements as I can possibly make, before the season gets out of hand.
Corptaxhelp said: November 27, 2007
> My standard password is the last four digits of the client's social security number
Argh! Smokey, I admire your efforts to protect your clients' confidential information but I fear you may be doing more harm than good. A false sense of security is more harmful than a real sense of insecurity. Two things... 1) Using just four digits, there are only 10,000 possible combinations to the password. There are free password recovery utilities on the internet that could easily try all of those combinations in under five seconds. (I use a pay version from ElcomSoft (http://www.elcomsoft.com/apdfpr.html) and highly recommend their tool.) Even an eight-character password can be removed in the time it takes to grab lunch. So, having just a four-digit password means next to nothing. (Don't believe me? Send me a protected PDF with a 'confidential' message and I'll respond with the message.) 2) Deterministic passwords are a bad idea. Anytime someone (other than the password's owner) knows something about how a password is generated, the password is much easier to compromise. Social security numbers are not highly protected numbers and are fairly easy to obtain. For example, it is very common for one's voicemail password to be the last four digits of one's phone number. This is especially bad in an office environment and where people rarely change their voicemail password. If I'm the new guy and my voicemail password is the last four digits of my phone number, how many of my co-workers also have that pattern as their password? In my experience, never less than half. If I know my password is the last four of my SSN, I can guess all your other clients have a similar setup. Having read item one, you may think lengthening your clients' passwords would be a good idea. You might consider making their password their last name and then the last four digits of their SSN (i.e. taxhelp1234). Since that is deterministic, once I have your client's name, I'm back to just guessing four digits which we know goes quickly.
But, you might say, isn't four digits or a deterministic algorithm better than no protection? Not in my mind. Would you rather live in a house knowing none of the doors lock and anyone can enter at will or would you rather live in a house you feel to be secure but which anyone can get into in less than ten seconds using commonly-available and free tools? Finally, knowing your Adobe Acrobat workflow is insecure and yet having you present it as secure, will your professional liability policy pay off when you are sued because someone on the internet got a hold of a client's documents? Mine wouldn't. My carrier and attorney both suggest that I make no claims of document security on the internet and that my official recommendation be that all documents transfer old-school style in hardcopy. As part of my engagement agreement, clients check a box saying they would rather have documents electronically and that they understand this is potentially less secure than hardcopies.
27 November 2007
Corptaxhelp - I really appreciate your input - I'm continuously reviewing my policies and will definitely take your suggestions into account.
Corptaxhelp said: November 27, 2007
Larry, FTP isn't encrypted nor is it especially secure. FTP transmissions happen in clear text. While somewhat better than email simply because it is transient and difficult for a transmission to be split, your best bet might be to go one step further to SFTP -- Secure FTP. Chances are, your FTP client will also do SFTP and your ISP probably already supports SFTP. SFTP can easily use 128-bit encryption -- the same as what is used when you pass a credit card number over the internet.
Also, once your files are done being transmitted, they are only as safe as the server on which they sit. So, even if you use SFTP, once the confidential documents are on the server, they do stand a chance of being compromised. Again, this is one case where you might want to check your insurance policy. Make sure you're not promising something in terms of security that you cannot deliver.
Corptaxhelp said: November 27, 2007
Smokey, a better password might be the amount of tax the client paid the previous year plus a middle name. If you did last year's return, you'll have both of those pieces of information. An SSN is fairly easy to get but the amount of taxes someone paid last year is much more uncommon and not likely to be used by any other entity.
You could also substitute how much you were paid to do their taxes last year but in a stock 1040 shop, the fee may be the same for everyone thus reducing the chaos in the password pool. While deterministic (bad), this method helps in a few ways.
Second, the length of the password is no longer fixed. If I know the password is only four digits, I save myself having to check 999 possibilities (0 through 999). While this is a small savings at four digits, imagine the password is known to be eight characters. Instead of having to check 0 through 9,999,999, I can just check 00000000 through 99999999. Cutting out nearly a million possibilities saves real time. Third, letters greatly increase the possible passwords. Take a single digit password. It must be one of just ten characters (0 through 9). On the other hand, a single letter password has 26 potential options (a through z). Add in upper case as a potential and you have added 26 more options (A-Z). So, a password of four digits has only 10,000 possible combinations (10^4). Were the same four options digits and letters in both cases, there would be 14,776,336 (62^4) combinations. It is much more difficult to find a needle in nearly 15 million pieces of hay than in ten-thousand pieces of hay.
old style password: last-four digits of SSN
  example: 1234
  characters: four
  combinations: 10,000 (10^4)
  cracked in: under five seconds
new style password: middle name (properly capitalized) and last year's tax bill or refund
  example: Jefferson10876
  characters: unknown
  combinations: unknown (10,000 (10^4, no middle name, just 1234) to easily 208,827,164,602 (26^1 (upper case) + 26^8 (lower case) + 10^5 (digits)))
  cracked in: several hours or even days
For more on this topic, I'll require the class to have a slide rule.
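The two Corptaxhelp posts above make two separate points: a password derived from data the preparer already has on file (last four of the SSN, last name plus those digits) is guessable regardless of length, and the size of the search space depends on the alphabet and the length an attacker can assume. The following program is an added example written for this discussion; it is not code from the thread, from ElcomSoft or from any PDF tool. It computes the keyspace figures quoted in the posts (10^4, 62^4) and, as a defender-side check, flags a proposed document password that is built from a client's own record. The client record, the guess rate of 2,000 per second and the `ClientRecord` field names are constructed assumptions for illustration.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// Keyspace returns alphabet^length: the number of candidates an exhaustive
// search must try when the alphabet and the exact length are both known.
func Keyspace(alphabet, length int) *big.Int {
	return new(big.Int).Exp(big.NewInt(int64(alphabet)), big.NewInt(int64(length)), nil)
}

// CharsetSize estimates the alphabet an attacker must assume for a password:
// digits (10), lowercase (26), uppercase (26), anything else counted as 33.
func CharsetSize(password string) int {
	var digit, lower, upper, other bool
	for _, r := range password {
		switch {
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		default:
			other = true
		}
	}
	size := 0
	if digit {
		size += 10
	}
	if lower {
		size += 26
	}
	if upper {
		size += 26
	}
	if other {
		size += 33
	}
	return size
}

// SecondsToExhaust is the worst-case time to try every candidate at a given
// guess rate. The rate is an assumed figure for illustration, not a benchmark.
func SecondsToExhaust(keyspace *big.Int, guessesPerSecond int64) float64 {
	ks := new(big.Float).SetInt(keyspace)
	secs, _ := ks.Quo(ks, big.NewFloat(float64(guessesPerSecond))).Float64()
	return secs
}

// ClientRecord holds fields a preparer has on file and a thief could also
// plausibly obtain. Field names are an assumption for this example.
type ClientRecord struct {
	FirstName, MiddleName, LastName, SSN string
}

// DerivedFrom reports whether a candidate password is built from predictable
// client fields: an SSN suffix alone, a name alone, or a name followed by an
// SSN suffix (the "taxhelp1234" pattern). The second return value names the pattern.
func DerivedFrom(candidate string, c ClientRecord) (bool, string) {
	ssn := strings.Map(func(r rune) rune {
		if unicode.IsDigit(r) {
			return r
		}
		return -1
	}, c.SSN)
	var suffixes []string
	for _, n := range []int{4, 6} {
		if len(ssn) >= n {
			suffixes = append(suffixes, ssn[len(ssn)-n:])
		}
	}
	lc := strings.ToLower(strings.TrimSpace(candidate))
	for _, s := range suffixes {
		if lc == s {
			return true, "SSN suffix only"
		}
	}
	for _, name := range []string{c.FirstName, c.MiddleName, c.LastName} {
		n := strings.ToLower(name)
		if n == "" {
			continue
		}
		if lc == n {
			return true, "name only"
		}
		for _, s := range suffixes {
			if lc == n+s {
				return true, "name + SSN suffix"
			}
		}
	}
	return false, ""
}

func main() {
	// Constructed sample client; not a real person or SSN.
	client := ClientRecord{"Mark", "Jefferson", "Smith", "123-45-6789"}
	for _, pw := range []string{"6789", "smith6789", "Jefferson10876"} {
		bad, why := DerivedFrom(pw, client)
		ks := Keyspace(CharsetSize(pw), len(pw))
		fmt.Printf("%-15s derived=%-5v %-18s keyspace=%s worst-case %.0fs at 2000/s\n",
			pw, bad, why, ks.String(), SecondsToExhaust(ks, 2000))
	}
	fmt.Println("256-bit key:", Keyspace(2, 256).String())
}
```

`DerivedFrom` is deliberately a small deny-list rather than a strength meter: its job is to catch the specific deterministic patterns the thread warns about before a password is ever sent to a client.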
November 27, 2007
Interesting. I switched to an encrypted email server earlier this summer. All of my email going out and coming in has 256 bit encryption. My engagement letters also spell out the risks of using email as a method of communication. In Hawaii, we are not even allowed to transmit documents that have "private information" on them unless the information is encrypted, redacted or authorized by the owner of that information.
28 November 2007
Corp, thanks for the lesson. I found it very interesting and timely. I have used the last 6 digits of SSN for passwords, but I guess I will rethink that approach.
What can you tell me about fax security? I don't have a fax machine anymore but have switched to "myfax". Most of my outgoing stuff I send via pw-protected email attachments, but every time I need to send a POA to the IRS Tax Practitioner Hotline I have to send it as a fax. Obviously that always has a SSN (for individuals at least) on the POA. The fax gets sent via an email attachment, so it is obviously not secure. Is it any worse than a regular fax sent by machine?
28 November 2007
Corptaxhelp -
What do you think about sending the password in a separate email? Or would this be futile if all emails are equally accessible to a thief? I've heard of some practitioners using the same password for all clients, which seems odd, but when you think about it, if the password is more robust than simply four numbers, perhaps it is safer. (By the way, oddly enough, I actually have a collection of vintage slide rules.)
Corptaxhelp said: November 28, 2007
Natalie: 256-bit encryption is probably even safe from the prying eyes of the NSA for a period of months. Nice work. For those playing at home, a 256-bit password has 2^256 possible combinations. (Yes, really 115,792,089,237,316,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 combinations).
Jdugan: The first three digits of an SSN are virtually worthless as a secure ID because they are assigned based on where the number was issued. The middle two digits are also troublesome because you can look them up based on the first three digits and the year in which the SSN was issued. So, with a birthday and place of birth, you can pretty much come up with the first five digits of one's social security number. (More details here: http://www.socialsecurity.gov/history/ssn/geocard.html .) So, the last six digits are better than the last four digits but the code is still discoverable. As to fax security, I don't have any specific knowledge in that area. My gut tells me that faxing by email is less secure than faxing by landline simply because an email stream is far easier to compromise than a telephone stream. Email is a store-and-forward medium, meaning that your email message sits for a period of time (generally less than a second) on several servers before it gets to its final destination. Anyone with access to those servers can have access to your email. Best of all, they don't have to do it in real time -- they can just keep a copy of everything and then search through it for the good stuff at their leisure. A standard fax transmission, however, is live. It can only be compromised during the transmission, requires physical proximity and access to the phone line and special equipment. There are a couple billion people on the internet and tens of millions of them that know enough about email to split the stream. Compare that to the number of people who have the physical access to your phone connections, the knowledge to make the connection and the necessary hardware. That is a much smaller pool. Smokey: A secondary email with the password isn't much protection. If I were looking to begin a life of crime and retire to a country without an extradition policy, I'd tap into a preparer's email system early in the season and capture every email message.
When I had captured a fair amount of email, I'd do a full-text search for 'refund' and 'password'. I'd then figure out which clients were getting the largest refunds. Next step would be to check if there were any email messages that mentioned routing or checking account numbers. From the tax return, I'd have full name and social security number. I bet some preparers even take credit card numbers via email so that could add to the pool of yummy information. Finally, I'd sit in wait until I expected the Treasury to start depositing refunds and then start sucking the money out of their accounts before they had a chance to spend it on their own. By just tracking email, it is trivial to gather all the components necessary to steal someone's identity or money... Full legal name, SSN, bank account number, account routing code, credit card number, etc. If I had a lot of ambition, I'd use this information directly to profit. Otherwise, I bet I could sell this information on the black market to folks who do identity theft professionally. The yield wouldn't be as good for me but it would be a lot less work on my part and would lower my risk exposure. As for all clients using the same password... bad idea. If I were looking to gain access, all I'd have to do is have a return prepared at that shop then I'd have the keys to the kingdom. For the cost of a simple 1040 return preparation, I could compromise the entire operation.
28 November 2007
This is one of those subjects that the more you get into it, the more you reach for the Tums! I think there are at least two pieces of federal law that have some application. In addition, the email you send the client can be edited by the client to change what you wrote. If you attach a Word document, there is the risk that they [IRS?] can review every edit you have made to the document when you drafted it. I could go on. The privacy risk is only a small part of it. The big concern is that you have given some tax advice etc. that the client relies upon, OR the client changes what you have written, and claims you have given bad instructions or advice. I recommend that people check out http://www.rpost.com/site/ Click on Standard Email Risks to see a part of what we are facing.
Corptaxhelp said: November 28, 2007
Crow, if your primary concern is immutable email, there are plenty of solutions that don't require a monthly fee (as is the case with RPost or Postini). Some are even free. Best of all, they require no software, effort or changes on the part of the recipient. In fact, most of the time they will never even know you sent them a piece of cryptographically-signed email.
The only time the subject would come up is if they say you sent one thing and you say you sent another. Thanks to the magic of math, you can easily prove that the recipient's version of the email is not the one you sent. Cryptographically-signed email is still sent in plain text so it does not protect from prying eyes. Its primary purpose is to ensure what was received is what was sent to both the recipient and to a body of law should it come to that. It doesn't protect the data, only your reputation. From Wikipedia: "An analogy for digital signatures is the sealing of an envelope with a personal wax seal. The message can be opened by anyone, but the presence of the seal authenticates the sender." You can also use the same key to encrypt the email but that requires the person receiving the email to add software or change their email configuration. In most cases, people will happily exchange convenience for security so you are unlikely to find clients willing to update their email configuration just to get secure email from you. This is all way beyond the scope of TaxAlmanac. For those who want to read more, start with this Wikipedia article on Public Key Cryptography [ http://en.wikipedia.org/wiki/Public-key_cryptography ]. In short, if all you want is immutable email, don't think you have to pay a monthly fee, a per-email fee or buy an expensive piece of software. Math is free and works with all the most common email applications such as Outlook. (Of course, if you need proof of delivery, you're pretty much limited to one of the online email services such as RPost or Postini unless you have an in-house IT staff with specialized security knowledge.)
28 November 2007
So, I could use something like PGP to just sign, and that will make it immutable? I really need the KISS solution, if there is one.
November 28, 2007
I tried an encrypted key for email last year, and Corp is right -- no one else uses them. I was very surprised because there had been news articles about the risks with email. Thanks for all of the info Corp.
28 November 2007
What do you think of this solution?
http://www.cpasitesolutions.com/youget/cpa-website-tools/secure-client-portal.php
Corptaxhelp said: November 28, 2007
Crow: Electronically signing the email message or document allows for you to verify if even a single bit has been changed. (It isn't a revisioning tool, however. It'll tell you the message is not original, it can't tell you if just a comma was changed or the entire third paragraph was rewritten.)
PGP (http://www.pgp.com/products/desktop_email/) is what I used for years until they dropped their free product. Or, at least made it too hard to find. Now I use GnuPG (http://www.gnupg.org/) which does the same thing only is open source. For the tech-savvy, GnuPG is the way to go. If you don't mind paying $150 for everything to just work right out of the box, go with the commercial PGP product. Natalie: When I was running with an especially geeky crowd back in the late-1990s, we encrypted all of our email back and forth. It was cool and probably got us added to some FBI watch lists but we stopped doing it because we couldn't get enough people using encryption. Critical mass was not reached. Mhill427: The concept seems sound and I didn't see any red flags that make me think it is just window dressing. I don't know anything specific about the company or their products. I also don't know anything about the cost of their offering.
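The two Corptaxhelp posts on signed email (the wax-seal analogy, and the point that a signature detects a single changed bit but cannot say which bit) describe a detached digital signature. The program below is an added example for this discussion, not code from the thread, from PGP or from GnuPG: it uses Ed25519 from Go's standard library in place of OpenPGP to show the same properties. The message text, the key pair and the `SignedMail` type are constructed for illustration; a real deployment would sign with a long-term key distributed to clients, which this example does not model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// SignedMail carries a message exactly as sent, still readable by anyone,
// plus a detached signature made with the sender's private key.
type SignedMail struct {
	Body      []byte
	Signature []byte
}

// Sign produces a SignedMail for body. The body is not encrypted: signing
// protects integrity and origin, not confidentiality.
func Sign(priv ed25519.PrivateKey, body []byte) SignedMail {
	return SignedMail{Body: body, Signature: ed25519.Sign(priv, body)}
}

// Verify reports whether m.Body is exactly what the holder of pub signed.
// Any change to the body, however small, makes this return false.
func Verify(pub ed25519.PublicKey, m SignedMail) bool {
	return ed25519.Verify(pub, m.Body, m.Signature)
}

// FlipBit returns a copy of m with one bit of the body toggled, modelling
// the smallest possible edit by a recipient.
func FlipBit(m SignedMail, byteIndex int, bit uint) SignedMail {
	body := append([]byte(nil), m.Body...)
	body[byteIndex] ^= 1 << bit
	return SignedMail{Body: body, Signature: m.Signature}
}

// Demo signs a constructed email body and checks three versions:
// the original, a copy with one bit flipped, and a copy with text appended.
// It returns (originalValid, bitFlippedValid, appendedValid, bodyStillReadable).
func Demo() (bool, bool, bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed sample message; not a real client communication.
	original := Sign(priv, []byte("Your estimated payment for Q4 is due January 15."))
	flipped := FlipBit(original, 0, 0)
	appended := SignedMail{
		Body:      append(append([]byte(nil), original.Body...), []byte(" Ignore prior advice.")...),
		Signature: original.Signature,
	}
	readable := string(original.Body) == "Your estimated payment for Q4 is due January 15."
	return Verify(pub, original), Verify(pub, flipped), Verify(pub, appended), readable
}

func main() {
	ok, flipped, appended, readable := Demo()
	fmt.Println("original verifies:      ", ok)
	fmt.Println("one bit flipped verifies:", flipped)
	fmt.Println("text appended verifies: ", appended)
	fmt.Println("body still plaintext:   ", readable)
}
```

Note that `Verify` only answers yes or no: when it fails it does not indicate whether the change was a flipped bit or an appended sentence, which is the "not a revisioning tool" caveat from the post.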
28 November 2007
>> I switched to an encrypted email server earlier this summer.
>> All of my email going out and coming in has 256 bit encryption.
Natalie, What service do you use for encrypted e-mail? Is this your regular e-mail service or an add-on service to your regular e-mail? Does it affect the way clients receive e-mail? Or does the encryption simply protect the e-mail stream in transit between and on servers on its way to its intended recipient?
November 29, 2007
The encrypted email service is separate from the email boxes that come with our internet cable provider and is actually tied to my website through the same provider. It has no effect on how clients receive email. The encryption protects the email while it is on this server. My understanding is that once it leaves the server, it is protected only as much as the next server is.