The IRS and many state taxing authorities now recommend that taxpayers use their driver's license number to provide another layer of security when electronically filing federal and state tax returns. A few states, notably Alabama, New York, and Ohio, are requiring a driver's license number or an equivalent for personal income tax returns. This sounds promising at first—another layer of verification to help prevent tax identity theft seems prudent. However, as with many other "good ideas," the unintended consequences can cause problems.
This new use for driver's license numbers may also pose an additional data security consideration for CPA firms and increase the potential for a cyber-breach. Most CPA firm staff and clients have been trained to treat Social Security numbers (SSNs) with exceptional care, but the same has not necessarily been true for driver's license numbers. While the reasons, explained below, are understandable, driver's license numbers are a high-value target for criminals and a corresponding security concern for CPA firms.
While state and territory data breach notification laws differ, they generally consider driver's license numbers and SSNs equally important pieces of personally identifiable information. For example, California defines personal information in customer records subject to breach notification as specifically including both SSNs and driver's license or California identification card numbers, as well as credit and debit account numbers and medical and health insurance information (Cal. Civ. Code §1798.82(h)). Thus, the driver's license number is given equal status with the SSN, although the authors' informal poll suggests many people, including CPAs, might not regard the loss or theft of a driver's license number with the same alarm as they would that of an SSN, or exercise the same degree of care for its security.
Now that driver's license numbers are being used as a form of identification verification for tax return filing, it's easy to imagine them becoming a high-value target for hackers and other cybercriminals. And if accounting firms and their clients don't take care in protecting driver's license numbers and other personally identifiable information, the results can be costly.
According to the Ponemon Institute's 2016 Cost of a Data Breach study, the average total cost of a data breach for the nearly 400 companies in 12 countries studied came to $4 million, or $158 per lost or stolen record. The costs were even higher in highly regulated industries, averaging $221 per stolen or lost record in the financial services sector. Adding insult to injury, adverse media attention could result in lost business opportunities and revenue for years to come.
Insurance can offer some protection, but not as much as one might expect. CPA firms can find insurance for a number of related risks, including credit monitoring for clients, forensic analysis of computer systems, removal of malware, and system restoration, but the Ponemon study found that insurance protection reduced the cost of a data breach by a mere $5 per record.
CPA firms also have to be concerned that failing to properly notify clients of a data breach could lead to problems with various regulatory bodies and state attorneys general. Also, while penalties vary, states' fines and/or civil liability limits can reach hundreds of thousands of dollars, and a violation of Internal Revenue Code Sec. 7216 can result in a possible misdemeanor conviction with a fine of up to $1,000 and/or as much as a year in prison (see "Tax Practice Corner: AICPA's Revised Confidentiality Rule and Sec. 7216," JofA, March 2015).
PARTNER ACTION ITEMS
Educating the public is well beyond the capability of most firms. Even the current versions of the online IRS Taxpayer Guide to Identity Theft (irs.gov) and IRS Publication 4524, Security Awareness for Taxpayers, do not mention safeguarding a driver's license number. CPA firm managers should direct resources toward training staff and implementing appropriate security measures to minimize the possibility of a breach.
Train staff: Emphasize driver's license numbers in training on internal firm policies that deal with handling and storing personally identifiable information. Because the costs of losing an SSN and a driver's license number are likely the same, treat them equally. In turn, firm staff should be the direct link to clients regarding proper handling of personally identifiable information.
Implement appropriate security tools: Most firms already have the tools in place to protect driver's license numbers. A firm that has previously implemented secure portals or encrypted email solutions to protect SSNs simply needs to educate staff to use those same tools for driver's license numbers.
Secure portals such as Citrix ShareFile allow firms to insert a request link into their email to clients. With the link, clients can send an image of their driver's license via an encrypted tunnel.
Alternatively, using encrypted email to exchange personally identifiable information saves the steps required when using a portal. Solutions such as the Secure Messaging application from Mimecast allow firms and clients to exchange secure email messages containing personally identifiable information.
Finally, it is easy to overlook a simple tool that has been available for years: a phone. A quick call to collect a driver's license number from a client is a simple and secure solution with a personal touch.
Editor's note: This column is adapted from "Use of Driver's License Numbers Raises Security Concerns," March 30, 2017.
Joseph Brunsman is the vice president and Dan Hudson is the president of Chesapeake Professional Liability Brokers in Annapolis, Md. Brunsman and Hudson are the co-authors of True Course: The Definitive Guide for CPA Practice Insurance. Byron Patrick is managing director of CPA practices for Network Alliance Inc. in Reston, Va.
To comment on this article or to suggest an idea for another article, contact Paul Bonner, senior editor, at Paul.Bonner@aicpa-cima.com or 919-402-4434.