Most businesses handle confidential information. Whether it concerns employees, trade secrets, or something else, companies must protect such data. Tax practices face even more constraints on private information. Handling client material and dealing with taxing authorities require substantial attention to maintaining privacy. Best practices are a must.
The first step in maintaining confidentiality is helping everyone to understand the definition of “confidential” and what it means in the workplace setting. According to Dictionary.com, it means “spoken, written, acted on, etc., in strict privacy or secrecy; secret.” Part of employee onboarding, especially if the person has never worked in a tax practice before, should include training on what “confidential” means for the business. In most instances, the definition will be consistent across firms, but clarification from Day One is essential.
In a tax practice, there are many types of confidential client information: employee data, client documents, and firm information, to name just a few. For each type, there should be specific policies regarding how to handle the material, including who is allowed to touch it. Clear policies on privacy help to make sure that proper steps are taken when confidentiality issues arise.
Another essential action is including confidentiality provisions in employment contracts. These requirements put employees on notice that the firm is serious about this issue. Include precise definitions of what constitutes confidential information and point to clear company policies to follow. Also, spell out specific repercussions for violations. Make sure the contracts have teeth so that employees understand that this is serious business. Lost clients and the lawsuits that follow privacy breaches pose a grave risk to a firm.
Restricting access to information may be crucial. If data is not needed to complete a job, then access to it should be limited. There is no reason for people to have permission to look at information unless it is necessary. Also, consider keeping logs or audit trails. For many applications, this is just a matter of turning on an audit trail feature. Then, when it is needed, an activity log is available to those who administer it, and they can review and understand who has accessed which files and information.
Transferring information via email may be convenient, but it is not necessarily secure. Employing document management software could be the answer. It provides a secure place to exchange information, where only approved individuals are allowed access. You can have a separate site for each client. It is secure and easy to use. And, when individuals no longer need access, you can remove them from the allowed users list.
Another email-related risk to confidentiality comes in responding to messages. It is essential to train your staff to recognize “phishing expeditions” and not react to them, or to follow specific protocols when unsure. One scenario that has caught several CFOs over the last couple of years goes like this. An email appearing to come from the CEO arrives in the inbox of the CFO. It instructs the CFO to wire money to a particular individual or company. Typically the amount to be wired is tens or hundreds of thousands of dollars. In many cases, the request alone should have given the CFO pause. However, in numerous instances, since the email came from the CEO (or so the CFO thought), the directive was followed. Only later did the company find out that it was the victim of phishing. In this case, adding an extra step to the expense payment process could have saved the company a great deal of money. Confirming via a separate email to the CEO (and not just a reply to the original request) would help to make sure that a request is legitimate, and payment could follow such confirmation.
The best way to maintain confidentiality is to make it easy to maintain. Provide training on firm policies and procedures surrounding privacy. Include a short examination to confirm that the material was understood. Then, have employees sign a document indicating that they understand the policies and procedures. This step reinforces that employees must pay attention to these items and follow the firm’s procedures regarding them.
No matter how seemingly reliable your confidentiality measures are, leaks will happen. When they do, it is crucial to investigate what happened and take appropriate steps quickly. This may mean changing a process that is deemed to be faulty. It may also mean taking disciplinary action if employees are not following proper firm protocol regarding confidential client information.
One of the riskiest times for a firm and its confidential client information can be when an employee is getting ready to leave the company. It may not be feasible to limit all access to sensitive information during this time, especially if the employee is departing on good terms. But, it’s critical to understand that risk is elevated. Employees often take sensitive information to use later. Even with a non-compete agreement in place, it may be that the employee plans to use the information after the contract has lapsed. Or, if the staff person knows that things are not going well and feels like termination is on the horizon, malicious document destruction has been known to happen. It is imperative to make sure that you try to understand your employees’ frames of mind and intentions so that you can be aware of heightened risks.
The risks of failing to properly secure confidential client information cannot be overemphasized. Loss of business, clients, and reputation can all result, not to mention lawsuits. But if you take steps to ensure that your firm’s and clients’ private information is secure, you can minimize those risks. You can feel comfortable that you are doing what you can to keep confidential client information as it should be: confidential.