Tax Season and Information Security
Someone stole your identity. Four words that made my stomach flip, my pulse quicken, and a flurry of questions run through my mind:
- Had I been careless?
- What happened?
- Who would do this to me?
For most people, tax season is wrapped up by mid-April, if not sooner. Not for me, not this year. Even in September, I am still in the midst of filing my taxes. No, I am not a serial procrastinator, just one of the millions of Americans served the unfortunate news that my personal information was compromised and used to take my identity in an attempt to steal my tax return. After reporting the fraudulent return, I received the IRS’s version of solace when they explained that this year, identity theft was so prevalent that a special facility was established to handle just such cases.
Typically, proving your identity is not very difficult – your address and maybe the last four digits of your social security number are all you need. When that personal information has been compromised, it can no longer be depended on to identify you.
In order to prove to the IRS that I was who I said I was, I had to correctly answer a series of questions about myself. It seemed simple enough, until the questions started coming my way. The information was from so long ago that it was difficult to answer with 100% certainty; questions such as “What was the name of the temp company that placed you at a high school summer job?” were difficult to answer.
For other questions, the context was unclear and left me confused: Had I ever lived at a certain address with my mother? (Answer: yes), but the question was phrased using her remarried last name, which she did not acquire until a decade after we lived at the address… how should I answer that question?
Though confusing and tedious, I “passed” the test, proving I was who I claimed to be, and received a list of actions I needed to take to move forward.
I learned that protecting an identity involves two key practices – theft prevention and theft response. From a prevention perspective, key strategies are to minimize exposure of personal data and to file a tax return early to minimize the duration of time for someone to file it in my place. My data—including my social security number—was compromised through an online tax filing software which had suffered a significant breach in 2014. I became aware of this at the absolute lowest point of this whole process, when I received a bill from the software company for the services the hacker used to file my taxes this year. Literally a bill for the tool the thief used to steal my identity.
The response portion is threefold. My process for responding to a stolen identity involved contacting a long list of government agencies and financial institutions, hours of sitting on the phone on hold, filing police reports, and incurring the monetary cost of additional hours billed by my accountant. In response, each of the agencies utilizes processes to handle these types of cases. For example, the IRS has a facility dedicated solely to manually processing refiled taxes due to identity theft. The software company whose databases were hacked had to invest in policies and procedures to recognize, communicate, and respond to impacted customers about what had happened and what could be done to resolve and correct the damage done.
One of Kenway’s core offerings is building out an IT Strategy for clients, and a key part of that strategy is the IT Security plan. As a consultant, I recognized that prevention and response were not unlike the approach businesses should be taking when developing their IT Security plan. Nowadays, it is common to see in the news that data has been lifted from department stores, banks, software companies, etc. Thievery has broadened beyond just credit card numbers, aiming now to take personal data: addresses, social security numbers, and online passwords – information to serve as a passport for thieves to use your identity to their advantage. Recently, employees’ personal data was the target of a breach of the federal government’s systems.
An Information Security plan does not only entail the measures put in place to protect and maintain company data and physical assets, but also the practice of how the organization will respond to each of its stakeholders (partners, customers, employees, etc.) should a breach occur. Organizations should ask themselves:
- What does IT Security mean for the organization?
- What is the cost of implementing the plan, versus the cost of various types of breaches (ROI)?
- What is our current exposure?
- How quickly can a team be mobilized to respond to a breach?
- How quickly can a breach be identified?
- Who is responsible for communicating to impacted parties?
- How does your organization rebuild trust?
News spreads quickly, and companies are measured on how swift, thorough, and actionable the information they provide is to those impacted by security breaches. Thinking back to how the tax software company responded to the breach that impacted me, had I received a communication about it or been provided steps to take to protect my identity, I would have had the opportunity to prevent my current situation. Instead, I was left uninformed and unprepared for the fallout. From my perspective, the company had every opportunity to do their due diligence; however, their inability to respond is why I will be using an accountant to file my taxes going forward.