It being early March, we are now in the heady season after employers send out tax forms, when everyone scrambles to file their taxes. This means we are also in the season when fraudsters race to file false tax returns using stolen identity information, a form of identity theft. Worse, the FBI recently issued a PSA warning of an increase in W-2 phishing. “Phishing” is a mode of scam in which a fraudster uses an official-looking email to obtain access to information or a system, sometimes posing as a company’s internal employee or executive, sometimes pretending to be a customer or vendor, and sometimes even pretending to represent a government agency. The omnipresence of technology in our lives, from smartwatches that send and receive emails, to calendars kept entirely by computer, to communication that is predominantly electronic, makes these problems, and this time of year, particularly troublesome.
These concerns are not academic: a well-known software company may have accidentally released employee W-2 tax forms in a phishing attack in 2016. A large property management company may have similarly released confidential employee information due to phishing last year. Weeks ago, a Kansas company also gave up W-2 forms to a phishing attack. The FBI does not issue warnings idly.
Therefore, it is worth taking a few moments to review internal policies regarding collecting, keeping, transmitting, and deleting sensitive information. We recently touched on some of this in an article regarding document retention policies, but some policies should be fairly obvious: Have a firewall. Use network security. Don’t collect information you don’t need. Don’t store sensitive data openly on your network or servers. Don’t keep sensitive data on your network after it is no longer needed. Don’t allow emailing of sensitive data unless necessary, and require confirmation by phone or in person before such a transfer. Restrict access to such sensitive data where possible. That’s a start.
It is also worth having in place a plan for what to do when (not if) some sort of data breach or release happens. Many states, and the federal government, now have statutes that impose requirements, in many cases with serious penalties for failure to comply. For example, the federal “Gramm-Leach-Bliley Act” has particular requirements for financial and insurance institutions that include notification and limitations on the use of some information. Virginia has a statute that also requires notifying the state Attorney General if “unencrypted or unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person…” Similarly, Maryland has the “Personal Information Protection Act (PIPA)”, which both requires implementation of “reasonable security procedures” and punishes violations under statutes regulating “unfair or deceptive trade practices”. It is not advisable to find out after a breach what you were required to do before it, while you are also trying to find out whom you are required to inform and what the consequences will be.
If you have any questions about this topic, please contact Steve Setliff at (804) 377-1261 or firstname.lastname@example.org.