The IRS is now recommending that taxpayers use their driver’s license number to provide another layer of security when electronically filing a federal tax return. A few states, notably New York, Ohio, and Alabama, are requiring a driver’s license number, or an equivalent, for state returns. This sounds promising at first—another layer of verification to help prevent tax identity theft seems prudent. However, as with many other “good ideas,” the unintended consequences can cause problems.
This new use for driver’s license numbers should raise concerns among CPA firms about data security and the potential for a cyber breach. Most CPA firm staff and clients have been trained to treat Social Security numbers (SSNs) with exceptional care, but the same has not necessarily been true of driver’s license numbers (DLNs). While the reasons for that, explained below, are understandable, the increased relevance placed on DLNs has made them a new high-value item for criminals and CPA firms alike.
Regulatory requirements
Why do CPAs need to be concerned about the possibilities of a data breach involving driver’s license numbers? The first reason is that while the 47 state and territory breach notification laws are different, they all qualify DLNs and SSNs as being equally important pieces of personally identifiable information (PII). And while it’s important to consult competent legal counsel to understand the breach laws pertaining to your firm, California’s definition of personal information in its civil code regarding customer records (Cal. Civ. Code §1798.82) illustrates the point. Specifically, personal information includes but is not limited to the following:
(1) An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted:
(A) Social Security number.
(B) Driver’s license number or California identification card number.
(C) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(D) Medical information.
(E) Health insurance information. [Cal. Civ. Code §1798.82(h)]
As you can see, the driver’s license number is given equal status with the SSN. That is a concern because our experience indicates that a significant percentage of the population does not regard DLNs as being as important as SSNs when it comes to protecting personally identifiable information.
Views on driver’s license numbers
To illustrate the types of attitudes we encounter regarding SSNs and driver’s license numbers, we sent a couple of questions to 15 of our non-CPA but college-educated peers to determine how they view a lost DLN vs. a lost SSN. While certainly not scientific, the answers they provided give a voice to the attitudes the authors have heard in the field.
Question #1: “What would you do if your Social Security card was lost or stolen?”
Selected answers: “Freak out,” “Notify the credit agencies,” “Watch my credit score like a hawk,” “Purchase identity theft protection.”
Question #2: “What would you do if your driver’s license was lost or stolen?”
Selected answers: “Get a new one,” “Ask my (spouse) if they’ve seen it,” “Wait a week then go to the DMV,” “Is that a big deal?”
The difference in answers is telling. Lost SSNs are generally understood to be a serious threat to identity theft. Lost DLNs are perceived as a mere inconvenience.
To gain insight into how CPA firms view this exposure, the authors conducted an anonymous survey with 29 respondents. Respondents came from varying levels of seniority, firm size, and geographic location. Again, the results are not scientific but are interesting:
55% of respondents said they are collecting DLNs, but 35% didn’t know DLNs are considered PII. Consistent with that gap in awareness, nearly half were using insecure methods of collecting DLNs from their clients.
When asked if their clients knew DLNs were PII, 72% responded either “No,” or “Not sure.”
The risk
Now that driver’s license numbers are being used as a form of identification verification for tax return filing, it’s easy to see them becoming a high-value target for hackers and other cybercriminals. And if accounting firms and their clients don’t take care in protecting DLNs and other personally identifiable information, the results can be costly.
The Ponemon Institute’s 2016 Cost of a Data Breach study illustrates how costly a security breach can be. The average total cost of a data breach for the nearly 400 companies studied came to $4 million, or $158 per lost or stolen record. The cost was even higher in highly regulated industries, with an average cost of $221 per stolen or lost record in the financial services sector. Adding insult to injury, adverse media attention could further result in lost business opportunities and revenue for years to come.
Insurance can offer some protection, but not as much as you might expect. CPA firms can find insurance for a number of items, including credit monitoring for clients, forensic analysis of computer systems, removal of malware and system restoration, among others, but the Ponemon study found that insurance protection reduced the cost of a data breach by a mere $5 per record.
CPA firms also have to be concerned that improper breach notification to a client could be a violation of rule 1.700, Confidential Information, in the AICPA Code of Professional Conduct and also lead to problems with various regulatory bodies and state attorneys general. While the penalties vary, in several states fines can easily reach more than $100,000, and violation of Internal Revenue Code Sec. 7216 can result in possible conviction for a misdemeanor with a fine of not more than $1,000, and/or as much as a year in prison.
Partner action items
Educating the public at large is well beyond the capability of most firms. Even the IRS Taxpayer Guide to Identity Theft and IRS Publication 4524, Security Awareness Tips for Taxpayers, fail to mention the safeguarding of a DLN at this point. Resources should instead be directed toward training staff to speak with clients and toward implementing appropriate security measures to minimize the possibility of a breach.
Train your staff: If you already have training on internal firm policies that deal with handling and storing PII, place an emphasis on DLNs. Because the costs to your firm of losing an SSN and of losing a DLN are likely the same, treat them equally. In turn, your staff should be the direct link to your clients, reinforcing the necessity for the minor inconvenience of properly handling PII.
Implement appropriate security tools: Most firms already have the tools in place to protect DLNs. If your firm has previously implemented secure portals or encrypted email solutions to protect SSNs, it is simply a matter of educating your staff to use those same tools for DLNs.
Secure portals such as Citrix ShareFile allow you to insert a request link into your email to the client. With this link, the client can send an image of their driver’s license through an encrypted connection, protecting their DLN from nefarious characters.
Alternatively, using encrypted email to exchange PII saves the steps required when using a portal. Solutions such as the Secure Messaging application from Mimecast allow you to send secure email messages to your client and allow them to send PII securely in return.
Finally, it is easy to overlook a simple tool that has been available for years: your phone. A quick call to collect a DLN from your client is a simple and secure solution with a personal touch, provided the number is then entered directly into the firm’s secured systems rather than left on a note or in an unencrypted file.
—Joseph Brunsman (joseph@cplbrokers.com) is a vice president with Chesapeake Professional Liability Brokers in Annapolis, Md. He is a co-author of True Course: The Definitive Guide for CPA Practice Insurance. Dan Hudson (dhudson@cplbrokers.com) is a vice president with Chesapeake Professional Liability Brokers in Annapolis, Md. He is a co-author of True Course: The Definitive Guide for CPA Practice Insurance. Byron Patrick (bpatrick@networkalliance.com) is managing director of CPA practices for Network Alliance Inc. in Reston, Va.