For CPAs and their clients, having a way to share sensitive payroll data directly should be mutually beneficial. Sharing reports through a central system that both parties can access from anywhere eliminates back-and-forth communication or digging through old emails that waste everyone’s time. Instead, a busy CPA should be able to log into their payroll service dashboard, pull up a specific client payroll report and find the data they need right away.
Having direct access to clients’ payroll data helps CPAs close some data security gaps that are present when this information is being shared via paper reports or through insecure email accounts. Keeping payroll data in a password-protected cloud-based system allows you and your clients to control access tightly—but human error, internal fraud and cybercriminals are still potential threats. Read on for four ways CPAs can safeguard clients’ sensitive payroll data.
1. Refresh data security training for anyone who has access to sensitive payroll data.
A lot of the work CPA firms have to do to maintain data security falls to whoever’s in charge of IT. You won’t be able to protect any of the client data you access if malware or ransomware is already on your network.
On the training side, make sure you have a systematic method for keeping your data security training current. Password policies, phishing awareness and WiFi best practices should all be top of mind for anyone with access to sensitive data, including sensitive payroll data belonging to clients. That might require refreshing security awareness training every six months or so. In a firm where multiple employees have access to private data, spot testing throughout the year, using strategies like unannounced phishing tests, lets you assess how well everyone remembers their training.
2. Maintain written protocols around data security that you can share with clients.
Most of your clients are probably concerned about data security. Creating and sharing some information about your internal protocols reassures these clients that their CPA is proactive and transparent about protecting their private data. These protocols should cover practical things like which methods you will (and will not) use to contact clients when you need information from them; that helps clients guard against handing sensitive data to someone impersonating you. For example, you might say something like, “We’ll send messages through the secure client portal but won’t email you asking for things like payroll reports; call us first if you ever have doubts that a message that’s from ‘us’ is legitimate.”
CPAs might even prepare a sort of “frequently asked questions” document to share with clients, including things like:
- What data security laws are you in compliance with? For example, any CPA who works with clients in Massachusetts should be familiar with 201 CMR 17, the law designed to protect all personal information belonging to Massachusetts residents. Let clients know that you’re aware of and in compliance with any state-specific data security laws that cover your client base, and that any platforms you use to share data with clients are also compliant.
- How would clients be notified if a breach did happen? Assure clients that a breach is unlikely but that if one did occur that involved their data, they would be notified in writing as quickly as possible.
- What other kinds of data security protections do you have in place to protect clients? Do you use a password manager and two-factor authentication to control access to the client’s payroll service? How about access to your own client portal? Do you change passwords at least every 90 days? Share an overview of all the steps you’ve taken to follow data security best practices.
- Do you print out physical copies of client payroll data, and if so, what policies are in place to safeguard that data? Paper records need to be protected just as vigorously as digital records! Either reassure clients that their sensitive payroll data is never stored in physical files or describe the procedures you use to protect and ultimately destroy those files.
3. Investigate the data security protocols of your chosen cloud-based payroll software.
Make sure any payroll service you or your clients use to create and share payroll reports employs multiple layers of security against unauthorized access. In addition to using security measures like encryption and multi-factor authentication to keep unauthorized users out, you’ll want to ensure the payroll provider alerts the authorized users whenever account information is changed or whenever a potential security issue is flagged.
4. Stay attuned to anything that seems “off,” especially while working with sensitive payroll data.
Knowing that payroll data is so valuable to cybercriminals, CPAs need to maintain a high level of vigilance while accessing and working with this kind of client data. Don’t discount glitches, network error messages or anything that seems remotely unusual while accessing client payroll reports through your payroll service, communicating through your internal client portal or working with any client payroll data on your network.
Have Concerns About How to Secure Sensitive Payroll Data for Clients?
We know CPAs feel the weight of the responsibility to protect all the private data that clients share. Safeguarding their payroll data is one thing you don’t have to manage alone. ConnectPay’s data security protocols are extensive, 201 CMR 17 compliant, and constantly being updated to reflect current threats. CPAs in our Accountant Partnership program can focus on helping clients make the most of their payroll data and leave the security technicalities to us. Have questions about how ConnectPay can help or about any of our data security protocols? Let’s connect today.