Accountants, doctors, and law firms—we trust them with our sensitive information, but increasingly it’s obvious that these businesses, as well as the government agencies who hold such information, are hard-pressed to keep our data safe.
In March 2016, for example, more than 2.5 million patient records were put at risk due to stolen laptops, unauthorized access, and hacking, according to data from the U.S. Department of Health and Human Services. Typically, the information is used for fraud, especially the pursuit of healthcare benefits using other people’s information.
Law firms have similarly been widely targeted by online thieves. It's one thing for the rich clients of Mossack Fonseca to be compromised after hacktivists targeted the Panamanian legal firm, but other law firms serving businesses and consumers have not been immune from such attacks.
The rash of breaches in recent years underscores that consumers, not just businesses, need to consider the security of their service providers, says Jody Westby, an attorney with the American Bar Association’s Science and Technology Law group.
”It is a step forward to think about those organizations as vendors,” she says. “Vendor security is the No. 1 issue right now for businesses and consumers.”
The issues underscore that one of the greatest benefits of the Internet economy—the ability to conduct transactions without needing to be face-to-face—is also a great weakness. As not-present transactions have become the norm, the information that can be used as a digital identity—known as “fullz” in the underground community—has become more valuable.
Experts say that a little due diligence can go a long way. Here are some basic steps that consumers can take to make sure that their accountants, doctors and lawyers protect their information.
1. Know your vendor
Banks are required to “know their customers.” The reverse is just as useful: People should know their businesses.
Some industries provide information on service providers. In February 2016, for example, the IRS launched a public directory of tax preparers. While the IRS verifies the credentials of attorneys and certified public accountants, the information is voluntarily submitted, so may not be complete. Yet, professional associations—such as the National Association of State Boards of Accountancy and the National Association of Enrolled Agents—have directories to help verify the credentials of accountants.
Accountants and other service providers “have ethical obligations to their customers,” Melanie Lauridsen, senior technical manager with the American Institute of Certified Public Accountants, said during a recent press call. “We constantly stress that to our members.”
If you already have a relationship with the business, ask your accountant, doctor or lawyer for information about the security and how they protect your information. They may not know, but they should be able to refer you to the person in the office who does.
2. Know what they've done about security
Good businesses may have bad security practices. Doctor’s offices, health insurers and hospitals have been widely targeted by hackers.
While physical theft (of a computer or tablet, or files or records) is the most common reason for doctor’s offices and hospitals to report a breach, online intrusions tend to be the most damaging. Of the records endangered in March, for example, the largest proportion—2.2 million—were leaked in a single incident, the hacking of 21st Century Oncology. Information on such breaches can be found online, thanks to federal requirements.
While consumers will not want to get into the ins and outs of encryption, firewalls and backups with their doctors or accountants, asking a simple question—“what are you doing to keep my data safe?”—should yield an answer that reveals whether the provider has thought about the issues.
Consumers should ask their vendors whether they have ever had an incident. If they have, don’t necessarily hold that against them, but rather ask them what steps they now take to protect data, says AICPA’s Lauridsen. Frequently organizations are lax about security until they have an actual security incident.
“It’s a fair question to ask how did you respond,” she said. “It’s a good way to start a conversation about how they will protect my data.” Let them know that a lack of solid security could mean you'll be seeking another provider.
3. Keep your information private
While it’s almost certain that some part of your personal identification data has been leaked in a breach, you shouldn't stop trying to keep your information as private as possible.
Sensitive information should not be sent in email unless, at the very least, it is encrypted and the password provided through a different channel, such as over the phone or in person. In addition, consumers should not provide information to businesses with whom they do not have a pre-existing relationship.
Mining personal information has led, for example, to billions of dollars' worth of losses each year to criminals who use the data to file fraudulent tax returns and collect unwarranted refunds. In 2015, tax-refund fraud—where criminals use consumers’ information to file for tax refunds from the Internal Revenue service—accounted for 45 percent of reported identity-theft cases, a massive increase from the previous year’s 30 percent, according to the Consumer Sentinel report published annually by the U.S. Federal Trade Commission.
While much of that information is already out there, consumers can make it harder on thieves by asking the right questions and thinking about the security of their digital identity.