[BreachExchange] Keeping Your Company’s Data Safe This Tax Season

Audrey McNeil audrey at riskbasedsecurity.com
Tue Feb 14 19:34:25 EST 2017


http://www.jdsupra.com/legalnews/keeping-your-company-s-data-safe-this-86971/

Tax-related identity theft is nothing new, but tax season 2016 took tax
schemes to a new level.

Last year, our cyber experts advised a large cluster of clients (public and
private companies) over a period of only two weeks, following a nationwide
explosion of deviously simple attacks—mostly targeted at mid-size
companies—that followed the same fact pattern: the Director of Human
Resources or Chief Financial Officer received an email appearing to come
from a senior executive (normally the CEO) asking for copies of all of the
company’s W-2 tax forms; the recipient was fooled by the email and sent the
requested records to the attacker; and hours or days later, the company
came to the sickening realization that hundreds, if not thousands, of
personnel records were compromised. Even worse, the stolen information was
rapidly exploited in fraudulent tax return filings, diverting expected tax
refunds to the scammers, and saddling often the most senior (highly
compensated) company employees with a huge headache of sorting out their
personal finances and tax return status with the IRS.

These tax refund theft attacks are highly automated, quick, easy, and
inexpensive to initiate, and last year fraudsters blanketed businesses with
record volumes of them. As simple as the attacks are, protecting your
employees in the aftermath can be a difficult and painful process.

The good news? You can very easily prevent this scenario from unfolding at
your company:

Send your employees – especially in the HR, payroll and finance functions –
an urgent reminder that no one will ever ask them to email W-2s,
particularly in bulk. And by all means, be sure that is the case. Sensitive
documents like these should never be emailed, unless doing so is explicitly
authorized by company policies and secure protocols are followed.

If your employees receive a request for access to (other) employees’ W-2
forms or tax data, they should call (or better yet, speak in person with)
the requestor and also a supervisor to validate the origin and purpose of
the request before taking any further action. (Another option is to require
any such request to be digitally signed by appropriate personnel.) Ask
first, not after sending! Even then, there is almost certainly a better way
to answer a legitimate business question than sharing this sensitive
employee data via email or otherwise.

Take action now to limit who has access to tax and payroll information to
begin with. While many times these attacks target individuals with
legitimate access to employee records (like the Director of Human
Resources), reducing the number of people who have access to this data
exponentially reduces the risk that it will be improperly shared.

Institute firm encryption policies that require human resources data (and
other sensitive information) to be securely encrypted when in transit,
without exception. Also remember that passwords must be sent separately
(unfortunately, we witnessed a few occasions where companies did the right
thing and encrypted their data, only to then share the password with the
attacker).

Acquire software that alerts employees when they are sending an attachment
to someone outside the company. Some programs can scan and block outbound
email that includes attachments with sensitive information like Social
Security numbers. Using these tools can help to prevent accidents.
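The outbound-mail check described in the last item, as an added illustration that is not part of the original article or any product it alludes to: it warns on any attachment leaving the company and blocks the send when an attachment or the body carries Social Security number patterns or W-2 wording. The company domain (example.com), the look-alike recipient domain, the W-2 export text and the SSN structural rules it screens with (area not 000, 666 or 900-999; group not 00; serial not 0000) are constructed or assumed for the example; real deployments would run this on text already extracted from PDF and spreadsheet attachments.

```python
import re
from dataclasses import dataclass, field

# Assumed company domain for the example; any other domain is treated as external.
INTERNAL_DOMAINS = {"example.com"}

# SSN shape AAA-GG-SSSS, excluding values the SSA never issues:
# area 000, 666 or 900-999; group 00; serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Phrases that appear on W-2 forms and bulk payroll exports (lower-cased for matching).
W2_MARKERS = ("form w-2", "wage and tax statement", "employer identification number")


@dataclass
class OutboundMessage:
    sender: str
    recipients: list
    subject: str
    body: str
    # filename -> extracted text (text extraction from PDF/XLSX assumed done upstream)
    attachments: dict = field(default_factory=dict)


@dataclass
class Verdict:
    action: str                                  # "allow", "warn" or "block"
    reasons: list = field(default_factory=list)


def external_recipients(msg):
    """Recipients whose mail domain is not one of the company's own."""
    return [r for r in msg.recipients
            if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]


def count_ssns(text):
    """Number of SSN-shaped values in a piece of text."""
    return len(SSN_RE.findall(text))


def evaluate(msg):
    """Decide whether an outbound message may leave the organisation."""
    ext = external_recipients(msg)
    if not ext:
        return Verdict("allow")                  # purely internal mail is out of scope here

    reasons = []
    # Rule 1: any attachment addressed outside the company earns at least a warning
    if msg.attachments:
        reasons.append("attachment(s) addressed to external recipient(s): " + ", ".join(ext))

    # Rule 2: SSNs or W-2 wording in the body or an attachment blocks the send outright
    sensitive = []
    for name, text in [("<body>", msg.body)] + list(msg.attachments.items()):
        n = count_ssns(text)
        if n:
            sensitive.append(f"{name}: {n} SSN pattern(s)")
        if any(marker in text.lower() for marker in W2_MARKERS):
            sensitive.append(f"{name}: W-2 wording")
    if sensitive:
        return Verdict("block", reasons + sensitive)
    return Verdict("warn" if reasons else "allow", reasons)


# Constructed sample: a payroll export about to be mailed to a look-alike domain.
W2_EXPORT = (
    "Form W-2 Wage and Tax Statement 2016\n"
    "Employee SSN 123-45-6789  Wages 184000.00\n"
    "Employee SSN 234-56-7890  Wages 152500.00\n"
    "Control number 000-12-3456\n"               # not a valid SSN shape, must not count
)

SUSPICIOUS = OutboundMessage(
    sender="hr.director@example.com",
    recipients=["ceo@example-com.co"],           # constructed look-alike domain
    subject="RE: W-2s for all staff",
    body="Attached as requested.",
    attachments={"w2_export_2016.txt": W2_EXPORT},
)

INTERNAL = OutboundMessage(
    sender="hr.director@example.com",
    recipients=["payroll@example.com"],
    subject="W-2 reconciliation",
    body="Internal copy for payroll.",
    attachments={"w2_export_2016.txt": W2_EXPORT},
)

BENIGN = OutboundMessage(
    sender="hr.director@example.com",
    recipients=["vendor@supplier.example"],
    subject="Q1 kickoff",
    body="Agenda attached.",
    attachments={"agenda.txt": "Q1 kickoff agenda: introductions, timeline, questions"},
)

if __name__ == "__main__":
    for m in (SUSPICIOUS, INTERNAL, BENIGN):
        v = evaluate(m)
        print(f"{m.subject!r} -> {v.action}: {v.reasons}")
```

The verdict levels map onto the article's two product behaviours: "warn" is the alert shown to the sender for any external attachment, and "block" stops the message when the scan finds SSNs or W-2 content. The "block" reasons are exactly what an incident responder would want logged, because they name the attachment and the count of records that were about to leave.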

If you think that your company has already been a victim of one of these
attacks:

Speed is of the essence! Begin working to identify which of your employees
may have been affected. Last year we routinely saw timeframes of less than
24 hours between the attack and the filing of the first fraudulent tax
returns (stealing large refunds, in some cases). Your employees can take
steps to protect themselves with the IRS, but only if they are given the
proper notice.

Don’t go it alone. State data breach laws are confusing, often requiring
you to share information in one state, while forbidding the same sharing in
another. Short timelines and high stress can compound the problem for your
company (and its employees), while attracting unwanted attention from state
regulators. Call your data security counsel immediately.

Gather your company’s insurance policies. Your data privacy counsel may
recommend that you notify your employees and procure for each of them
identity theft monitoring and prevention services. While coverage for this
sort of “attack” will vary, notices and services may be covered by your
company’s liability insurance and it helps to know the terms and limits of
your policies.