In the 11 weeks since the novel coronavirus first made its way to the U.S., Americans have been forced to conform to sweeping changes as schools and businesses made the move to shut down and governments enforced lockdowns, stating individuals must be confined to their homes to stop the spread of COVID-19.
Now the IRS has made its own, unprecedented move in response to the pandemic: extending the tax filing deadline to July 15, and allowing its employees to accept tax documents via email, along with images of signatures.
In a three-page memorandum sent to tax preparers and IRS employees, the Treasury Department announced that beginning March 27 the IRS is temporarily allowing its employees to accept "images of signatures (scanned or photographed) and digital signatures on documents related to the determination or collection of tax liability." It is also implementing a temporary deviation that allows IRS employees to accept documents via email and to transmit documents to taxpayers using established secured messaging systems.
The move was made to make it easier for IRS employees and for taxpayers and their representatives, most of whom are now working from home due to the COVID-19 pandemic, to carry out their functions without any human contact.
But tax experts say this decision opens up a whole consortium of concerns.
"These tax documents being sent have everything about the taxpayer's personal identity. Suddenly, something that hasn't been considered secure or compliant by several industry standards — transmitting sensitive data as an email attachment — is now being allowed by the IRS. Only in very select cases would this be considered okay under normal circumstances," says Jesse Wood, CEO of document-management software company eFileCabinet.
Wood says he is most concerned about the measure to allow email attachments. "If you send an attachment via email, it will be saved on all of the IRS' servers and not encrypted. So anyone with access to these emails would be able to grab the information." He says that often the IRS gets backed up and emails are left on its servers for days.
"I recognize the need for certain concessions to be made so tax professionals can do their jobs without having to leave their homes. But if they're not careful, then the preparer and their clients can get caught in a very bad position. Sharing these essential tax documents electronically with clients or the IRS isn't a bad thing, but it needs to be done the right way," says Wood.
The IRS is requiring an attached cover letter as a form of consent from the taxpayer, acknowledging that they understand what they are doing. Wood says "that essentially leaves all liability with the individual."
Brian Streig, tax director at Calhoun, Thomson and Matza, understands the need for the IRS to implement measures to make it easier for filers and tax preparers to do their jobs during this crisis. But he adds, "I would be worried if the IRS continued to allow this beyond this point. It's definitely a security risk, but they had to have a balance."
Wood says that security breaches usually are the result of human error, lackadaisical security practices and a lack of common sense. "Hackers specifically target individuals and businesses and will jump on the opportunity to intercept unencrypted files."
On April 2 the IRS issued a warning about coronavirus-related scams.
With the tax season extended to July 15, 2020, and most of the world doing business online, now is the time to get up to speed on how to protect your personal data. Fortunately, it's easy, says Wood. "Most of the tools and systems are widely available and easier to set up than an email account." Here's how to securely sign, file and deal with digital file-sharing during the COVID-19 pandemic.
1. Know where your data is and who is handling it. Being a little knowledgeable about how your personal data is handled can go a long way. You want your CPA to be an expert number cruncher and personable, but they also need to be knowledgeable about data security — especially now that nearly everything is being done digitally, says Wood.
When consulting with an accountant, he says you should ask the following four questions: Where do you store my personal data? Who has access to my data? How will you share forms and information with me? What kind of backup do you utilize?
If they can't give any clear answers to these questions, then that's a huge red flag.
2. Know what encryption is and the type you or your accountant is using. "Data is not usable unless you have the key to unlock it," says Wood, explaining that encryption is the primary method of keeping data secure on the internet. He says the two main types you or your accountant should be using are 256-bit AES and SSL/TLS. In short, Wood says, 256-bit AES is bank-level encryption.
"In theory, it would take a supercomputer millions of years to decode a file encrypted with this standard," he says. SSL/TLS is the standard most of the internet uses to establish secure communication between computers.
"Nowadays, your web browser will notify you if it detects a website isn't secured with this encryption. You need to make sure your tax preparer is using applications that incorporate these two essential security measures," he says.
3. Never share sensitive data over email. Wood says that although most email services use some form of encryption, you are still trusting your sensitive data with a third party — meaning it's going through another location before its intended destination. Worse yet, he says, many services store your messages and attachments on their servers. "The IRS will get backed up, which means it could be sitting on their server for days."
Instead, he says, encrypted file-sharing systems create secure connections directly between your computer and the server they're being stored on. These types of services ensure your data is entirely encrypted, whether it's at rest or being transferred between you and your accountant. These systems also automatically log who has had access to your data and when. "It's fine to communicate with your accountant over email about certain things, but not when it comes to personal data," says Wood.
4. Utilize multifactor authentication. "A secure system should use multiple levels of authentication, so even if a malicious party gets hold of your password, they still can't get in because they don't have your fingerprint or a randomly generated code on your phone," says Wood.
Using multifactor authentication will keep them out. He says there are three main methods of authentication — something you know (password); something you possess (a mobile phone); and something you are (biometric). A secure system should use multiple levels of authentication, so even if a malicious party gets hold of your password, they still can't get in because they don't have the randomly generated code on your phone or your fingerprint," he says.
Disclosure: NBCUniversal and Comcast Ventures are investors in Acorns.