Confidential Communications in a Digital World
CPAs are entrusted with clients’ most private and confidential financial information. While there are a variety of security requirements from various regulatory sources, CPAs should always strive for the highest levels of security for all confidential information regardless of formal requirements. For communications to be secure, the recipient’s identity must be authenticated before granting access. As a result, security often creates an extra layer of inconvenience as authentication can be cumbersome. Having the right processes and tools in place can alleviate some of the inconvenience.
There are two main types of digital communication — continuous and sporadic — and both can entail sensitive document transmission. Continuous communication represents the stream of reciprocal communication that CPAs often have with clients and colleagues. Sporadic communication represents the one-off communication a CPA may have with someone he or she does not interact with on an ongoing basis.
Without the right tool, security can easily become a clumsy nightmare. The old method of emailing password-protected/encrypted PDFs entails quite a few extra steps. To reliably authenticate the recipient, the password needs to be transmitted via another secure method such as a phone call. The protected/encrypted PDF method ends up being unwieldy for both the sender and the recipient. The sender has to password-protect files and securely transmit the password, while the recipient must retrieve the password and unlock the file. It is no surprise that these types of solutions are often disliked by clients and are often abandoned by practitioners.
While there are a variety of platforms and communication options that guarantee a great deal of security and privacy, many of them can create challenges and lack seamless usability. As the goal and frequency of communication differ per contact, it is no surprise that CPAs often need to use different secure communication tools based on the need.
Many practitioners are adopting platform-based communication/document exchange tools for continuous communication with their clients. Authentication by these platform-based communication tools is achieved by requiring the parties to create an account and log on to the platform. Once authenticated, the user is able to enter a secure environment and utilize the platform’s communication/document exchange features. While these platform-based tools are certainly not as seamless as regular email, they are often packaged with additional features that may be useful to both the sender and recipient. Document request lists, organized document repositories (initial documentation and client deliverables) and electronic signatures are just some of the features CPAs may find useful.
However, platform-based tools are typically too bulky for sporadic communications. Recipients do not want to go through the inconvenience of creating an account and password to retrieve a short message or file. These types of communications require a quicker and more seamless communication tool. Email encryption is perhaps the most effective way to preserve convenience while maintaining security. Most providers allow for the encrypted transmission of both email and attachment. In instances where both users are using the same tool set, the encryption platform can authenticate the sender and recipient seamlessly. In these scenarios, the emails will be viewable by both sender and recipient as a regular email; if the email is intercepted by a third party, the contents will be unreadable to that unauthorized recipient. In instances where the recipient is not utilizing the same tool set, the recipient will be prompted to authenticate that they control the email address to which the email was sent.
The new generation of security tools does a good job of alleviating some of the authentication pains, but there is still a long way to go before seamless and secure communication is a reality. Having access to convenient security tools can greatly reduce the inconvenience factor, but it is likely that an organization may need to adopt multiple tools for various modes of communication. Ultimately, all CPAs need to be mindful of the dangers of exchanging confidential information on the open internet. One would never send confidential information in see-through envelopes; the same diligence should be maintained in the digital world.
Karolis Matulis, CPA, CVA, is a supervisor at WilkinGuttenplan. He is a member of the NJCPA Emerging Technologies Interest Group (#NJCPATech).
This article appeared in the September/October 2020 issue of New Jersey CPA magazine.