Recent revelations that several prominent tax planning solutions were leaking data to third parties have raised questions about how accountants can protect themselves and their clients in an age where such information has become a valuable commodity.
As first reported in the MarkUp, a number of software solutions associated with TaxAct, TaxSlayer, Intuit and H&R Block were found to have been leaking data due to the presence of trackers associated with companies like Meta (the owner of Facebook) and Google. Such trackers, commonly used throughout the internet, are generally used to train their algorithms as well as optimize direct marketing campaigns. These trackers were used to collect personal information ranging from (in the case of Intuit) just usernames and last device used to, for some others, actual financial data including filing status, adjusted gross income, and refund amounts. While names were obscured, the process used to do so can be easily reversed.
Brian Tankersley, director of strategic relationships with K2 Enterprises, has spent a number of years warning professionals about this very thing (see our interview). On the one hand he feels vindicated by the recent news. On the other, he was sad to see just how widespread this issue is in the accounting technology space, noting that trust is one of the major reasons why people hire accountants in the first place.
“Let’s say I’m a client. You have an agreement with Brian Tankersley CPA. I have my ethical responsibilities. Now you find out your employee salaries have been shared with Experian and you didn’t specifically authorize that. And then you find out that data has been shared with Credit Karma and you didn’t specifically authorize that. And you find out that, potentially, when people electronically pick up 1099s and W-2s from your software that the data may be shared in one indivisible store of data used by an organization,” he said.
One of the problems, he said, was that many people don’t even know what they’re agreeing to when they install a piece of software — while many of them have privacy policies tucked away in their terms of service agreements, oftentimes they’re so difficult to understand that a user would need a law degree to properly interpret their clauses (and even that, that might not be enough). Tankersley said that if companies really were prioritizing privacy, or at least, transparency, they wouldn’t make the agreements so confusing.
If one takes the time to go over these agreements with a fine-toothed comb, what many would find, according to Tankersley, is “most of them” are written in a way that the provider is the one with all the rights and the user has few or none.
‘We didn’t actually sell it …’
Tejas Gadhia, a product manager and evangelist with Zoho, raised similar points, saying that many privacy agreements, at their heart, tell people they should have no expectation of privacy or, even worse, tell people that the company respects user privacy while carving out myriad clauses for exceptions.
Tejas added that just because a company does not share data with third parties does not mean their privacy is totally secure. He raised a hypothetical example of a tax software company that might also own a credit monitoring service. While people may think their data is held by the former, they may not be aware it’s also being shared with the latter. This means that, theoretically, the information used by the tax software could possibly affect one’s credit score without the user knowing this is happening. They may only find out, he said, the next time they’re trying to apply for a home loan.
“They technically didn’t do anything that wrong from a legal perspective, so it’s not always that first-party data is fine and won’t connect to a third party,” he said.
Will accountants get blamed?
Tankersley said that while the data leakage could represent a breach of professional ethics, it likely won’t result in anyone losing their licenses. However, the reputational cost to the profession could be severe if people don’t fully trust that their financial information will remain private. While an accountant might be able to legally protect themselves by warning in their engagement letter that client data might be leaked to third parties, such a disclosure would likely not be received well by a prospect.
“The trust that society has in our profession is contingent on our ability to keep our mouths shut and our ability to not leak data to the outside world. When that is compromised, then our utility to the business community is much less,” he said.
Gary Florian, vice president of underwriting with professional liability insurer Camico, said that while using software that leaks information to Facebook or Google does create some litigation risk, so far it has not affected a firm’s insurability. He noted that, at least from his perspective, he has not seen any inquiries from policyholders regarding the matter. While there might be some in the future, so far he does not see widespread risk.
“You could sue a ham sandwich. You can get sued over anything. So if a firm is in this situation, I’m sure they could get sued. But are they liable? Or is there another party who is more liable than the accounting firm? That’s really up to the claims department to sort out,” he said.
That being said, Florian said accounting firms who are in this situation should probably notify their insurers, who would likely want to know if their software has been leaking information to third parties.
“They should notify their insurance company right away. Even though no claim has been made against them, there is the potential matter that exists. [This is] in order to get assistance from the insurance company, as well as to avoid any potential future denial of a claim because you knew about the situation and didn’t report it. So, first thing is to notify the insurance carrier,” he said.
He also recommended that accountants communicate with the software vendors as well and, possibly, stop using their products until they can get a better idea of what data is going out and whether they can stop it.
“We would recommend … that they immediately talk to those vendors and find out what’s going on and get assurances that it’s not continuing to occur. Because the accountants have a professional duty when they have custody of client records to maintain those records confidentially,” he said.
The allure of data
Zoho’s Tejas said that these privacy issues stem from the fact that data has become so much more valuable and all companies are under rising pressure to increase earnings, especially if they have shareholders to please. If a company is having trouble producing revenue in other areas, it might look to data as a way to wring out more profit. His own company, he said, avoids these pressures by keeping costs low through things like not setting up in major cities and not overspending on marketing.
He also noted that their original core service, business email, inherently favored privacy because they guessed that people would prefer not to give their information to advertising networks. Later products followed this same mindset to the point where the company eventually drafted a privacy pledge that became a key part of its brand identity. This has sometimes impacted its partnerships and integrations, as many times potential partners wanted a data-sharing agreement, but overall he felt it has been worth it to preserve the company’s privacy focus.
Tankersley noted, though, that as a professional he shouldn’t even need to worry about privacy in the first place. Solutions marketed to accountants should understand the need for client confidentiality. He found the fact that this was something he needed to worry about highly objectionable in and of itself.
“If you’re going to process data for me, as a CPA, I should not have to worry about what you do with that data on the back end. It’s kind of like when you get married. You should not have to worry about what your spouse is doing when you’re not watching. If you do, maybe you’ve got the wrong spouse,” he said.