The following article by Isabelle Syring and Robert R. Ragan, Jr. of CUSTOS IQ will appear in the August issue of The PIOGA Press.

Tax season is everyone’s favorite time of the year- in August the filing deadline may seem eon’s away, but the deadline is here before you know it. Tax season is known as the heyday of cyber and phone scams. Tax related identify theft or the harvesting of PII (Personal Identifiable Information), are the most common types of scams. Businesses tend to consider PII and tax related identify theft a consumer grade issue. Organizations often ignore the vast amounts of PII stored in the organizational environment, and forget the value of PII on the black market. In this article, we intend to provide the bare necessities organizations need to have in place to protect PII or Tax-Identify related information stored in their systems.

As oil and gas producers, organizations have unique requirements for retaining and protecting PII. PII is used by organizations to pay royalties, report royalty income to taxing authorities, bill gas consumption to landowners, or issue Tax-Forms to consumers and employees alike. IRS rules require organizations to retain seven years of financial data for audit purposes. Organizations that neglect to purge tax information and other PII in a timely manner, face increased liability should a data breach occur. Permanently stored customer data in the organizational IT-Infrastructure, i.e., applications, cloud based services, or databases provide more information ready for theft.

A popular method of shifting liability is the outsourcing of financial services and ergo, any tax-identity related information. Nonetheless, outsourcing requires the exchange of tax-identity related data or PII with the Third-Party financial service. Post-exchange, IT-Administrative employees may either never purge the obsolete data or the 7-year IRS rule for data retention supersedes. Once the tax -return is sent to the IRS or the W4 is sent to the employee, an organization no longer controls a documents integrity. Nonetheless, businesses can control and adequately protect tax-identify related information while the PII is retained in the environment, and reduce organizational liability.

To help Oil and Gas Producers and Allies better understand PII and Tax related-identify theft, let’s start establish the data contained in Tax-forms . PII is considered information, “that can be used to distinguish or trace an individual’s identity—such as name, social security number, biometric data records…. that is linked or linkable to a specific individual (e.g., date and place of birth, mother’s maiden name, etc.) (National Institute of Technology and Standards).” In addition, many Producers store further tax-identity related information, including but not limited to banking and routing information or EIN numbers.

The organizational storage of PII or tax-identity related Information is regulated by U.S Federal Law. The Gramm-Leach-Bliley Act of 1999 (GLB) 15 USCA §§ 6801-6809, regulates the collection, use, safeguarding, and disclosure of PII. GLB affects organizations with in-house CPA’s or Tax Advisors. Further, GLB applies to businesses utilizing Third-Party Tax-Advisors, CPA’s or financial advisors for the outsourcing of financial work i.e., billing, tax-advice, accounting, etc.

In addition to GLB, Pennsylvania cyber-security law is based on the landmark ruling Dittman v. UPMC. In Dittman v. UPMC the PA Supreme Court ruled held that “an employer has the legal duty to exercise reasonable care to safeguard it’s employees’ sensitive personal information stored by the employer on an internet accessible computer system”. In 2018, UPMC suffered a data breach affecting 62,000 UPMC employees. Criminals stole UPMC’s employees personal and financial information, including, names, birthdates, SSN, Tax Forms, and bank account information. In addition to the Dittman v. UPMC ruling, the Pennsylvania constitution assures the right to privacy, and GLB compliance helps consumers opt-out of Third-Party data management for PII.

Organizations regulated by GLB are required to have an in-house resource responsible for the management of GLB compliance. The GLB compliance program is required to meet the following objectives; (1) the notification of customers regarding the organizations data sharing practices with Third-Parties, (2) the implementation of a written data security program for the protection of PII or tax-identity related information, and (3) provide customers a right to opt-out of information sharing with third-parties. GLB considers any information, whether past or present protected through the applicable data-security plan developed in-house by the managing resource.

A risk analysis conducted by a third-party prior to the development of the data security plan will help understand the thorough risk or liability held by the organization handling PII or tax-identity related information. A risk analysis will not only identify data risks, but highlight general network/workflow vulnerabilities and provide insight for addressing risks. After a successful third-party audit and remediation of immediate risks, a data security plan is implemented to reduce organizational liability. Ideally, plans are created according to the MITRE Attack Framework, which utilizes the following pillars of cyber-defense; (1) Protect, (2) Identify & Detect, (3) Respond, and (4) Recovery.

Consecutively, the security program should involve the physical development and implementation of an advanced security monitoring program and testing application. Data encryption is critical to protecting PII data in the event of a breach or the inadvertent export by a staff member who is authorized to use this information. Monitoring systems should be in place to detect PII from unauthorized transfer via email, file transfer, cloud storage, USB devices, etc. An organization’s written information security program needs to describes how customer (PII) information is protected. The program must be appropriate to: Company size and complexity, nature and scope of companies’ activities, sensitivity of customer information the company handles.

The plan should include technical details of access protection, data encryption technology, application security protections, policies and procedures, and a detailed workflow analysis of how staff members will comply with the policies established. Some areas the security policy should cover are:

  • Proper use of e-mail
  • Hard copy protection
  • Use of UPSP, FedEx, and UPS, etc.
  • Use of CDs, DVDs, hard drives, USB flash drives
  • Electronic copies (spreadsheet, file extracts, database, etc.)

PII requires additional protections as: End Point Detection and Response (EDR), Patch management, Backup and Recovery, Data Isolation (VLANS), access restrictions, Data Loss Protection (DLP). EDR, will protect Data from outside threats that have successfully penetrated the network by isolating hackers in the network before further data theft can occur. Data Loss Protection (DLP) program identifies access, movement, identify theft, administrator error, or leaks to outside sources via the use public email providers, i.e., aol.com, Gmail, etc. Further, internal access restrictions, can help restrict unauthorized employees from accessing, altering, stealing, or utilizing PII or tax-identity related information. Finally, as per NIST standard recommendations, Data Isolation through the use of VLAN’s will ensure organizational data “lives” in an isolated portion of the network and remains off limits for unauthorized employees or hackers.

While there are numerous ways to improve network security and the protection of Organizational IT-Infrastructure, the first step is the proper identification of PII or Tax-identity related information and the liability associated with the storage of data. Organizations need to establish if existing staff is capable of handling a data security program or whether outside resources are required for the design and operation of a data security program. Third-party providers can help organizations understand the organizational liability related to Tax information and the risk for PII loss or theft.

As highlighted in this article Tax or PII theft is a complex subject, which require a high level of expertise in safeguarding and defending. Laws safeguarding the protection and liability related to PII are an ever evolving matter, and subject to increasingly stringent national and international regulations. Small, Medium, and large businesses handling tax-related information without adequate protection are not able to escape liability for violating cyber-law by being unaware of regulatory requirements.

>> Return to the Latest News and Blog index page >>

Want to continue to get all the insider oil and gas news? Become a PIOGA member and you’ll get access to The PIOGA Press monthly newsletter, the PIOGA eWeekly e-newsletter and many other member benefits. Click here to learn more and join today!