Daily Tax Report: State provides authoritative coverage of state and local tax developments across the 50 U.S. states and the District of Columbia, tracking legislative and regulatory updates,...
Unclaimed property audits may be emerging as a new cybersecurity risk as audit firms seek new ways to help states recover abandoned property, attorneys say.
“If you can have an Equifax breach, you know you could have a Kelmar breach,” said Mary Jane Wilson-Bilik, a partner at Eversheds Sutherland (US) LLP in Washington, in a webinar presentation on unclaimed property Sept. 19. The recent computer breach at Atlanta-based credit reporting agency Equifax Inc. may have compromised social security numbers, birth dates, and other personal information for up to 143 million people.
However, contingency audit firms such as Kelmar Associates LLC and Verus Financial LLC, which states hire to mine company records for unclaimed property the state can recoup, say they’ve never had a breach and have stringent data security protocols in place.
Yet as states rely ever more heavily on unclaimed property to pad thin budgets, and the race to claim unclaimed property heats up, auditors are asking for increasing amounts of data from more companies—creating a treasure trove of data to tap, attorneys told Bloomberg BNA. And it’s less clear whether the states themselves have adequate security controls in place to protect the data they amass from unclaimed property audits, according to Ethan Millar, a partner in unclaimed property and state and local tax in Alston & Bird LLP’s Los Angeles office.
“The risk that the state could be hacked is pretty substantial,” Millar told Bloomberg BNA Sept. 20. While he has never heard of a hack involving an unclaimed property audit, “I think it’s largely a result of hackers not really realizing that there’s this treasure trove of information out there. Once they realize it’s there, I don’t know if it’s all that well protected,” he said. “My fear is that as things currently stand, a lot of this data is not all that safe right now.”
States hold about $58 billion in unclaimed property, less than 10 percent of which is ever remitted, Phillip E. Stano, a partner at Eversheds Sutherland (US) LLP, said during the same webcast.
As a revenue source that requires no taxation, approval from the legislature, or buy-in from special interest groups, unclaimed property “constitutes a perpetual interest-free loan that the states never have to repay, except in about 9 or 10 percent of the cases,” Stano said. “Manna from heaven.”
Only a “handful” of audit firms conduct unclaimed property audits for the states, meaning that a small number of firms each hold “massive amounts of data” from hundreds of businesses, Millar explained.
To find more unclaimed property, auditors are becoming more intent on obtaining large quantities of personal identifiable information, most recently in audits of the financial services and healthcare sectors, according to Michael M. Giovannini, a senior associate in tax and unclaimed property in Alston & Bird’s Charlotte, N.C., office.
Such personal data is useful because it can be cross-referenced with other database research to determine whether the owner of the property is deceased, Giovannini told Bloomberg BNA Sept. 20.
Two of the nation’s top unclaimed property auditors told Bloomberg BNA they have tight data security controls in place.
Wakefield, Mass.-based Kelmar Associates, which does audits for about 35 states, has never had a data breach in its 16 year history, said David Kennedy, the firm’s general counsel.
“We take data security extremely seriously,” Kennedy told Bloomberg BNA Sept. 20. “I would say we take it as seriously if not more seriously than any company that we audit.”
Waterbury, Conn.-based Verus Financial, which has recovered more than $7 billion for 48 states over the past decade, has “appropriate security controls in place that exceed both our contractual obligations and applicable industry standards,” Caroline Marshall, the firm’s general counsel and chief operating officer, told Bloomberg BNA in an email Sept. 20. The company undergoes multiple audits of data security controls each year and has never had a security breach, she said.
Attorneys advised that companies under audit take care to protect data early on in the process.
When turning over data files to auditors, businesses need to make sure they avoid inadvertent release of sensitive data, said Matthew Adams, a partner in the litigation department at Fox Rothschild LLP, who focuses much of his practice on digital privacy and cybersecurity.
For example, a company working with a third party to do payroll may not know everything that is in the data file or how to fully redact the data. “Businesses have to be mindful of the way that they redact personal identifiable information in an effort to comply with these types of audits,” he said.
Companies under scrutiny should examine their data early in the audit process to see if federal laws that protect data, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), might allow them to redact it or not turn it over, Giovannini suggested.
Companies should also involve information security and data experts at the beginning of audits when nondisclosure agreements are being worked out. “It’s important that experts get involved to vet the auditor,” he said.
To contact the reporter on this story: Leslie A. Pappas in Philadelphia at LPappas@bna.com
To contact the editor responsible for this story: Jennifer McLoughlin at firstname.lastname@example.org
Copyright © 2017 Tax Management Inc. All Rights Reserved.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to email@example.com.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to firstname.lastname@example.org.
Put me on standing order
Notify me when new releases are available (no standing order will be created)