Equifax Hack: Will Unclaimed Property Auditors be Next?

Daily Tax Report: State provides authoritative coverage of state and local tax developments across the 50 U.S. states and the District of Columbia, tracking legislative and regulatory updates,...

By Leslie A. Pappas

Unclaimed property audits may be emerging as a new cybersecurity risk as audit firms seek new ways to help states recover abandoned property, attorneys say.

“If you can have an Equifax breach, you know you could have a Kelmar breach,” said Mary Jane Wilson-Bilik, a partner at Eversheds Sutherland (US) LLP in Washington, in a webinar presentation on unclaimed property Sept. 19. The recent computer breach at Atlanta-based credit reporting agency Equifax Inc. may have compromised social security numbers, birth dates, and other personal information for up to 143 million people.

However, contingency audit firms such as Kelmar Associates LLC and Verus Financial LLC, which states hire to mine company records for unclaimed property the state can recoup, say they’ve never had a breach and have stringent data security protocols in place.

Yet as states rely ever more heavily on unclaimed property to pad thin budgets, and the race to claim unclaimed property heats up, auditors are asking for increasing amounts of data from more companies—creating a treasure trove of data to tap, attorneys told Bloomberg BNA. And it’s less clear whether the states themselves have adequate security controls in place to protect the data they amass from unclaimed property audits, according to Ethan Millar, a partner in unclaimed property and state and local tax in Alston & Bird LLP’s Los Angeles office.

“The risk that the state could be hacked is pretty substantial,” Millar told Bloomberg BNA Sept. 20. While he has never heard of a hack involving an unclaimed property audit, “I think it’s largely a result of hackers not really realizing that there’s this treasure trove of information out there. Once they realize it’s there, I don’t know if it’s all that well protected,” he said. “My fear is that as things currently stand, a lot of this data is not all that safe right now.”

$58B ‘Manna’

States hold about $58 billion in unclaimed property, less than 10 percent of which is ever remitted, Phillip E. Stano, a partner at Eversheds Sutherland (US) LLP, said during the same webcast.

As a revenue source that requires no taxation, approval from the legislature, or buy-in from special interest groups, unclaimed property “constitutes a perpetual interest-free loan that the states never have to repay, except in about 9 or 10 percent of the cases,” Stano said. “Manna from heaven.”

Only a “handful” of audit firms conduct unclaimed property audits for the states, meaning that a small number of firms each hold “massive amounts of data” from hundreds of businesses, Millar explained.

To find more unclaimed property, auditors are becoming more intent on obtaining large quantities of personal identifiable information, most recently in audits of the financial services and healthcare sectors, according to Michael M. Giovannini, a senior associate in tax and unclaimed property in Alston & Bird’s Charlotte, N.C., office.

Such personal data is useful because it can be cross-referenced with other database research to determine whether the owner of the property is deceased, Giovannini told Bloomberg BNA Sept. 20.

Auditors: All Safe

Two of the nation’s top unclaimed property auditors told Bloomberg BNA they have tight data security controls in place.

Wakefield, Mass.-based Kelmar Associates, which does audits for about 35 states, has never had a data breach in its 16 year history, said David Kennedy, the firm’s general counsel.

“We take data security extremely seriously,” Kennedy told Bloomberg BNA Sept. 20. “I would say we take it as seriously if not more seriously than any company that we audit.”

Waterbury, Conn.-based Verus Financial, which has recovered more than $7 billion for 48 states over the past decade, has “appropriate security controls in place that exceed both our contractual obligations and applicable industry standards,” Caroline Marshall, the firm’s general counsel and chief operating officer, told Bloomberg BNA in an email Sept. 20. The company undergoes multiple audits of data security controls each year and has never had a security breach, she said.

Safeguarding Data

Attorneys advised that companies under audit take care to protect data early on in the process.

When turning over data files to auditors, businesses need to make sure they avoid inadvertent release of sensitive data, said Matthew Adams, a partner in the litigation department at Fox Rothschild LLP, who focuses much of his practice on digital privacy and cybersecurity.

For example, a company working with a third party to do payroll may not know everything that is in the data file or how to fully redact the data. “Businesses have to be mindful of the way that they redact personal identifiable information in an effort to comply with these types of audits,” he said.

Companies under scrutiny should examine their data early in the audit process to see if federal laws that protect data, such as HIPAA (Health Insurance Portability and Accountability Act of 1996), might allow them to redact it or not turn it over, Giovannini suggested.

Companies should also involve information security and data experts at the beginning of audits when nondisclosure agreements are being worked out. “It’s important that experts get involved to vet the auditor,” he said.

To contact the reporter on this story: Leslie A. Pappas in Philadelphia at LPappas@bna.com

To contact the editor responsible for this story: Jennifer McLoughlin at jmcloughlin@bna.com

Copyright © 2017 Tax Management Inc. All Rights Reserved.

Request Daily Tax Report: State