When setting up clients in your Firm360 account, it's essential to follow best practices for data security and privacy. Using Social Security Numbers (SSNs) as client identifiers, though sometimes done for internal consistency or legacy system compatibility, introduces significant security risks and increases the likelihood of inadvertently exposing sensitive personal information.
This article explains the concerns around using SSNs as client IDs, our platform's stance on the issue, and the options available to your firm.
Why SSNs Should Not Be Used as Client IDs
SSNs are highly sensitive personal identifiers. When used as client IDs, they are exposed in multiple areas of the platform, including:
Invoices
Platform displays (ex: client list, reporting dashboards)
Exported reports and documents
Using SSNs in this way increases the risk of accidental disclosure or misuse. Additionally, IRS Publication 4557 and broader industry security standards advise against unnecessary collection or display of taxpayer identification numbers. If SSNs are exposed, even unintentionally, it could be seen as negligent data handling on the part of the accounting firm.
Platform Recommendation
We strongly recommend that firms avoid using SSNs as client IDs. Instead, we suggest:
A randomly generated alphanumeric ID
An internal account number unrelated to PII
A unique short name or code that is easily identifiable but not sensitive
Using a non-sensitive identifier keeps your firm aligned with data protection best practices and removes a common source of reputational risk: a client ID that appears on invoices and in reports should never be something a client would object to seeing printed.
If Your Firm Currently Uses SSNs as Client IDs:
We understand that changing existing client IDs may not be straightforward for all firms, particularly those with integrated systems or workflows that reference SSNs. If your firm is currently using SSNs as client IDs, you have two options:
1. Rename Client IDs
This is the most secure and recommended approach. Renaming client IDs to a non-sensitive identifier removes the SSN from every place the client ID is shown, printed, or exported, and aligns with best practices. If other systems reference the old IDs, keep a mapping from old to new IDs for the duration of the migration and store it with the same protection you would give the SSNs themselves.
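The following script is an added example (not a Firm360 tool) showing how a firm could audit a client-list export for SSN-shaped client IDs and generate non-sensitive replacements before renaming. It assumes a CSV export with a `client_id` column; the column name, the `C-` prefix, the ID length, and the sample rows are all assumptions for illustration. The detection pattern flags any 9-digit value, so a legitimate 9-digit internal account number will also be reported and should be reviewed by a person rather than renamed automatically.

```python
import csv
import io
import re
import secrets
import string

# Constructed sample export (not real client data). The SSN-shaped values
# are placeholders chosen to exercise both the dashed and undashed forms.
SAMPLE_EXPORT = """client_id,client_name
123-45-6789,Acme Bakery
987654321,Jane Doe
ACCT-00042,Smith Holdings
C-7Q2M9X,Delta Farms
"""

# Nine digits, optionally separated as NNN-NN-NNNN with dashes or spaces.
# This is deliberately broad: it catches undashed SSNs at the cost of
# also flagging any other 9-digit number, which a reviewer then excludes.
SSN_PATTERN = re.compile(r"^\s*\d{3}[- ]?\d{2}[- ]?\d{4}\s*$")

# Uppercase letters and digits only: easy to read aloud and to type on
# an invoice, and carrying no personal information.
ALPHABET = string.ascii_uppercase + string.digits


def looks_like_ssn(value: str) -> bool:
    """True if the client ID has the shape of a Social Security Number."""
    return bool(SSN_PATTERN.match(value))


def new_client_id(prefix: str = "C-", length: int = 8, existing=()) -> str:
    """Generate a random alphanumeric client ID that is not already in use.

    Client IDs are identifiers, not secrets, so the length is chosen for
    collision avoidance (36**8 possibilities), not for unguessability.
    secrets.choice is used so the IDs carry no ordering or creation-time
    information that a sequential counter would leak.
    """
    while True:
        candidate = prefix + "".join(secrets.choice(ALPHABET) for _ in range(length))
        if candidate not in existing:
            return candidate


def audit_and_remap(csv_text: str, id_field: str = "client_id"):
    """Return (rows with SSN-shaped IDs replaced, mapping old_id -> new_id).

    The mapping contains the original SSNs as keys, so it is itself
    sensitive: keep it only as long as integrated systems need it, and
    protect it like the SSNs themselves.
    """
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    taken = {row[id_field] for row in rows}
    mapping = {}
    for row in rows:
        old = row[id_field]
        if looks_like_ssn(old):
            new = new_client_id(existing=taken)
            taken.add(new)
            mapping[old] = new
            row[id_field] = new
    return rows, mapping


def rows_to_csv(rows, fieldnames=("client_id", "client_name")) -> str:
    """Serialise the remapped rows back to CSV for import into the platform."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=list(fieldnames), lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    remapped, mapping = audit_and_remap(SAMPLE_EXPORT)
    print(f"{len(mapping)} SSN-shaped client ID(s) found and replaced")
    print(rows_to_csv(remapped))
```

Run the audit against an export taken before any rename, review the flagged rows, then import the rewritten CSV (or apply the mapping through your usual client-edit workflow) and securely delete the mapping once every downstream system has been updated.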
2. Hide Client IDs in Settings
If renaming is not feasible, the platform can hide the client ID from appearing in invoices and most of the UI. This minimizes exposure, though it does not change the underlying data.
To perform this configuration, go to Settings under Admin in the ribbon on the left and toggle ON the Hide client Numbers setting.
Note: While hiding the client ID reduces visibility, the SSN still exists in your system and may be accessible in certain exports or integrations.
Compliance, Responsibility, and Liability
It is ultimately the responsibility of your firm to ensure that you are handling client data in accordance with relevant privacy laws and regulations.
We are not liable for any data exposure resulting from a firm's decision to use SSNs inappropriately.
Final Note
It is your responsibility to stay up to date on the latest regulations regarding data privacy. Strong data practices demonstrate your firm’s commitment to professionalism and responsible risk management. While our platform offers the flexibility to accommodate your needs, we encourage every user to adhere to industry standards and take appropriate steps to protect their clients' sensitive information.