Everyone knows that hacking is a huge problem that typically results in the theft of large amounts of confidential information. But they don’t know a major cause of the problem: many organizations use only software-based procedures instead of more effective hardware, software, and safe rooms.

Accountants, auditors, attorneys, and other trusted professionals maintain a treasure trove of confidential client data that is increasingly vulnerable to hackers. The risk of hacking has become even greater with the number of employees who now work remotely. Unauthorized extraction of client data can be devastating to both a CPA firm and its clients. Professionals need to act now to meet this increased risk by addressing the root causes of the problem.


Looking for Solutions

Anonymizing information.

A common use of anonymized identification is the substitution of hacker-desired personally identifiable information with data center placeholder information. For example, individuals’ names that are used in the data center can be substituted with account numbers that are derived from their zip codes, first names, and participation dates. The successful hack of an anonymized account, often created in a safe room or portable safe room, may lead at most to the theft of information associated with one specific account.

Encrypted identification is camouflaged information. The actual information is in the data center, but some form of substitution (camouflage) is employed. A successful hack of one encrypted account typically reveals the substitution method used, which can then be used to attack all of the remaining accounts.

Safe rooms.

These facilities are an especially important part of a modern overall security strategy. Such rooms frequently include a data processing center that has no Wi-Fi or Internet access. Safe rooms are copper shielded. They are ideally hidden, physically guarded rooms that comprehensively protect documents by blocking radio waves, mobile telephones, portable computers, and the Internet. A safe room should have at least one private, single-person viewing area that locks automatically on entry. Other safe room features can include the following:

  • Strict viewing access controls should be introduced. For example, individuals who are identified with a specific fingerprint should be allowed only a one-time deanonymization and viewing of a specific document.
  • For each category of documents, there should be: 1) a list of eligible viewers; 2) a time limit per document view, typically not exceeding 40 minutes; and 3) a maximum number of views allowed, perhaps one per viewer.
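
The viewing rules in the two items above can be enforced in software at the viewing station. The sketch below is an added example, not code from the authors; the class names, the fingerprint IDs, the category name, and the choice to count views per viewer per document are all assumptions.

```python
from dataclasses import dataclass, field

MAX_VIEW_MINUTES = 40  # ceiling per document view suggested in the text


@dataclass
class CategoryPolicy:
    eligible_viewers: set           # hypothetical fingerprint-template IDs
    minutes_per_view: int = 40
    max_views_per_viewer: int = 1   # "perhaps one per viewer"

    def __post_init__(self):
        if not 0 < self.minutes_per_view <= MAX_VIEW_MINUTES:
            raise ValueError("view time limit must be 1..40 minutes")


@dataclass
class ViewingDesk:
    policies: dict                              # category -> CategoryPolicy
    views: dict = field(default_factory=dict)   # (viewer, doc) -> views used
    audit: list = field(default_factory=list)   # every decision is recorded

    def request_view(self, viewer_id, category, doc_id, now_min):
        """Return the minute at which the view must end, or None if denied."""
        policy = self.policies.get(category)
        key = (viewer_id, doc_id)
        if policy is None:
            reason = "unknown category"
        elif viewer_id not in policy.eligible_viewers:
            reason = "viewer not on eligible list"
        elif self.views.get(key, 0) >= policy.max_views_per_viewer:
            reason = "view allowance used up"
        else:
            self.views[key] = self.views.get(key, 0) + 1
            self.audit.append((now_min, viewer_id, doc_id, "granted"))
            return now_min + policy.minutes_per_view
        self.audit.append((now_min, viewer_id, doc_id, "denied: " + reason))
        return None


if __name__ == "__main__":
    # Constructed sample: one category, one eligible fingerprint, 30-minute views.
    desk = ViewingDesk({"tax-returns": CategoryPolicy({"fp-001"}, 30)})
    print(desk.request_view("fp-001", "tax-returns", "doc-7", 600))  # granted
    print(desk.request_view("fp-001", "tax-returns", "doc-7", 700))  # denied
```

The audit list records denials as well as grants, so repeated attempts by an ineligible viewer are visible afterwards.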

The safe room and anonymized information safeguards are linked. Safe rooms are used to create anonymized accounts. In a safe room, one can anonymize an individual’s name and Social Security number with a newly created account number. Reprogramming can often be avoided by testing to find a pattern that is compatible with the software currently in use. Ideally, only anonymized information is transmitted to outside software systems to maintain and update the entity’s human resources, payroll, finance, marketing, sales, and client financial databases.
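
The account-number substitution described under "Anonymizing information" and the safe-room workflow in the paragraph above can be pictured as follows. This is an added example, not the authors' implementation: the keyed HMAC derivation, the account-number format, the field names, and the choice of which fields count as identifying are assumptions.

```python
import hashlib
import hmac
import secrets

# Fields treated as identifying and withheld from outside systems (assumption).
IDENTIFYING = {"name", "first_name", "ssn", "zip", "participation_date"}


class SafeRoomVault:
    """Runs only inside the safe room; holds the key and the lookup table."""

    def __init__(self, key=None):
        self._key = key or secrets.token_bytes(32)  # never leaves the room
        self._table = {}                            # account number -> identity

    def account_number(self, zip_code, first_name, participation_date):
        # Keyed derivation (assumption): the three inputs alone, without the
        # key, are not enough to recompute an account number.
        msg = "|".join([zip_code, first_name.strip().lower(), participation_date])
        digest = hmac.new(self._key, msg.encode(), hashlib.sha256).digest()
        return "AC" + str(int.from_bytes(digest[:8], "big") % 10**12).zfill(12)

    def anonymize(self, record):
        """Store the identity in the room; return the copy safe to send out."""
        acct = self.account_number(record["zip"], record["first_name"],
                                   record["participation_date"])
        identity = {"name": record["name"], "ssn": record["ssn"]}
        if self._table.setdefault(acct, identity) != identity:
            raise ValueError("account number collision; assign manually")
        outbound = {k: v for k, v in record.items() if k not in IDENTIFYING}
        outbound["account"] = acct
        return outbound

    def deanonymize(self, acct):
        """Only callable where the table lives, i.e. inside the safe room."""
        return self._table[acct]


# Constructed sample record, not real data.
SAMPLE = {"name": "Pat Example", "first_name": "Pat", "ssn": "000-00-0000",
          "zip": "00000", "participation_date": "2020-01-15", "balance": 1250}

if __name__ == "__main__":
    vault = SafeRoomVault()
    print(vault.anonymize(SAMPLE))  # only the account number and balance leave
```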

Safe rooms can also be used to safely add new clients, update current client information, and prepare invoices. Invoices and other notifications can then be emailed to the clients from an outbound room.

Outbound rooms.

Outbound rooms are another important component of an effective security strategy. These facilities are copper lined and almost identical to safe rooms; unlike safe rooms, however, they have an outbound-only connection. Computers in an outbound room can send but not receive information. Once information is sent, the sending computer is erased.

Getting Ahead of Hackers

Frustrating ransom attacks.

Ransom attacks attempt to steal information and freeze computer processing. There is no reason, however, for a business to pay a ransom if the stolen information is either anonymized or duplicated in the safe room. Given their restricted access, safe rooms are the best places to store updated account and transaction files that could later be used to frustrate attempted ransomware hacking.

Detecting hacks.

Safe processing rooms afford another advantage. They have no electronic computer input or output capabilities. Therefore, they are an excellent place to detect and verify new procedures and email addresses.

Access and processing.

At a minimum, computer-based biometric validation should be required to enter a safe room or an outbound room. The use of carefully timed critical computer programs within these rooms ought to require biometric validation.


To be valid, transactions should be anonymized in a safe room, processed in its data center, deanonymized in the safe room, and mailed or emailed from an outbound room.

CPAs, attorneys, auditors, and other trusted professionals need to take steps now to ensure the integrity of client data and maintain control over their internal operating systems. With threats continuing to increase, leading-edge firms will take the necessary steps to ensure their data is protected with a focus on long-term sustainable growth. The time for half-measures is over; today, it is imperative that businesses move beyond the still popular, albeit inadequate, procedures that have failed abysmally to prevent hacking.

Michael Cherry is the president and chief technology officer of Cherry Biometrics, Falls Church, Va.
Edward J. Imwinkelried, JD is a retired professor of law at the University of California, Davis.
Elven Riley is a professor of finance at the Stillman School of Business, Seton Hall University, South Orange, N.J.
Jules Epstein, JD is a professor of law and director of advocacy programs at the Beasley School of Law, Temple University, Philadelphia, Pa.
Jack King, JD is a criminal defense lawyer admitted to the bar in Washington, D.C.