By: Diane Ring
Today, the Guardian is reporting that big-four accounting firm Deloitte suffered a hack back in March, 2017. The underlying attack may have originated in the fall of 2016 and may have allowed access to Deloitte systems for several months.
Deloitte itself is not unfamiliar with cybersecurity. As stated on its website, among the services that Deloitte offers clients is Cyber Risk. However, being a victim of a hack provides a new perspective. At this point, details are scarce on exactly which clients have been affected and what specific information may have been accessed, but it has been reported that “confidential emails and plans of some of its blue-chip clients” may have been compromised. This doesn’t sound good. But it is also no surprise.
Leaks and hacks can target a wide variety of data including business plans, mergers and acquisitions, scientific developments, business forecasts, individual identities, and government records. In recent years, tax-related information has proven especially attractive to leakers and hackers. As my co-author, Shu-Yi Oei and I explored in our recent article, Leak-Drive Law studying tax leaks that have occurred over the past 10 years, tax information can be valuable and their release by leakers can have powerful impacts. Moreover, as the tax community has embraced increased reporting and transparency to the government, the number of caches of well-organized data held by corporations, tax advisers and governments increases. Such caches may be magnets for those seeking to hack into it or leak it.
As we continue to move forward in this new world, what do we know?
- Varied threats. Leakers and hackers gather information through different means, ranging from computer hacks to data theft by employees. Moreover, their motivations vary. All of which suggests that entities holding data caches should take a comprehensive look at whether that data is secure.
- Varied uses. Data may be immediately disclosed to the public, may be provided to one or more governments privately, may be used to gain competitive business or market advantage, or may be used criminally (e.g., sold to facilitate identity theft). Importantly, just because data was stolen for one purposes does not mean that over time it will not make its way into other arenas. Technology has greatly enhanced the speed, ease and scope of information dissemination.
- Potential Downsides of Tax Transparency Trends. The global trend towards requiring taxpayers to be more transparent and provide tax authorities with more complete and integrated information (think the BEPS Country-by-Country Reporting requirement) was driven by the desire to ensure meaningful tax compliance and, if necessary, audit. An unintended side effect is the accumulation of such valuable organized data in discrete locations – a tempting target for hackers and leakers. This reality does not mean that these tax compliance mechanisms should be abandoned, but it does make one wonder whether the march towards tax transparency may have underestimated the potential side effects of transparency initiatives.
- It Can Cut Both Ways. Leaks and hacks can cut both ways. As Shuyi and I noted in our paper, leaks of tax data have thus far been regarded as information windfalls for enforcement-minded governments. But the growing variety of recent leaks and hacks (Verizon, Equifax, White House leaks) suggests that it’s possible that other types of data (including government data) may be accessed as well. One cannot embrace leak-driven enforcement without being attuned to the risks that cut the other way.