Small Businesses Face SSN, Cloud and Home-Device Risks
Using personal SSNs on W-9s, storing business files in personal cloud accounts, and sharing work devices at home can expose small businesses to identity theft and data breaches.
Small businesses in the United States face increased risk of identity theft and data exposure when owners use personal Social Security numbers on tax forms, keep business files in consumer cloud accounts, and share logged-in devices at home.
The Internal Revenue Service allows sole proprietors and owner-employees to use a Social Security number as a Federal Tax Identification Number. The W-9 form, which businesses collect from contractors and vendors paid $600 or more, requests a name, address and tax ID. The W-9 is retained for later filings rather than sent to the IRS at the time it is collected, and copies of that form can be stored by multiple outside parties. Each additional copy that contains a Social Security number increases the chance of exposure through a data breach, a misdirected email or weak recordkeeping. After about a year of operations, an owner’s Social Security number may be held in the inboxes, cloud drives and filing systems of a dozen or more external contacts.
Fraudsters with a business owner’s Social Security number and basic company details can attempt to open credit in the business’s name, file fraudulent tax returns that claim business income, or impersonate the business to defraud clients. An Employer Identification Number is available from the IRS at no cost; using an EIN on W-9s, 1099s and other business paperwork separates the business tax identity from the owner’s personal Social Security number and reduces how often the SSN appears on external documents.
Consumer cloud storage services that automatically back up phones and computers can capture scanned contracts, invoices, client intake forms, tax returns and photos of signed paperwork. Those files may be accessible through family-shared accounts or any device linked to the same consumer cloud service. Shared access raises the number of people who can view business records and increases the chance of accidental exposure or loss if one of those accounts is compromised.
Business owners can limit exposure by reviewing backup and sync settings on phones and computers and moving sensitive business files to a dedicated business storage account that supports controlled access and audit logs. When business files remain in consumer cloud accounts, using a unique strong password and multi-factor authentication reduces the likelihood that an outside party can access those files.
Phones, tablets and laptops that move between household members and rooms can expose logged-in business apps and documents. A device used by someone else can lead to accidental deletion, unintended purchases or malware infection after a single click on a malicious link. Requiring device passcodes or biometric locks, enabling multi-factor authentication for key business accounts and running up-to-date antimalware and endpoint protection on devices used for work limits routes through which data can be accessed or compromised.
Replacing personal SSNs on business forms with an EIN, separating business files from personal cloud backups and securing devices used for work reduces the number of places where Social Security numbers and client data are stored.
