Protecting Employee Data During Tax Season

Whether it’s an insurance application, a W-4 form, or a photocopy of a driver’s license, your employees’ sensitive information needs to be protected, especially during this extended tax season as scams and refund theft increase. While the IRS has made efforts to improve identity verification, scammers only need a few crucial pieces of data to file a fraudulent tax return and claim a refund.

As an employer, it’s your responsibility to make sure that documents are stored securely and disposed of properly. If not, you could be faced with hefty fines from state and federal agencies. To ensure that personal information is safe from prying eyes, use these tips to create and implement a company-wide plan:

Practice Security Procedures

To keep your employees’ information protected, your company will need to develop and enforce security policies. These guidelines will dictate which information is deemed sensitive and how that data will be protected. Having these policies in place will also help determine which employees need access to what information. For example, sales managers should have the authorization to view performance goals while HR managers should have access to tax paperwork.

No matter what form the information is in, it should be stored safely. For paper records, ensure documents are kept in a locked location, like a secure room or fire-safe filing cabinet. Store digital records on a private server with password protection and data encryption. If your technology is more than a few years old, have it evaluated to confirm that it can protect and store information without being susceptible to viruses or bugs.

To limit access, delegate the responsibility of managing private records to only a few individuals. This system not only controls who sees personal information, but also allows for easier office surveillance. If there are any situations where unauthorized individuals view protected information, an investigation needs to be launched promptly to determine why and where there was a breach in security. Once a cause is determined, use it as a learning experience and update your security policy to eliminate any flaws in the procedure.

Provide Training to Staff

With your company’s security policies in place, your staff will need to be trained on your new procedures. This education should also focus on general best practices for protecting private information. Use this time to remind employees about updating passwords regularly, not responding to phishing or spam emails, and avoiding the use of their Social Security numbers or bank account information whenever possible. While this might seem like obvious information, it’s beneficial to educate employees on these preventative measures.

At the beginning of each year, your HR department should distribute W-2s in a secure and timely manner. Make sure employees pick up their forms in person and ask HR staff to double-check that their mailing addresses are accurate. If possible, you can even offer employees the opportunity to download their W-2s from an online portal. This option not only speeds up the distribution of W-2s, but also prevents the need to mail the forms to off-site employees.

To further prevent tax-time identity theft, employees should file their returns as soon as possible. This will prevent identity thieves from using a fraudulent tax return to claim a refund later in the season. Getting a refund directly deposited into a bank account can also help stop the theft of paper checks coming in the mail. For employees new to filing taxes, encourage them to use a financial service that reduces fees for their tax return. This will enable them to track the deposit of their tax refund instantly and not have to wait for a monthly bank statement. Electing to have a tax refund directly deposited can even speed up the payment process by a couple of weeks.

Follow Recordkeeping Laws

Since most recordkeeping laws differ from state to state, you will need to research what regulations your company is required to comply with. The Department of Labor, Occupational Safety and Health Administration (OSHA), and many other federal agencies require different records to be retained for varying amounts of time. As a general rule, employee records should be kept for at least seven years after termination. Any benefits or medical records need to be held six years after the start date of an employee’s health plan. Hiring records also need to be stored for at least two years after the date an employee is hired. Before you destroy any out-of-date documents, you will need to check with the appropriate state and federal agencies to confirm that the records are no longer required.

Once your records are approved for disposal, they will have to be destroyed appropriately. That means these documents will need to be shredded, burned, or pulverized. Whatever method you use, the records should be destroyed to the point of unreadability. If your company does not have the means to destroy records in-house, many third-party vendors can securely remove unneeded documents for off-site disposal.


The best way to stop identity theft is by preventing sensitive information from getting into the wrong hands. Since most cases of fraud start with a paper source, you can help protect your employees by implementing a data security policy. By keeping personal documents secured, educating your workforce, and using proper disposal methods, you can protect your employees’ information.
