For New Jersey business owners, the series of hurricanes that recently struck Texas, Florida and other locations may have stirred painful memories of Superstorm Sandy, which rocked the Garden State in 2012.
If personal, income‐producing or business property is impaired or destroyed during a disaster, taxpayers may be able to claim a casualty loss deduction on their tax return, generally as an itemized deduction on Form 1040, Schedule A for individuals , and on Section B of Form 4684, Casualties and Thefts, for business or income-producing property.
But what if the books and records you need to compute and document your losses—not to mention carrying on your business post-disaster—get lost in the flooding, fire or other conditions that can accompany a disaster? Without the proper safeguards in place, a business owner could be in a costly Catch-22 situation.
“Some small businesses may have lot of paper-based documents that are at risk of exposure to fire and flood, yet they don’t have much in the way of backup copies,” warned Henry Rinder, senior forensic partner at the Fairfield-based CPA firm Smolin Lupin. “Most strategic plans incorporate some kind of offsite storage of critical, relevant documents and records. So if a fire, flood or another disaster occurs—like the time that Sandy slammed into New Jersey—and your records are destroyed, you will still be able to recover your vital data with offsite recordkeeping.”
Common digital hacker threats can include phishing, where a hacker tries to fool people into revealing passwords and other sensitive information; and ransomware, where a hacker hijacks all or part of your records, and threatens that they won’t be released unless you make a payoff, typically in untraceable Bitcoin.
This summer, Merck, the Kenilworth-based pharmaceutical giant, was hit by a ransomware attack, likely part of a global outbreak. Last year, the Chatham-based New Jersey Spine Center was also attacked, and “elected to pay the ransom to gain access to the records,” according to a company document.
“Fortunately there are security provisions that can reduce the risk of an external threat,” said Rinder. “A checklist of countermeasures would typically start with your external firewall, a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.”
For example, if you only do business in the U.S., you can block access from Russia, China, North Korea and other countries that are known for hacking threats, he said.
“You should also have robust virus scanning software in place that’s regularly updated. These and other measures should be periodically checked by a security-trained IT professional to be sure they’re effective.”
But no security system can keep a hacker out if an employee opens a digital door.
“Train your employees about safe surfing, combined with strategy and tactics to keep employees off high-risk sites,” Rinder said.
He added that his firm has locked out access to Facebook, Amazon, and other websites that are popular but pose hacking risks.
“We also have training companies send phishing emails to our employees so we can identify individuals that will open suspicious messages. Then we talk to them and provide more training so they’ll be more cautious in the future. The idea is to reduce risk, because all it takes a click to expose your entire system,” said Rinder.
In New Jersey, professional document service providers like Iron Mountain Inc. offer storage and protection of information assets like critical paper business documents as well as electronic and other information.
“If you transfer your records to the digital space, storage can be a lot easier,” added Rinder. “This way you can easily transfer data to an offsite cloud-based ‘storage facility’ like Google Drive, often in real time. Of course, when you’re talking digital, it’s important to protect your documents—as well as your entire network—from hackers.” October is National Cyber Security Awareness Month, he said, which is an annual campaign to raise awareness about the importance of cybersecurity, like being up to date with your antivirus software.
But putting backup and other security plans in place is only one step, Rinder said.
“Every business, regardless of its size, should have a strategic plan in place that’s communicated to all the employees,” he said. “Document the steps in your disaster recovery plan, and establish a chain of command in case of a disaster, like flooding or power outages. How will people communicate if phone lines are down, or if access to your office is blocked? Then test your plans, and run ‘fire drills’ with all of your staff to ensure that everyone understands what to do, and that the plan is effective.”
Cipolla & Co., a Franklin Lakes-based full-service CPA and financial services firm, has back up generators that can power computers, lights and heat in an emergency, said Joseph Cipolla, the managing director. “We outsourced our record retention to a cloud-based provider, and everyone has a laptop and takes them off premises each night. Employees also have cell phones with their own ‘hot spot’ so they can work remotely regardless of where they’re located.”
When it comes to tax planning for a disaster, business owners may find that preparing for disasters is the biggest takeaway.