Filing Deadline Extended, Questions Remain

The Canada Revenue Agency (CRA) has announced a May 5 tax filing deadline extension and an arrest has been made in the "Heartbleed Bug" matter.

Also note that unincorporated small businesses will avoid late filing penalties by filing before midnight of June 16, because the usual deadline, June 15, falls on a Sunday, and T1135 form filers (Foreign Income Verification) must file by July 31.

But now, more questions arise on security of financial information in cyberspace: what confidential and personal information has been compromised in the two year period in which the error persisted, who has seen it and used it, and what is the best advice professionals can give their clients in the matter?

CRA notified lead security agencies of a malicious breach of taxpayer data that occurred over a six-hour period and closed down their website to allow authorities to make an arrest in the matter. It was learned that Social Insurance Numbers (SIN) of approximately 900 taxpayers were removed from CRA systems over a 6 hour window. Surprisingly, CRA has not required passwords for logins to be changed, which is somewhat eyebrow-raising, because the compromised information can still be used. CRA has pledged to provide credit protection services at no cost to alert compromised taxpayers of unusual activity. It will also apply additional protection to your CRA accounts to prevent any unauthorized activity. 

A SIN number alone is relatively harmless, but when you can link this to a name and birthdate, you can find out whatever CRA knows about you – everything from your filing history to where your investments are – and you can EFILE, thereby making it possible to assume a taxpayer’s identity to change and file tax returns and redirect refunds. Any unauthorized access to SINs, therefore, is potentially a huge problem for those affected.

In the end, you need to know more about your money than potential thieves do and it is your responsibility in most financial investment, banking and credit card accounts to report discrepancies within 30 days. Clients should be counselled to keep their SINs, and all logon data secret, change logon information frequently – quarterly or semi-annually – and check their financial information weekly. This matter will be discussed in more detail at the May Audit Defence workshops starting May 21 in Winnipeg, May 22 in Calgary, May 23 in Vancouver, May 26 in Toronto and June 3 in Halifax. Participants will share views and expertise in better documenting client experiences to mitigate risk with CRA and other legal authorities.

Click here for full Audit Defence workshop agenda.