CPA practice owners must keep a watchful eye on their businesses day and night. Because CPAs are entrusted with important and sensitive client information, they need to review their data security protections and document them in writing.
What is “Data Security”?
Data security is the process of safeguarding digital information from unauthorized access, corruption, or theft throughout its lifecycle. This concept encompasses every facet of information security, including physical security, file transmission, access controls, and software applications.
Effective data security must consider the sensitivity of the information and the corresponding regulatory compliance requirements. CPAs are required by federal law to have a written information security plan to protect client data. The Gramm-Leach-Bliley Act (GLBA) gives the Federal Trade Commission (FTC) the authority to set information safeguard protocols for various kinds of businesses that are "significantly engaged" in providing financial products or services. This, of course, includes professional tax preparers regardless of size, though firms with fewer than 5,000 individual accounts are exempt from certain requirements (e.g., the obligation to document written risk assessments, annual board reporting, certain monitoring and testing requirements, and a written incident response plan).
What is the Safeguards Rule?
The purpose of the Safeguards Rule is to ensure the protection of the privacy of non-public information through the creation, implementation, and maintenance of a sound security program. For CPAs, this nonpublic personal information is usually a client’s name, address, SSN, income, account information, and other similar financial information.
The rule requires companies to have a written information security plan describing the firm’s policies and procedures for safeguarding client information. The plan must be appropriate to the firm’s size, activities, and complexity, as well as to the sensitivity of the client information it collects.
The Safeguards Rule requires that a CPA firm’s security program have each of the following elements:
• An employee designated to coordinate the program;
• Identification of internal and external risks to the protection of client information;
• Regular testing and monitoring of the security program;
• Adapting the security program if testing and monitoring reveal inadequacies;
• Adjustment of the program to respond to changes in the business; and
• Significant oversight of service providers.
While CPA firms are exempt from the privacy notice requirement under the Financial Services Regulatory Relief Act of 2006, the AICPA recommends that CPAs maintain such a notice. The FTC provides a model privacy form that CPA firms may adopt to assist with compliance. When used, it provides a safe harbor against the civil penalties that may be levied in cases of breach. Posting it clearly on a firm’s website will be found to satisfy the notice requirement.
Why is Data Security So Important?
Failure to adopt adequate safeguards for security systems, and failure to oversee the security practices of service providers, may result in an enforcement action by the FTC. The GLBA carries penalties of up to $100,000 per violation, and firm officers and directors may be personally liable for up to $10,000. Additionally, criminal charges may be brought.
In addition, a New York business can also be liable under state law for inadequate safeguards, such as a violation of the SHIELD Act, which carries a civil penalty of the greater of $5,000 or up to $20 per instance of failed notification, up to a maximum of $250,000.
Ultimately, however, it is the clients’ perception of the CPA firm as a trusted advisor that is crucial to its business. Having protections against data loss, and avoiding the bad press and reputational harm that may accompany a breach, is vital to a CPA firm’s livelihood.
Francine E. Love is the Founder & Managing Attorney at LOVE LAW FIRM PLLC which dedicates its practice to serving entrepreneurs, start-ups and small businesses. The opinions expressed are those of the author. This article is for general information purposes and is not intended to be and should not be taken as legal advice.