Accounting firms must take steps to protect client data
Accountants and accounting firms are at increasing risk of cyberattacks. Just earlier this year, two small accounting firms in Massachusetts reported being hacked, resulting in the theft of more than 6,000 clients’ data. Why do hackers target accounting firms, especially smaller ones? The client information that these firms have includes names, social security numbers, birthdates, bank and brokerage account information, and other data that is extremely valuable to hackers, who sell the data to others who may use it to file false tax returns, for identity theft, and other fraudulent purposes.
Smaller firms are generally easier targets, as they may not be aware of what they must do to protect client data, or may not have invested the resources to do so. Many breaches are the result of unintentional actions by employees, such as opening attachments to emails from unknown senders, but some are intentional, taken by employees tempted to exploit the valuable data at their fingertips. It is important to address both internal and external threats. I recently had the opportunity to present on this topic at a continuing education seminar for CPA’s here in Denver.
In this blog post I’d like to provide a brief overview of the main legal requirements regarding cybersecurity that apply to accountants, specifically those who prepare tax filings. Most accountants have heard of the Financial Services Modernization Act of 1999, better known as the Gramm-Leach-Bliley Act (GLBA), and assume that it only applies to banks and other financial institutions. However, GLBA also applies to tax preparers, so any accountants or accounting firms that prepare tax filings are also covered by the act. The Federal Trade Commission, or FTC, enforces GLBA, and issued the GLBA Safeguards Rule to set out what is required to safeguard client data. Penalties for noncompliance include fines of up to $100,000 for an organization and up to $10,000 for individuals, and prison time for criminal violations.
The Safeguards Rule requires anyone covered by GLBA (including accountants) to develop a written information security plan setting forth their program to protect client information. As part of the plan, firms must:
- designate one or more employees to coordinate its information security program;
- identify and assess the risks to customer information in each relevant area of the company’s operation, and evaluate the effectiveness of the current safeguards for controlling these risks;
- design and implement a safeguards program, and regularly monitor and test it;
- select service providers that can maintain appropriate safeguards, make sure your contract requires them to maintain safeguards, and oversee their handling of customer information; and
- evaluate and adjust the program in light of relevant circumstances, including changes in the firm’s business or operations, or the results of security testing and monitoring.
The FTC acknowledges that these requirements are flexible and may vary based on the size and complexity of the firm, the scope of its activities, and the sensitivity of the data it handles. In any case, the written plan must comply with these basic requirements.
A written security plan may include specific measures such as:
- requiring background checks of employees who will have access to client information
- restricting access to client data to only those employees with a business need to see such data
- good password practices, including use of “strong” passwords (not “password” or “123456”) that are periodically changed
- policies and procedures for protecting data in the office and when data is being transmitted
- policies for safe use of mobile devices such as laptops, tablets, and smartphones
- training for all personnel on good cybersecurity practices, and repeating training periodically to help everyone become good cyber-citizens
- implementing recommended IT fixes, including software updates, firewalls, virtual private networks for remote access, real-time backup, and encryption of data
- an incident response plan to follow in the event of a breach
This list is not exhaustive by any means, but these and other measures should be part of an overall information security plan which you should review and update periodically, as risks and vulnerabilities change; unfortunately, the hackers are always a step or two ahead of the good guys.
In addition, CPA’s have ethical obligations under the AICPA Code of Professional Conduct, and their state licensing boards’ professional rules, to safeguard the confidentiality of client information. Failing to take reasonable measures to do so can result in sanctions by the licensing authorities, up to and including loss of license to practice as a CPA.
In a future post I will talk some more about what accountants can do to protect their clients’ privacy. If you have questions about how to put a written information security plan and practices in place, please give me a call at 720-575-0440 or email me at mark@spitzlegalcounsel.com.