Security and Privacy 

    Security and Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information. Security and Privacy is a risk management issue for all organizations, and many are looking to CPA firms for solutions.

    CPAs are adept at performing comprehensive risk assessments for businesses and developing risk management solutions that can give companies competitive marketplace advantages.

    Security and Privacy is included in these risk assessments, and CPAs measure the company's privacy policies against a common framework of best practices. CPAs can provide guidance to the organizations they serve by using the Generally Accepted Privacy Principles (GAPP) to assess their privacy-related risks and to develop sound privacy policies and practices.

    Visit the Privacy Resources page for additional information.

    Visit the Privacy Services page for additional information.


    Generally Accepted Privacy Principles

    The AICPA and CPA Canada have formed the AICPA/CPA Canada Privacy Task Force, which has developed the Generally Accepted Privacy Principles (GAPP). This document supersedes the AICPA and CPA Canada Privacy Framework. Using GAPP, CPAs can help organizations design and implement sound privacy practices and policies. The principles and criteria were developed and updated by volunteers who considered both current international privacy regulatory requirements and best practices, and were issued following the due process procedures of both institutes, which included exposure for public comment. Adoption of these principles and criteria is voluntary.

    Download the Principles and Criteria table to start using GAPP.

    Visit the GAPP page for additional information.

    Cyber Security

    Cybersecurity is the process of applying security measures to ensure the confidentiality, integrity, and availability of data. It aims to protect assets, which include data, desktops, servers, buildings, and, most importantly, people. The goal of cybersecurity is to protect data both in transit and at rest.

    Countermeasures can be put in place to increase the security of data. These measures include, but are not limited to, access control, awareness training, audit and accountability, risk assessment, penetration testing, vulnerability management, and security assessment and authorization.

     Visit the Cyber Security page for more information.

    Cloud Computing

    With the growing trend for companies to outsource, cloud computing has increasingly become a solution for organizations. It is an innovative and increasingly popular model of software deployment that offers enterprise-class software functionality without the traditional up-front infrastructure costs or the unpredictable support and maintenance costs of on-site software and hardware.


    Visit the Cloud Computing Tools and references page for more information.

    Tools and Resources

    Privacy Principles Scoreboard
    The AICPA Privacy Principles Scoreboard tool is designed to help organizations and the CPAs that serve them reach a new level of best practice in the assessment and management of privacy.

    Identity Theft Resources
    Identity theft and identity fraud refer to all types of crime in which someone wrongfully obtains and uses another person's personal data in a way that involves fraud or deception, typically for economic gain.

    FTC Identity Theft Resources for Businesses
    The Federal Trade Commission (FTC) has compiled resources to help organizations secure the personal information they collect and prevent identity theft.


    The Privacy Act of 1974 prohibits federal government agencies from disclosing records about an individual without that individual's consent, except in certain circumstances such as law enforcement purposes, census activities, and circumstances necessary for the government to conduct its business. The Act applies to federal government agencies, as well as to businesses that are contractors for a federal government agency and that collect, maintain, process, or transmit such records on its behalf.

    Copyright © 2006-2015 American Institute of CPAs.