Data breaches are constantly in the news. Last year, Marriott, Quora and Dunkin' Donuts all made headlines for privacy breaches – and that’s just to name a few. With breaches happening all the time, it’s easy to feel overwhelmed. But it’s more important than ever to focus on data protection. In honor of Data Privacy Day, here are three ways to protect your clients’ data during tax season and all year long.
Develop an incident response plan
Is your firm ready for a cyberattack? In today’s world, it’s not about if you will experience an attack, but when. Having a prepared incident response plan means you and your staff know what to do as soon as you realize an attack happened. You’ll be able to respond faster and more efficiently. Your response plan will delegate responsibilities, detail how you will notify your clients and help mitigate any reputation damage to your firm.
Make sure your cybersecurity efforts are working
Once you develop plans and procedures, you want to make sure they are achieving your goals. Your clients want to know that you are protecting their information, regulators want to know if you are complying with data protection laws and your senior management wants to understand all the firm’s cybersecurity efforts.
To help communicate to these and other stakeholders, the AICPA developed a cybersecurity risk management reporting framework. You can use it to analyze your own efforts, or – if you perform advisory and assurance services in this area – you can use it to help your clients evaluate and report on theirs. Not only will this help you understand if your internal controls are effective, but it will build trust and transparency with your customers and leadership.
Be aware of changing laws and regulations
Part of protecting your clients’ data is complying with all relevant laws and regulations. And these change all the time – on state, federal and international levels.
In the United States, state legislatures across the country consider data breach laws every year. These bills change when you must notify clients about a breach, how you notify them and when you notify government authorities. For example, in 2018, the New York State Assembly considered a bill that expanded data breach notification requirements to any entity that stores a New York resident’s private information. That would mean out-of-state firms with clients in New York would be subject to these rules. While the bill did not pass last year, these types of proposals are already cropping up all over the country. So far, 16 states have introduced cybersecurity legislation in 2019.
On an international level, your firm may now be subject to the European Union’s General Data Protection Regulation. If you or your clients deal with personal data of any person in the EU, the way you store data might need significant changes.
Today is Data Privacy Day, but protecting your clients’ information is an everyday task. Data breaches aren’t going anywhere, and it’s essential to stay on top of cybersecurity to keep your firm and your clients safe.