CPA cyber obligations and breach response
Professional Insights

1 year ago · 4 min read

Through the normal course of running a firm, CPAs accumulate significant amounts of confidential client data, including a considerable amount of personally identifiable information (PII), which they have a fiduciary responsibility to protect. In addition to firms being targeted by hackers for ransomware attacks, stolen client information is a lucrative treasure trove for cybercriminals to monetize. This makes every accounting firm, whether a sole practitioner or a small, medium, or large multinational firm, a coveted hacker target. This article explores safeguards to keep client data confidential and provides guidance on how to respond in the event of a breach.

Cyber protection is the law
Handling taxpayer data includes an obligation to take reasonable measures to protect against a breach, and securing client taxpayer data is a legal requirement. The Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley) gave the Federal Trade Commission the authority to set safeguard regulations for paid tax preparers, requiring them to enact security plans to protect client data. These regulations also impose criminal and monetary penalties for knowingly or recklessly making unauthorized disclosures of taxpayer information. To assist with compliance, the IRS provides guidance that begins with tax preparers being aware of the cyber “Security Six.” To adequately protect client data, tax preparers must use antivirus/anti-malware applications, firewalls, multi-factor authentication, encryption, and virtual private networks (VPNs), and must maintain backup software. In addition, tax preparers should obtain regular security awareness and phishing training to keep current on evolving cyber threats. The regulations also require tax preparers to have a written information security plan (WISP) “appropriate to their circumstances,” which is one of the data security responsibilities they confirm when completing their PTIN Application and Renewal (IRS Form W-12). Firms must designate an employee to coordinate the development of the WISP, either internally or with the help of external service providers that can identify and assess risks to the taxpayer information held by the firm. The firm is then responsible for designing, implementing, monitoring, and maintaining a safeguards program. If the firm uses external cloud or hosting providers to process or store taxpayer data, the plan should extend to those services as well.

Obligation to keep confidential
CPAs should implement best practices to protect confidential client data from its initial acquisition to its eventual lawful destruction. Most firms provide new hires with thorough training on client confidentiality, but few follow up with reminder training or consider the impact of new digital technologies and remote work. With the adoption of digital tools such as portals, video collaboration, and social media, it is important that internal training include a discussion of how to keep data handled through these technologies confidential. Firms should discuss the assignment of appropriate access rights to digital applications for both firm members and clients. In addition, the impacts of remote work need to be emphasized, not only in client and public spaces but also when working from home, where family members may be present to see the employee’s computer display or overhear conversations.

The AICPA Code of Professional Conduct includes the “Confidential Client Information Rule” (1.700.001), which prohibits members from disclosing any confidential client information without the specific consent of the client. Additionally, the International Ethics Standards Board for Accountants is working on a Technology Exposure Draft. Among other matters, the exposure draft will expand upon professional accountants’ responsibilities when complying with the principle of confidentiality, including taking appropriate action to secure confidential information in the entire data governance cycle (i.e., from data generation or collection, to its use, transfer, storage, dissemination and lawful destruction). It will also include a proposed definition of confidential information, which establishes that information not in the public domain is confidential. Once approved, the IESBA exposure draft will be published for open public consultations.

Have I been hacked?
Even with a comprehensive cybersecurity plan in place, a firm’s data infrastructure and resources can still be compromised, so it is important for personnel to know how to respond if they suspect a breach. Educating personnel to recognize the tell-tale warning signs of a breach is the first step. Breach indicators can include notifications of changed passwords, odd emails being received by peers or being bounced back, tax returns being inexplicably filed or having their bank routing information changed, returns being rejected because they were already filed, and, in the worst case, receiving a ransomware notice that all files have been encrypted. When such suspicious activity occurs, personnel should immediately stop working on their computer, disconnect it from the network, and contact the firm’s IT/support team so they can remediate the concern using pre-defined breach response protocols.

We’ve been hacked!
If it is confirmed that a cybersecurity event occurred, firms should already have a breach response plan in place so they can respond in a timely manner. The reality is that the longer it takes to respond to a breach, the more costly the breach becomes and the greater the potential impact on the firm’s reputation. Accordingly, firms should already have designated a breach response team consisting of internal leadership and IT personnel, and should have identified external partners to assist in the event of a breach. These external team members should include the firm’s insurance carrier, legal representative, and experts in cyber forensics and regulations, as well as Federal law enforcement. The breach response plan should also include a coordinated notification plan to inform clients and the public about the incident, so expert public relations assistance may also be considered. Best practice is for the firm to designate a central spokesperson to deliver a consistent message to the public and all parties impacted, and to be transparent about what happened, when it happened, when the firm became aware of the breach, and the firm’s planned remediation efforts (including coverage for clients whose data could have been exposed).

Handling confidential client data is one of the realities of being a CPA, and firms must do everything possible to protect that data. However, when disaster strikes, it is also the responsibility of the CPA to minimize the impact on both the firm and its clients, and the most effective way to do that is to be prepared with a breach response plan and a trusted team.

Additional AICPA cybersecurity resources

A CPA’s introduction to Cybersecurity – This PCPS firm practice management resource explains why CPA firms and their clients are at risk, outlines best practices, and describes how CPAs can help clients.

CPA cybersecurity checklist – This PCPS firm practice management resource outlines 22 cybersecurity best practices CPAs should consider when protecting their firms and client data.

HACKED! Building defenses against and responses to intrusion – This PCPS firm practice management resource provides firms with key action items to minimize exposure and respond to an incident.

Roman H. Kepczyk, CPA.CITP, PAFM

Roman H. Kepczyk, CPA.CITP, CGMA is Director of Firm Technology Strategy for Right Networks and partners exclusively with accounting firms on production automation, application optimization and practice transformation. He has been consistently listed as one of INSIDE Public Accounting’s Most Recommended Consultants, Accounting Today’s Top 100 Most Influential People, and CPA Practice Advisor’s Top Thought Leaders.
