State governments could constantly monitor and receive data from some CPA firms’ computers when those firms work with government agencies if pending cybersecurity bills in a number of state legislatures become law.
The AICPA is working to oppose these bills. The National Association of State Chief Information Officers (NASCIO) also opposes the bills, citing the privacy concerns, costs, and other unintended consequences of such monitoring.
“Legislation like this potentially poses significant risks to citizen privacy,” said Megan Kueck, the AICPA’s lead manager–State Regulation & Legislation. “They would also be greatly burdensome on small and medium size firms who cannot afford to assume the risks the software requires.”
The proposed legislation first appeared in 2019 in numerous states in bills that would require professional firms serving as contractors to state governments to install what the IT industry calls “spyware.”
The proposed bills would use software created in the private sector that can continuously track computer keystrokes and mouse clicks, and record screenshots, Kueck said.
The data would be stored by state revenue departments and potentially also sent to a third party, which claims that the proposed work-verification service could save governments money by revealing waste and fraud by private suppliers.
Seven states — Minnesota, Montana, New Jersey, Pennsylvania, Rhode Island, Virginia, and West Virginia — had legislation pop up in 2021 related to the monitoring of government contractors, Kueck said. Pilot programs could be adopted with some of the legislation proposed this year.
This legislation and other bills like it could essentially transfer the ownership of the private data of CPA firms’ clients to third parties, potentially infringing clients’ privacy, according to Kueck.
Opposition has been significant.
In addition to the AICPA, organizations opposing the bills include the Associated General Contractors of America (AGC), the American Council of Engineering Companies (ACEC), the Computing Technology Industry Association (CompTIA), and the Information Technology Industry Council (ITI).
“Opposition to monitoring mandates among the business community is widespread,” according to a Virginia report in October 2020. It predicted that if the bill passed, the state’s procurement costs would rise because many suppliers would refuse to do business with the state, and those willing to take state contracts would pass on to the state extra costs mandated by the law.
In a significant step in 2019, NASCIO condemned the wave of bills in a statement: “While NASCIO certainly supports contractor productivity, cost efficiency, and successful project outcomes, legislation of this nature could introduce unnecessary risks to citizen data by essentially transferring ownership of private citizen data to a third party.”
NASCIO Executive Director Doug Robinson said at the time this was the only occasion in his 15-year tenure that his organization publicly opposed any state legislation.
CPAs and AICPA members concerned about the legislation can contact their state CPA society or email Megan Kueck at Megan.Kueck@aicpa-cima.com.
— George Spencer is a freelance writer based in North Carolina. To comment on this article or to suggest an idea for another article, contact Chris Baysden, a JofA associate director, at Chris.Baysden@aicpa-cima.com.