Painful Realities of a Data Breach
Phoenix, AZ (AZ CPA) September 2015 – What would be the best time of the year to call all your clients and tell them that their personal information has been compromised as a result of lax security procedures in your office? How do you think your clients would react to your firm being subject to an exhaustive investigation by the Arizona attorney general, the Internal Revenue Service, the IRS criminal investigation unit and the Federal Trade Commission? This is just the beginning of what you can look forward to if you compromise your clients’ personally identifiable information.
The recent IRS data breach was successful largely because the thieves had substantial information on the victims before beginning the attack. As larger organizations continue to tighten security protocols, identity thieves will undoubtedly be looking for low-hanging fruit. Even the smallest CPA firms hold sensitive information for hundreds of entities.
A.R.S. § 44-7501 addresses an Arizona CPA’s responsibilities in the case of a data breach. Although this statute is relatively lenient compared to some states, it defers authority to the Gramm-Leach-Bliley Act (P.L. 106-102; 113 Stat. 1338; 15 United States Code sections 6801 through 6809) where it applies. The statute suggests that an Arizona CPA would be subject to federal oversight in most data breach cases.
Each violation of the Gramm-Leach-Bliley Act carries a potential civil liability of $100,000 for the entity, $10,000 for each of the officers and directors and subjects the CPA to penalties imposed under U.S.C. Title 18. Among other things, Title 18 holds the CPA responsible for actual damages. Violations can also carry a jail term up to five years for the responsible parties.
It is unlikely anyone will view a CPA firm as a victim when a breach occurs. A client discloses personally identifiable information to a CPA because they believe that appropriate measures have been implemented to protect the information. This is a reasonable assumption. Section 6801(b) of the Gramm-Leach-Bliley Act requires CPAs to establish appropriate procedures and grants authority to a myriad of federal agencies to enforce compliance.
Unless the CPA is placing insurance or securities products, they will most likely be subject to the rules promulgated by the Federal Trade Commission. The Commission, at minimum, requires that a firm establish a written security plan. The plan has to designate responsible employees, identify and assess risks, design a safeguards program, select appropriate service providers, and evaluate the program and explain adjustments. Any firm without a written security plan is already in violation of federal law.
Beyond enforcement concerns, a firm is liable for the costs associated with a data breach. This includes both direct and indirect costs. Cyber liability insurance can provide coverage for network extortion, business interruption, loss or damage to a network and e-theft. The coverage may even extend to third-party service providers in the form of media liability, privacy liability and network security liability. Reputational damage is not, however, an insurable interest. Once clients have lost confidence in a firm’s business practices, all recommendations become suspect. Time spent restoring confidence and lost revenue opportunities represent the most significant drains on a firm’s profitability.
Proactive management of the data security program is the most effective way to reduce the damage a breach can inflict on a firm. The program’s effectiveness rests on three pillars: technology, processes and people. Technology selection is probably best addressed by professionals dedicated to that field, but personnel at all levels must participate in operationalizing security protocols. This requires the same diligence employed in the execution of all other professional responsibilities.
A firm manager may never become a security expert, but they must become an expert in vetting the personnel they hire. The IT field is as vast as the accounting profession, with many different areas of specialization. A database administrator may not have the required expertise to secure a network from attack. A security specialist may not be able to identify the location of the firm’s most sensitive data.
Larger firms may be able to support dedicated IT staff, but any employee can become the source of a data breach. A partner or manager who discounts the importance of data security sets a tone that can permeate throughout an organization. Smaller firms and sole practitioners are subject to the same standards as their larger peers. There is no de minimis exclusion available in Gramm-Leach-Bliley.
Unless specialized training is obtained, it is unlikely a CPA will be able to competently assess data breach risks and reduce those risks to an acceptable level. Technology can alleviate some of the load, but only if the practitioner knows what is available and makes intelligent selections. Secure procedures are rarely, if ever, user friendly. Implementing new security protocols will impair productivity, and staff and clients will tend to circumvent overly burdensome procedures.
Even after implementing reasonable precautions, a practitioner needs to be prepared for the worst. The firm should have procedures in place to identify and manage a data breach. Gramm-Leach-Bliley does specify some disclosure requirements, but the manner in which disclosure is made is left to the firm’s discretion. The practitioner is well advised to put some forethought into how a client discussion might go in the worst-case scenario before it actually occurs.
While technological improvements have dramatically increased productivity in the profession, they have also changed the way practitioners structure their internal controls. To meet this challenge, a firm manager needs to be willing and able to step outside their comfort zone. Failing to dedicate appropriate attention to these issues could be a career decision.
Benjamin Podraza, CPA/PFS, MTAX, CGMA is the principal at Podraza CPA, PLLC, a tax and business consulting firm in Scottsdale, Arizona. He can be reached at firstname.lastname@example.org or 480-998-3945.