Accounting firms have embraced technology, and much of the mechanics of doing business now happens online. Cloud computing, data management systems and dedicated client portals are the order of the day. However, the maintenance of electronic and physical records must still be carried out in a professional and confidential manner, because a range of standards and statutes regulate record retention.
Identity theft or a data breach can result from a lost or stolen device, hacking, fraud, improper disposal of data, or an errant email message. An accounting firm faces numerous exposures in the event of identity theft, such as:
- Claim for damages – A client or third party can bring both direct claims and cross-claims for indemnification against the firm for damages incurred as a result of the exposure.
- Cost of compliance with state and federal statutes and regulations – In addition to the costs of compliance with state security breach notification laws, the firm may be subject to penalties for violations of federal statutes and regulations.
- Reputational damage – A privacy breach, actual or perceived, may result in a loss of consumer trust that significantly damages the public perception of a firm. That can harm business relationships, especially in public accounting, a business in which trust and confidentiality are critical.
- Network damage – Companies of all sizes are at risk of attacks on their computer networks. CPA firms are attractive targets because they hold data that can readily be sold on the online black market. Intentional hacking attacks aren’t the only danger. Malware, software designed to impair the operation of computers and other devices, can be introduced through email attachments or downloaded software. Malware can disrupt computer operations, gather sensitive information, or gain access to private computer systems. It can also spread from a firm’s systems and damage clients’ networks, and some malware uses compromised systems to send spam or to launch denial-of-service attacks.
If identity theft is suspected or known to have occurred, rapid assessment and damage mitigation are imperative. Evaluate the severity and scope of the incident, preserving the affected devices and logs rather than wiping them, since both the scoping and any later claim depend on that evidence. Consult legal counsel on compliance with the applicable notification laws and on public relations activity related to the breach, and notify potentially affected clients.
The more cost-effective approach is to implement robust data security measures.
Make sure that laptops, desktops, USB drives, servers, smartphones and other devices do not hold any confidential data that is unencrypted; full-disk encryption on every device is the simplest way to achieve this. Consider remote lock and remote wipe capabilities so that protected files cannot be read if a device is lost or stolen. Ensure that email messages and attachments containing confidential data are encrypted, either by encrypting the file itself or by using certificate-based email encryption such as S/MIME. Use strong, unique passwords, and do not write them down or share them. Note that "salting" is not something a user does by adding symbols such as #, $ and & to a password: a salt is a random value that the system generates and stores alongside each hashed password, so that two users with the same password do not end up with the same stored hash and precomputed cracking tables are useless. What a user can do is choose a long passphrase; what a firm can do is ensure that any system it runs stores passwords only as salted, slow hashes, never in plain text. Physical security should be provided for computers and endpoints, as for any other valuable asset, including building security and access codes, and locking up all servers, laptops, desktops and mobile devices.
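The following is an added example, not code from the article, showing what a salted password store actually looks like so the distinction above is concrete. It uses only the Python standard library; the record layout (algorithm, iteration count, base64 salt, base64 hash, joined by `$`) and the function names are assumptions of this example, not a format the article prescribes.

```python
import base64
import hashlib
import hmac
import os

# Record layout is an assumption of this example (the article prescribes no format):
# algorithm$iterations$salt$hash, with salt and hash base64-encoded.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000   # work factor; raise it as hardware gets faster
SALT_BYTES = 16        # 128-bit random salt, generated by the system, never by the user


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record.

    The salt is stored in the clear next to the hash; it is not a secret. Its job is
    to make equal passwords produce different records and to defeat precomputed
    (rainbow) tables, not to add "symbols" to the password itself.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), _b64(salt), _b64(derived)])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and compare it in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False          # malformed record: reject rather than crash
    if algorithm != ALGORITHM or iterations < 1:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, len(expected)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(candidate, expected)


def salts_make_records_differ(password: str) -> bool:
    """Why the salt matters: storing the same password twice yields two different records."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify correct password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:", verify_password("Correct horse battery staple", record))
    print("same password, two records differ:", salts_make_records_differ("hunter2"))
```

The iteration count is stored in the record so it can be raised for new passwords without invalidating old ones; on a successful login a system would rehash any record whose count is below the current setting.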
Accounting firms should also run a continuous data security process. It should emphasize risk assessment to surface vulnerabilities, and it should produce a balanced information security plan that sets out policies, procedures, each staff member's responsibilities for protecting data, and the actions to take in case of a breach. Regular staff training ensures that every employee knows what the firm is doing and what he or she is required to do, including best practices for new and continuing risks such as social engineering, phishing and web application attacks. New laws and regulations should be reflected in changes to the plan, and training sessions that cover those changes will make the plan a dynamic, living document that staff use and rely upon. Firms will avoid or reduce the high costs associated with data breaches, and strong data security measures become a selling point that many clients appreciate.