CPAs need to have access to a lot of personal information about their clients. It's the nature of the job. But with identity theft on the rise, the question becomes: What are you doing to protect this information?
Many, if not all, accounting firms password-protect their computers and have locking cabinets for safeguarding their client information. Many, but not all, firms have written policies regarding the safe keeping of client data.
"When clients came to the office, client files were usually kept covered or out of site of visitors", said Rick Solecki, owner of Solecki + Associates, CPA, PC. "My office had a wall closet with shelves which made it relatively easy to keep files out of sight."
CPAs should physically safeguard personal identity information as part of their duties to protect client confidentiality, according to Suzanne M. Holl, CPA, vice president of loss prevention for CAMICO, a professional liability insurance provider. Physical security should be provided for client files and can be as simple as having a locking file cabinet or bin in the CPA's office or cubicle.
"Because we have a suite of offices, our concerns over the security of client files are somewhat relaxed", said Robert Okray, owner of Stricof, Okray & Mahaffy, PLC. "The doors to the suite are locked at night and we have personnel sitting near our entrance to greet our guests. Client files can be in one of the various offices in the suite while the job is in process and are not returned to the client file drawers in the evening. However, we are cautious when we have visitors to our office. We make sure that names on client files are not in sight to the visitor and that any papers that are on the desk are covered."
What is the risk from allowing confidential client information out? Identity theft has been in the news for a while. The risk depends on what is done with the information and how quickly the theft is detected. From a CPA's standpoint, it is not just the risk to assess, but also the damages.
"Damages arising out of an inadvertent disclosure of confidential information can be substantial", said Christopher Piety, CAMICO vice president of claims. "Damages from such breaches would be covered under the CAMICO policy as any other damages arising out of the rendering of professional services. We have had requests by victims for credit monitoring, which is expensive yet does absolutely nothing to prevent identity theft or address any loss attendant to disclosure."
Keep in mind, though, that identity theft and equipment theft are not the same, according to Piety.
"We have seen many laptop and desktop [computer] thefts, but so far not actual damage resulting from identity theft [when the equipment is taken]", he said. "That leads us to believe that many of these thefts are for the purpose of taking the hardware and selling it rather than for identity theft. When these instances occur, we will assist our policyholders with client or consumer notification, and many policyholders have had their commercial general liability (CGL) carriers pay for the cost of notifying clients/consumers. Accordingly, we encourage our policyholders to notify both their CGL carriers and us."
The best way for firms to avoid the costs and problems associated with a data breach is to avoid a breach in the first place. Having written policies is a start, but firms must ensure that those policies are followed.
As professionals, employees must understand that there is no such thing as absolute security in any setting. In reality, identity theft risk comes from more than just outsiders to the firm - an employee in a CPA firm, bank, or credit card company also can steal personal identity information. Firms must do the best they can with internal policies and practices to limit client information exposure to protect their clients and themselves.