Firms must protect information with policy, action

CPAs need to have access to a lot of personal information about their clients. It's the nature of the job. But with identity theft on the rise, the question becomes: What are you doing to protect this information?


Many, if not all, accounting firms password-protect their computers and have locking cabinets for safeguarding their client information. Many, but not all, firms have written policies regarding the safe keeping of client data.


"When clients came to the office, client files were usually kept covered or out of site of visitors," said Rick Solecki, owner of Solecki + Associates, CPA, PC. "My office had a wall closet with shelves which made it relatively easy to keep files out of sight."


CPAs should physically safeguard personal identity information as part of their duties to protect client confidentiality, according to Suzanne M. Holl, CPA, vice president of loss prevention for CAMICO, a professional liability insurance provider. Physical security should be provided for client files and can be as simple as having a locking file cabinet or bin in the CPA's office or cubicle.


"Because we have a suite of offices, our concerns over the security of client files are somewhat relaxed," said Robert Okray, owner of Stricof, Okray & Mahaffy, PLC. "The doors to the suite are locked at night and we have personnel sitting near our entrance to greet our guests. Client files can be in one of the various offices in the suite while the job is in process and are not returned to the client file drawers in the evening. However, we are cautious when we have visitors to our office. We make sure that names on client files are not in sight to the visitor and that any papers that are on the desk are covered."


What is the risk from allowing confidential client information out? Identity theft has been in the news for a while. The risk depends on what is done with the information and how quickly the theft is detected. From a CPA's standpoint, it is not just the risk to assess, but also the damages.


"Damages arising out of an inadvertent disclosure of confidential information can be substantial," said Christopher Piety, CAMICO vice president of claims. "Damages from such breaches would be covered under the CAMICO policy as any other damages arising out of the rendering of professional services. We have had requests by victims for credit monitoring, which is expensive yet does absolutely nothing to prevent identity theft or address any loss attendant to disclosure."


Keep in mind, though, that identity theft and equipment theft are not the same, according to Piety.


"We have seen many laptop and desktop [computer] thefts, but so far not actual damage resulting from identity theft [when the equipment is taken]," he said. "That leads us to believe that many of these thefts are for the purpose of taking the hardware and selling it rather than for identity theft. When these instances occur, we will assist our policyholders with client or consumer notification, and many policyholders have had their commercial general liability (CGL) carriers pay for the cost of notifying clients/consumers. Accordingly, we encourage our policyholders to notify both their CGL carriers and us."


The best way for firms to avoid the costs and problems associated with a data breach is to avoid a breach in the first place. Having written policies is a start, but firms must ensure that those policies are followed.


As professionals, employees must understand that there is no such thing as absolute security in any setting. In reality, identity theft risk comes from more than just outsiders to the firm - an employee in a CPA firm, bank, or credit card company also can steal personal identity information. Firms must do the best they can with internal policies and practices to limit client information exposure to protect their clients and themselves.


Related articles:

You may like these other stories...

Former DOJ Tax Division head Kathryn Keneally joining DLA Piper in New YorkGlobal law firm DLA Piper announced on Thursday that Kathryn Keneally, the former head of the US Justice Department Tax Division, is joining the firm...
Read more from Larry Perry here and in the Today's World of Audits archive.In my last article, I summarized major differences between principles in U.S. GAAP and the Financial Reporting Framework for Small and Medium-...
OECD calls for coordinated fight against corporate tax avoidanceDavid Jolly of the New York Times reported that dozens of countries with the most advanced economies have agreed on principles for concrete action to prevent...

Already a member? log in here.

Upcoming CPE Webinars

Sep 24
In this jam-packed presentation Excel expert David Ringstrom, CPA will give you a crash-course in creating spreadsheet-based dashboards. A dashboard condenses large amounts of data into a compact space, yet enables the end user to easily drill down into details when warranted.
Sep 30
This webcast will include discussions of important issues in SSARS No. 19 and the current status of proposed changes by the Accounting and Review Services Committee in these statements.
Oct 21
Kristen Rampe will share how to speak and write more effectively by understanding your own and your audience's communication style.
Oct 23
Amber Setter will show the value of leadership assessments as tools for individual and organizational leadership development initiatives.