The Rise of Data Privacy Regulations Offers New Opportunities for CPA Firms
Here are some ideas on how CPA firms can seize the opportunities created by rising data security rules and build new service offerings around them.
In the next several years, hundreds of thousands of businesses in the U.S. will need help navigating the increasingly tricky data privacy landscape and ensuring that they can keep critical business systems secure and their customers’ information private. This represents a unique, unprecedented opportunity for accounting firms to step up and lead their clients through this complex business environment.
Data Privacy Laws Will Pose Significant Burdens
At this time, approximately 41 U.S. states have laws mandating data breach notification, which is among the central focuses of modern data privacy regulation. Beyond breach notification, multiple states rolled out new and expanded data privacy laws in 2018 and 2019. These new privacy programs tend to mirror Europe’s hallmark compliance legislation, the General Data Protection Regulation (GDPR).
The GDPR has been notoriously challenging for organizations to implement, and most were not able to meet its stringent requirements by its effective date. This failure to comply has resulted in a number of enforcement actions against companies operating in Europe. For those of us here in the US, the following is a sampling of recent laws that will impact all of us:
California Consumer Privacy Act (CCPA)
● Gives consumers the right to know how their data is being used, a right to access it, a right to opt out of having their data sold to third parties, and a right to request that their personal information be deleted
● Businesses have to inform consumers about the categories of information that will be collected and the purpose for which it’s being collected -- at or before the point the information is collected.
● Formalized data protection and disposal techniques and tools
● Consumer notification within 30 days of breach detection.
● Civil financial penalties of up to $7,500 per instance of non-compliance.
● Individuals have the right to bring a private right of action against a company when their personal information is breached. Consumers don’t have to prove that they incurred actual financial loss from the data loss, only that the company violated the law.
Even though the CCPA only took effect recently, on January 1, 2020, it is already being cited in data breach lawsuits (Barnes v. Hanna Andersson, LLC, N.D. Cal., No. 20-cv-00812). Barnes, the plaintiff and a California resident, brought her class action complaint to the U.S. District Court after Hanna Andersson announced on Jan. 15 that hackers had scraped customer names, payment card numbers, and other personal information.
The complaint alleges that the hacked data, which was found for sale on the dark web, was hosted by Salesforce on its e-commerce platform. It also alleges that the e-commerce platform was infected with malware, which is what led to the data breach.
New York’s SHIELD Act (Stop Hacks and Improve Electronic Data Security Act)
● Amended New York’s data breach notifications and cybersecurity laws
● Added new data security protections to the General Business Law -- these are far-reaching, prescriptive standards. The law requires covered businesses to implement certain administrative, technical and physical safeguards; for instance, to “regularly conduct tests and monitors the effectiveness of key controls, systems and procedures.”
● Pushes organizations to develop and implement a written Data Security Plan that complies with the SHIELD Act
● Pushes organizations to integrate their ongoing compliance with New York’s data breach laws into their overall compliance efforts
● The SHIELD Act toughens the potential civil penalties for breach notification law violations, increasing them to up to twenty dollars per instance of failed notification (capped at $250,000), and imposes new civil penalties (up to $5,000 per violation, with no cap) for certain failures to comply with the new data security standards.
Nevada’s Senate Bill 220
● Requires operators of Internet websites and online services to follow a consumer’s direction not to sell his or her personal data
● For companies that don't comply with the law, the Nevada attorney general can seek an injunction or impose a civil penalty of up to $5,000 for each violation.
Washington State Data Privacy Act (Introduced in Senate in Jan. 2020)
● Gives consumers the right to know if a controller is processing their personal data and to access that personal data
● Gives consumers the rights to correct their personal data, delete it, obtain their personal data in a portable format, and opt out of having their personal data processed for targeted advertising, the sale of their personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects on the consumer
● Data controllers (those who determine how data will be used) are required to put administrative, technical, and physical data security policies and processes in place to protect the confidentiality, integrity, and accessibility of the consumer data they are collecting or processing.
● Data controllers and data processors must have contracts in place with provisions regarding personal data processing. The required provisions are similar to the GDPR’s data processing requirements.
● Processing sensitive data without a consumer’s consent is forbidden
● Covered businesses must conduct data protection assessments for all processing activities involving personal data.
● For companies that don’t comply with the law, the Washington Attorney General has the authority to take legal action and enforce penalties of up to $7,500 per violation.
In addition to the state-level legislation, Congress is actively exploring what a federal privacy bill would look like. In fact, multiple legislators have bills in process.
Organizations Must Maintain Data Security Policies and Practices
What these data privacy laws have in common is that they all require businesses to have reasonable security controls to protect sensitive/personal data from unauthorized access. These laws recognize that organizations cannot keep user information private unless they also have disciplined cybersecurity management practices to keep that data secure.
They push organizations to strengthen their security measures and better manage the IT risks posed by their supply chain, and they use large fines and penalties to incentivize this behavior change.
While surveys have shown that organizations’ leaders are already highly concerned about cybersecurity risk, we believe the rise of data privacy laws will push security concerns even higher on organizations’ agenda. To successfully comply with these data privacy laws, organizations will need to do a better job of protecting their critical data assets, which represents a new business opportunity for CPA firms.
Organizations Will Need to Take a Closer Look at the Security Risks
In the first half of 2019, data breaches exposed 4.1 billion records, and third-party breaches accounted for over half of all data breaches in the US. While awareness of third-party risk has begun to improve, we believe that the new data privacy landscape will force organizations to grow up fast when it comes to their third-party risk management practices.
Faced with the prospect of paying significant fines and penalties, organizations will start to do more to examine the security posture of their supply chain and take measures to mitigate the risk of third-party data breaches. In fact, we believe this trend will have a significant impact on how organizations build trusted relationships with one another.
Going forward, trust will always need to be earned. Before entering into a new relationship, organizations will take multiple steps to verify the digital trustworthiness of their prospective vendors and partners. In many cases, organizations will ask their vendors to send them the most recent audit reports signed by their CPA firms (e.g., SOC 2 report).
Additionally, firms with sufficient resources may develop their own auditing procedures to evaluate the security and data privacy practices of their vendors. You may already be familiar with Microsoft’s Supplier Privacy & Assurance Standards, which instruct its suppliers on data privacy and protection and ensure suppliers’ compliance with those requirements.
Going forward, we anticipate more organizations following in Microsoft’s footsteps with their own security and data privacy standards for suppliers.
The Opportunity Ahead for CPA Firms
At this moment, CPA firms have a greenfield of opportunity to help clients -- new and existing -- meet the new set of challenges posed by data privacy regulations.
Surveys show that most organizations are just starting to grapple with the challenges ahead. For instance, when Hyperproof conducted a survey to understand the state of CCPA preparedness as of December 2019 -- just a month before the effective date -- 91 percent of respondents reported that they had not completed the work required to be in compliance with the CCPA.
In fact, the most common response among those surveyed was that their organization had just begun to assess how CCPA requirements will affect their business (34 percent). There’s a real need for CPA firms to step in and help clients understand their obligations under these data privacy laws, ensure that their data practices are in line with regulations, guidelines and good practice, and do it in a way that’s easy to implement, cost-effective and scalable.
Opportunities for new services include:
● Education and training to help organizations understand the requirements of new data privacy laws, e.g., CCPA
● Helping clients identify important assets, map out their risks and provide a cybersecurity roadmap
● Gap analysis: helping assess the range and quality of controls in an organization prior to a SOC reporting examination
● Becoming an assessor for Microsoft Supplier Security and Privacy Assurance Program (SSPA)
● Becoming a preferred assessor for emerging supplier security and privacy standards (look-alike programs to Microsoft’s SSPA)
● Conducting security reviews (e.g., penetration testing and vulnerability assessments) to help clients identify specific risks to their business systems and data and providing mitigation strategies
Craig Unger is CEO and Founder of Hyperproof, a compliance operations SaaS application designed to streamline IT compliance processes and reduce administrative costs. Jingcong Zhao is Director of Content at Hyperproof, where she leads the development of thought leadership content...