Privacy Framework Helps CPAs Protect Consumers

EXECUTIVE SUMMARY

COMPANIES REQUIRE HELP understanding and complying with the confusing array of privacy rules, and CPAs can meet that need. HIGHLY PUBLICIZED CORPORATE FAILURES to protect confidential data have heightened consumers’ awareness of threats to their privacy. CONSUMERS SURVEYED SAID they would rather do business with companies that safeguard customers’ personal information, underscoring privacy’s effect on the bottom line. IN THE UNITED STATES compliance is particularly difficult because each industry has its own privacy regulations. American companies that want to compete globally will have to observe international privacy standards as well. A coordinated approach to these diverse requirements is essential to effective compliance with them. THE AICPA PRIVACY TASK FORCE will issue in the third quarter an exposure draft of a comprehensive framework of privacy best practices. CPAs can use them to help their clients and employers maximize compliance and minimize privacy-related risks. WHILE CPAs MAY BE MORE QUALIFIED than other professionals to provide guidance on privacy compliance, they should be ready to display their skills in the face of strong competition from lawyers, as well as e-business and security consultants. CPA FIRMS SHOULD INTEGRATE their privacy and attest services to avoid potential restrictions on providing both assurance and consulting services to public clients.

J. LOUIS MATHERNE, CPA, and ERIN P. MACKLER, CPA, are AICPA employees. Mr. Matherne is director of business assurance and advisory services and Ms. Mackler is a research and innovation technical manager and staff liaison for the Institute’s enterprisewide privacy task force. Their views, as expressed in this article, do not necessarily reflect the views of the Institute. Official positions are determined through certain specific committee procedures, due process and deliberation.

ost companies are just beginning to realize they should implement a sound privacy policy. Some have learned the hard way—through negative publicity and lawsuits—like the pharmaceutical giant that mistakenly revealed the e-mail addresses of more than 700 people who had signed up for prescription refill reminders or the Web marketer that planned, by means of cookies, to track Internet users’ online shopping habits. Accidents and judgment errors like these can harm millions of consumers when they do business with companies lacking a comprehensive plan to safeguard privacy. And while lawmakers and trade groups may aim to prevent Web spamming, unwanted sales calls or unauthorized disclosures of private information, “the current inconsistency of rules, regulations and voluntary practices is confusing and provides uneven levels of protection for consumers,” said Mary Grace Davenport, a partner in PricewaterhouseCoopers’ financial services privacy practice.

In response, the AICPA is creating a privacy framework of best practices that CPAs can implement for their clients and employers. “It is clearly in the public interest for companies to have sound privacy practices,” said Everett C. Johnson, a partner in Deloitte & Touche’s enterprise risk services practice and chairman of the AICPA enterprisewide privacy task force. “It also is in the best interest of every company that interacts with the public. The framework addresses both needs.”

This article explains how the upcoming framework will serve as a coordinated source of reliable information CPAs can use to help their employers and clients comply with the growing body of overlapping privacy regulations.

"It is very clear the misuse of customer information poses a significant risk to businesses,” said Mitchell S. Baxter, vice-president of LegalNet Works, a Falls Church, Virginia, consulting firm that specializes in risk management, information security, regulatory compliance and liability and privacy issues. “Even when a company generally is following good privacy practices, the mere absence of a clearly defined policy with appropriate management involvement and oversight can expose a company to liability. Equally important is the risk of customer dissatisfaction and damage to the company’s reputation.”

THE NEED FOR A SINGLE FRAMEWORK
A quick glance at the patchwork of privacy regulations, laws and guidelines U.S. companies must navigate reveals the need for an efficient approach to compliance. Financial services companies must adhere to the Gramm-Leach-Bliley Act (GLB), while the health care industry has its own regulations under the Health Insurance Portability and Accountability Act (HIPAA). Companies that accumulate online data from children are subject to the Children’s Online Privacy Protection Act (COPPA) and those that contract with a government agency must observe the Privacy Act of 1974. Domestic retailers follow yet another set of rules, and any company that does business internationally likely is subject to the European Union’s Data Protection Directive. Many must comply with more than one of these laws simultaneously.

Davenport said American privacy strategy is behind the times and causing problems for U.S. corporations. “This industry-by-industry approach is unique to the United States,” she said. “We need a single privacy framework so companies can apply one set of policies to all their operations.”

AICPA TASK FORCE AIMS TO FILL THE VOID
The Institute’s enterprisewide privacy task force is developing strategies to establish the accounting profession as a key contributor in the effort to protect consumers’ privacy. An exposure draft of its Privacy Framework of Practices and Criteria, designed for companies interested in creating best practices, is scheduled to be released during the third quarter of this year. “The framework will guide CPAs in implementing best practices and act as a kind of education awareness campaign,” Baxter said. “CPA firms will be able to create a compliance module that will review a client’s need for a privacy policy.”

According to Johnson, the framework will be broad enough for a CPA to implement a privacy policy covering all of any company’s operations. “Businesses that choose to implement privacy policies in accordance with this framework will meet, and in most cases exceed, current privacy regulations and reduce their privacy-related risk,” he said.

Davenport, who along with Baxter is a member of the privacy task force, pointed out that the framework covers employees’ personal data, to which—in the United States—virtually no legal privacy requirements apply. “This is becoming an important focus as companies develop global human resources systems that must observe international privacy requirements,” she said.

OPPORTUNITY FOR CPAs
Many CPAs believe a privacy framework will provide them a significant consulting opportunity with their clients—or their employers. But practitioners certainly will not have this field to themselves: The legal community and e-business and security consultants have already entered the market, and the Better Business Bureau, through its BBBOnline Web site, recently launched a privacy seal of approval program. But Marilyn Greenstein, an accounting professor at Arizona State University West, and James E. Hunton, an accounting professor at the University of South Florida, agree that CPAs may have a strategic advantage in the arena. “CPAs have always focused on serving the public interest while at the same time helping businesses implement policies and practices in financial reporting,” explained Greenstein, who is also a member of the privacy task force.

In addition to characteristics CPAs share with other professions, such as the ability to understand various statutory regulations and to develop a high-level strategic business plan, Greenstein and Hunton suggested several reasons why accountants may be uniquely qualified to provide privacy services.

CPAs have a long history of

Providing attestation, risk assessment and audit services.

Assessing the adequacy of controls and determining whether they are operating effectively.

Assessing the risk a firm faces if its practices and policies are inadequate.

Monitoring a system’s compliance with its stated policies and practices and closing any gaps.

Firms that integrate their privacy monitoring with other attest services may guard against potential future restrictions on performing both auditing and consulting engagements for public companies. Such a strategy will be prudent for the client as well as the firm.

“The audit is about attestation of controls and business transactions,” said Brian Tretick, principal for privacy assurance and advisory services at Ernst & Young LLP and another member of the task force. “Having a sound privacy policy that can stand up to scrutiny can be as important to a company as making certain its financial statement complies with generally accepted accounting principles.”