It has been said that with great power comes great responsibility. Mobile devices and cloud computing empower CPAs to work on an anytime, anywhere basis, but increased access demands greater responsibility for data security. A CPA’s obligation to protect client confidential data is not only governed by the AICPA Code of Professional Conduct and Internal Revenue Code Sec. 7216, but also by the patchwork of federal and state statutes and regulations that govern data security. This obligation is the same regardless of how or where the data is stored or transmitted.
A breach of client confidential data poses various risks, including professional liability exposure if that information is used maliciously and damages are incurred. Risk also arises related to mandatory compliance with applicable federal and state breach notification statutes and regulations. Moreover, reputational and other harm may ensue from the failure to protect client information.
CPAs’ growing use of mobile devices to conduct business increases the number of potential data leakage points. Additionally, apps have become a prime avenue for hackers to gain access to mobile devices. All of these factors contribute to an increased likelihood of improper data disclosure.
More data to protect, more data security laws with which to comply, and more ways data can be released or compromised—what’s a CPA firm to do? As technology advances at lightning speed, the challenge to secure data may seem daunting. Prohibiting the use of mobile devices is not a practical option. While no security program or security software can guarantee that data will never be lost or stolen, application of a few basic principles can help address mobile security risks and mitigate professional liability exposure.
Understand the firm’s data security risk profile. The use of mobile devices creates additional opportunities for data to be lost or stolen. Review how the firm receives, uses, and maintains data, including how and where data is stored, the kind of data transmitted to and from mobile devices, and the practices that may place your firm at higher risk for data leakage and loss. For example, does the firm permit the use of unencrypted flash drives?
Rethink data needs. Before accepting confidential data from a client, determine if there is a business need for collecting the data. Could you perform the professional services in accordance with the engagement agreement without receiving the data? CPAs should be mindful of their responsibility to protect client data when they request information from clients or access client systems. Having access to data that is not truly necessary increases the CPA’s professional liability risk. By limiting the type of information it receives from its clients, the firm can reduce the need to protect and secure such information.
Decide what type of mobile program fits the firm best. Will firm-owned devices be provided to your partners and employees, or will they provide their own devices as part of a bring-your-own-device (BYOD) program? Each program has risks and benefits. When the firm provides the device, it has more control over its use and security, but partners and employees may end up carrying two of each device, one for work and one for personal use. A BYOD program might be less expensive and avoids the second device, but the firm has less control over the device, the apps installed on it, and the personal data that shares it with client data, so it is harder to secure. Some safeguards, such as encryption, a passcode requirement, and the ability to remotely wipe firm data, apply to both programs; others, such as who selects and patches the device and how firm data is kept separate from personal data, differ. Firms should decide which program best fits their budget and addresses their cultural and security needs.
Take mobile security seriously. Do not allow partners and employees to use any device they wish, with programs they select, and believe that these devices are secure because they have a password. Passwords alone do not constitute a security program. Use a mobile device management (MDM) vendor that can provide a software platform that secures and supports the different devices used by employees. Such platforms control how data flows among the devices, the cloud, and the firm's servers, and they provide security features such as enforced encryption of stored data and the ability to remotely locate, lock, and wipe a device. Note that a remote wipe only takes effect if the lost device can still reach the network, so encryption of data at rest is what protects a device that is never recovered. A mobile device program should also address removable media, such as thumb drives.
Have a firm policy or an employment agreement that states the terms and conditions of the mobile program and the expectations of partners and employees. Create a comprehensive mobile device policy (including detailed guidelines) for all partners, employees, contractors, and third-party service providers. The policy should identify and address data security risks and the procedures that must be followed if a device is lost or data is disclosed. Let partners and employees know how they may use their devices and what is expected of them. Explain the privacy expectations they should have when they use a mobile device for work, including the firm's ability to inspect, lock, or wipe the device. Because employment and privacy laws vary by state, CPA firms should consult an attorney to draft these documents.
Educate partners and employees about risky behaviors. Inform personnel about the importance of safeguarding mobile devices. Risky behavior includes downloading apps and free software from unsanctioned online stores that may contain malware, turning off security settings, not encrypting data in transit or at rest, and not promptly reporting lost or stolen devices that may contain confidential and sensitive information.
Integrate IT, human resources, and legal professionals in the development of the mobile device program. Every program should have aspects that draw from each of these disciplines. For example, an IT professional can address security software issues, but he or she probably would not know whether certain practices violate employment laws. Have a point person coordinate the effort, but make sure to get input from each of these areas of specialization.
Much more detail goes into each of these considerations, but these principles are a sound starting point for a CPA firm establishing a mobile program that addresses data security risk and the related professional liability risk.
Continental Casualty Co., one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the authors’ knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured.