Cyber liability exposures and regulations impacting CPA firms have evolved significantly in recent years. While CPA firms have always had the challenge of protecting the confidentiality of client information in accordance with the AICPA Code of Professional Conduct and Sec. 7216, changes have occurred in both the regulatory and legal landscape, as well as to the scope of cyber liability exposures CPA firms face. CPAs need to be familiar with both their professional obligations and the risk management activities necessary to mitigate the risk of a breach of confidential firm and client information, as well as fraud, theft, and other criminal acts of third parties.
REGULATORY AND LEGAL LANDSCAPE
At present, federal regulations on cybersecurity primarily impact the health care and financial services industries. The Health Insurance Portability and Accountability Act of 1996 (HIPAA), P.L. 104-191, and the Gramm-Leach-Bliley Act (GLB), P.L. 106-102, resulted in the issuance of federal regulations increasing the responsibilities of health care providers and financial institutions to protect confidential information and disclose cybersecurity breaches.
The HIPAA Omnibus Rule, 78 Fed. Reg. 5566 (Jan. 25, 2013), amended prior versions of the HIPAA privacy and security rules. Significantly, it extended many of the privacy and security obligations applicable to health care providers to their "business associates." The U.S. Department of Health & Human Services Office for Civil Rights (OCR) defines a business associate under HIPAA as "a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity." CPA firms that have access to patient billing records in rendering services to health care providers qualify as business associates and must, among other things, enter into a business associate agreement with the covered entity. The OCR can impose civil monetary penalties of up to $1.5 million per calendar year for all violations of an identical provision of these rules.
The Federal Trade Commission Safeguards Rule, 16 C.F.R. Part 314, requires "financial institutions" to ensure the security and confidentiality of consumer personal information. It imposes specific requirements, including the development and implementation of a written information security plan. CPA firms that prepare tax returns qualify as financial institutions under the definition contained in this rule (16 C.F.R. §313.1(b)). In the past year, enforcement actions by the SEC and the FTC have resulted in consent agreements and substantial fines.
While there are no mandatory national cybersecurity standards, the Department of Commerce's National Institute of Standards and Technology (NIST) recently released an updated version of its voluntary Cybersecurity Framework for managing cybersecurity risk. The framework organizes best practices into five functions, Identify, Protect, Detect, Respond, and Recover, so that the risks of a cyberthreat are identified, measures are taken to protect the data, a breach is promptly detected and responded to, and data and operations are restored in a timely manner.
All 50 states, the District of Columbia, Guam, Puerto Rico, and the U.S. Virgin Islands currently have laws requiring companies to notify affected individuals of a breach of their personal information; the definitions of personal information, the notification deadlines, and any obligation to notify the state attorney general vary by jurisdiction. Colorado and Vermont have cybersecurity regulations affecting investment advisers and broker-dealers; New York has comprehensive cybersecurity regulations affecting banks, insurance companies, and a broad range of other financial service providers. More recently, California passed legislation, which goes into effect in January 2020, governing how companies collect, store, and use personal data. Meanwhile, the European Union enacted the General Data Protection Regulation (GDPR), which applies to businesses regardless of domicile that process the personal data of individuals located in its member states.
On the legal front, the federal circuit courts are currently split on what constitutes sufficient standing to sue for a cyber breach. While some federal circuits require the plaintiff to have suffered actual harm in order to have standing, others have held that a risk of future harm is enough — a significant expansion of standing. While it is hard to predict how the Supreme Court may ultimately rule, the prevailing thought (based upon current and proposed regulations) appears to support the expansive "threat of harm" rule as eventually becoming the applicable standard.
In earlier years, CPA firms were primarily targeted by cybercriminals infiltrating computer systems with ransomware, which encrypts firm data to prevent access to it and demands a ransom in exchange for the decryption key. The FBI does not recommend paying a ransom, since payment neither guarantees recovery of the data nor prevents a repeat attack, and it provides resources on its website to assist businesses in implementing ransomware attack prevention, business continuity, and breach response plans.
More recently, CPA firms have been targeted by cybercriminals seeking to access the personal information of individual tax clients to file fraudulent tax returns and obtain refunds. The IRS provides specific guidance for tax professionals to prevent and respond to such attacks, including IRS Publication 4557, Safeguarding Taxpayer Data: A Guide for Your Business (2018).
Additionally, CPA firms face the risk of privacy breaches involving both their own employees and third parties such as seasonal tax return preparers or the cloud hosting providers and applications used to facilitate client services. While intentional breaches are rare, inadvertent breaches are common and often arise from inadequate training and security controls, such as misaddressed emails, lost unencrypted devices, and misconfigured file-sharing permissions.
Mitigating the risk of privacy breaches and complying with applicable legal and regulatory requirements can seem overwhelming, but resources are available that provide related guidance. Here are a few basic steps to begin the process:
Start with an assessment
What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur?
Mapping where your firm's vulnerabilities are today is the best way to understand your next steps. The AICPA's cybersecurity risk management reporting framework helps you assess existing risk management programs. The AICPA Private Companies Practice Section cybersecurity toolkit also can help you understand the most common cybersecurity threats.
Implement best practices
At a minimum:
- Use encryption wherever possible to protect sensitive data, both at rest and in transit. This includes full-disk encryption on laptops, desktops, and mobile devices, and encrypted channels (such as a secure client portal rather than unencrypted email attachments) when exchanging client documents. Failing to do so threatens your data and your reputation.
- Train employees to recognize threats and safeguard equipment and data.
- Develop and practice your response plan for various situations such as a ransomware attack, hack, or identity theft.
- Back up your data so you'll still have access to it if it is damaged, lost, or stolen. Keep at least one copy offline or otherwise inaccessible from the production network so that ransomware cannot encrypt the backups along with the originals, and periodically test that a restore actually works.
- Keep your equipment physically secure in your office and on the road.
Get an outsider's perspective
Learn your firm's vulnerabilities by hiring an expert to conduct penetration testing. Agree on the scope, the systems to be tested, and the rules of engagement in writing before testing begins. The consultant will provide insights on your firm's vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm's response to various attack scenarios. For smaller firms, those with the necessary technical knowledge can use various penetration testing devices and vulnerability scanning software, bearing in mind that automated scans identify known weaknesses but do not replace a skilled tester.
LEGAL AND INSURANCE CONSIDERATIONS
CPA firms should consult with their legal counsel to assess the firm's risk of first- or third-party data security claims and consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage.
Editor's note: Additional cybersecurity resources for organizations and CPA firms are available at aicpa.org.
Stanley Sterna is a vice president and Joseph Wolfe is a risk management consultant at Aon, the administrator of the AICPA Professional Liability Insurance Program since 1967. For more information about this article, contact email@example.com.
Aon Insurance Services is the National Program Administrator for the AICPA Professional Liability Program and is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the authors' knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.