Increasingly, clients of CPA firms impose confidentiality agreements as a precondition to engaging the firm to perform professional services. These may appear in the form of a separate nondisclosure agreement (NDA) or as a required provision to be included in the engagement letter. Requests for signed confidentiality agreements also may occasionally arise during the engagement as documentation is requested from the client.
In many situations, such requests are not warranted or necessary given the fact that CPAs are subject to the AICPA Code of Professional Conduct's "Confidential Client Information Rule" (ET §1.700.001) and confidentiality requirements of Internal Revenue Code Sec. 7216 respecting a client's tax return information. Begin by explaining to the client that the "Confidential Client Information Rule" and relevant ethics interpretations already require the CPA firm to protect the confidentiality of all client information. As such, a separate agreement or engagement letter provision should be unnecessary. However, that may not satisfy all clients. Before considering how to respond to the situation, it is important to understand the problems that may be presented in requested confidentiality agreements and engagement letter provisions.
RETURN OR DESTRUCTION OF CLIENT CONFIDENTIAL INFORMATION
NDAs sometimes include provisions requiring the CPA firm, upon the conclusion or termination of the engagement, to either return or destroy any client confidential information that is possessed by the CPA firm, including any client confidential information included in firm workpapers. Other provisions may restrict access to workpapers by others. Workpapers produced by firm staff in connection with an engagement are owned by the CPA firm that undertakes the engagement, not the client or the individuals performing engagement services. Workpapers must also be available for system or peer reviews as required by state boards of accountancy or other regulators. Moreover, in the unfortunate event a professional liability claim or lawsuit is pursued, workpapers will serve as key evidence in the defense of the CPA firm.
Another provision that is often included in NDAs or confidentiality provisions is the requirement for the firm to indemnify the client for any expenses should the firm breach its obligations in the NDA or confidentiality provisions. Any requirement to indemnify the client should always be reviewed carefully. (See "Professional Liability Spotlight: Deflecting Clients' Defense and Indemnity Requests," April 2017, for further discussion of this issue.)
OTHER RESTRICTIVE CONFIDENTIALITY PROVISIONS
Confidentiality agreements presented by clients also may include definitions that broaden the scope of confidentiality obligations. While CPAs are obligated to keep client information confidential, that obligation does not extend to the confidential information of third parties that are not subject to the agreement. If the agreement requires the CPA to maintain confidentiality over such information, discuss this with the client and consult with your own attorney regarding the provision.
Confidentiality provisions sometimes restrict the service provider's ability to communicate with anyone other than representatives expressly authorized by the client. The intent of such a provision may be to protect the confidential information provided to the CPA firm from being disclosed to other employees of the client, but it also may restrict the CPA's ability to effectively perform a tax or consulting services engagement. For example, in a consulting services engagement focused on improving business efficiencies, the CPA firm may have to collect information from a client's employees and respond to their questions about related information already provided by the client representative. A provision restricting such a discussion would severely hamper that ability.
NDA REQUESTS AND PROPRIETARY R&D
Clients and prospective clients may need tax, accounting, and consulting assistance associated with research and development for proprietary products or services. As such, the CPA may be asked to sign an NDA before any discussion about the scope of services can even begin. As such, the NDA may expand the scope of confidentiality obligations beyond the framework of the "Confidential Client Information Rule." For example, it may include requirements:
- Prohibiting disclosure of any related information to third-party advisers. This arguably could prohibit the CPA firm from consulting with its own attorneys regarding both the terms of the NDA and other matters that may arise in connection with the engagement. The NDA should at the very least permit the CPA firm to consult with its own attorneys and risk advisers. If this provision is included, discuss it with your attorneys before beginning to talk to the prospective client about the NDA's terms.
- Prohibiting disclosure of confidential client information to any employees or owners of the CPA firm and related affiliates not involved in the engagement. The CPA firm should consider how such a provision will restrict access to this information by locking down engagement files and requiring the engagement team to keep this information confidential and available only to the engagement team. The terms of this provision should be based upon the specific requirements of the engagement. Further, for purposes of consistency and clarity, it should be addressed in the engagement letter rather than in a separate NDA.
- Defining and restricting ownership and third-party access rights to proprietary information. This is likely to arise in an engagement involving the development of a proprietary product such as computer software. This should only apply to the ownership and transfer of confidential information and not to access by specifically identified parties necessary to complete the engagement.
- Permitting the assignment of NDA rights to third parties, such as affiliates or prospective business partners of the client.
When presented with an NDA raising such issues, take the time to review the content and discuss it with your own attorney and risk advisers prior to proposing modifications to the prospective client. In some situations, the client may need to disclose some proprietary information simply to discuss the scope of proposed services, and a limited-scope NDA may be appropriate. However, in many cases NDA provisions can and should instead be detailed in a signed engagement letter customized for the situation. It is important for the CPA firm to consult with its own attorneys and risk advisers before concluding an agreement on the terms of an NDA, including confidentiality provisions that go beyond applicable professional standards.
Prospective clients may ask the CPA firm to be engaged by their attorneys using a Kovel arrangement (deriving from the case Kovel, 296 F.2d 918 (2d Cir. 1961)). A Kovel letter is issued by an attorney when providing legal advice or services to the client and is designed to protect all CPA firm communications and workpapers under the cloak of privilege between the attorney and the client. The letter typically includes restrictions on both confidentiality and ownership and control over workpapers. Kovel letters may be required in litigation support engagements or in pending tax cases but also may be presented in other types of engagements. CPAs should consult with their own attorney prior to entering into a Kovel arrangement. For more information, see the AICPA's Attorney Client Privilege and Use of Kovel Arrangements FAQs.
BEWARE THE SCOPE OF NDAs
Increasingly, CPA firms are being presented with NDAs and other client confidentiality requirements that go beyond the scope of the "Confidential Client Information Rule," Sec. 7216, and other applicable laws and regulations. It is important to scrutinize these requests closely and consider whether they are appropriate under the circumstances. Consult resources available from the AICPA and your professional liability insurer pertaining to these matters, and have your attorney review requirements in NDAs, engagement letters, or other contracts that expand upon or potentially conflict with professional standards, laws, or regulations.
Joseph Wolfe is a risk management consultant at Aon Affinity. Stanley D. Sterna, J.D., is a vice president at Aon Affinity. For more information about this article, contact specialtyriskcontrol@ cna.com.
Continental Casualty Company, one of the CNA insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program. Aon Insurance Services, the National Program Administrator for the AICPA Professional Liability Program, is available at 800-221-3023 or visit cpai.com.
This article provides information, rather than advice or opinion. It is accurate to the best of the authors' knowledge as of the article date. This article should not be viewed as a substitute for recommendations of a retained professional. Such consultation is recommended in applying this material in any particular factual situations.
Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.