www.ctcpas.org

Client Data Is a Virtual Treasure Trove: Why CPA firms must be vigilant about cybersecurity

By Mark R. Torello, CPA, CFE, CISA; Chair, CTCPA Technology Interest Group

What is your client data worth? On the dark web, an individual's bank account information can sell for $1,000 or more. Starting price on one healthcare record is $50.[1] Volumes of sensitive client information pass through our firms daily. The information we collect is valuable to cyber criminals.

Because CPA firms have access to a virtual treasure trove of data, we're vulnerable to hackers and, therefore, held to higher levels of compliance requirements at both the state and federal levels.

As accounting professionals, we should embrace these laws, because standardization and guidance are good for our industry and our clients. However, the myriad cybersecurity-related laws can be challenging to navigate.

This article outlines what accounting professionals need to know.

State Laws

Connecticut law requires all businesses to:

• Protect the personal information of others and publish a privacy protection policy (CT Gen Stat 42-471 Safeguarding of Personal Information).
• Investigate incidents to determine if a breach occurred.
• Report breaches in accordance with CT Gen Stat 36a-701b or CT Public Act No. 15-142, if you're covered under it.

If your business is under state contract or under Connecticut Insurance Department oversight, Connecticut requires a Written Information Security Program (WISP). For more information, refer to CT Public Act No. 15-142.

Federal Laws

CPA firms fall under the Federal Trade Commission (FTC) and the Gramm-Leach-Bliley Act, which means firms are considered "financial institutions." Under this law, firms are required to employ reasonable measures to protect the security, confidentiality, and integrity of consumer financial information. Requirements include annual risk assessments and client acknowledgment of receipt of your privacy notice.

CPA firms with healthcare clients are considered Health Insurance Portability and Accountability Act (HIPAA) business associates, which means your client will be required to have you sign a business associate agreement (BAA) under HIPAA. The healthcare provider must have all parties that may come in contact with their protected health information (PHI) agree to comply with HIPAA.

[1] Business Insider, "Here's how much thieves make by selling your personal data online," Cadie Thompson, May 27, 2015.