Or, in other instances, the IRS may contact your clients directly for additional information to perfect the filing. Soon the floodgates start to open.
The Expenses Start Rolling In
Setting aside your initial anger, frustration, and concern about potential lawsuits from clients, you are about to incur a variety of substantial first-party expenses (expenses that will take place regardless of third-party legal activity), including:

Forensic costs
An expert will need to be retained to determine the nature and extent of the breach. You will soon realize that your firm has been subject to a phishing attack and many clients have been impacted.

Legal fees
A law firm will need to be hired to evaluate the forensic investigator's findings for potential notification purposes.

Notification expenses
In partnership with your law firm, you will determine that notification to impacted victims (not to mention law enforcement and attorneys general) is required. Notification will be driven by client (as opposed to firm) location. Since there are 48 states with breach notification requirements, in addition to federal compliance requirements that apply to accounting firms, e.g., the Gramm-Leach-Bliley Act, you will incur substantial expenses. Having a diverse clientele is impressive, but when it comes to breaches, it is not all it is cracked up to be.

Monitoring and restoration fees
Based on the nature of the acquired information, you will determine that providing credit/identity monitoring and restoration services to clients is a key way to make them whole and mitigate future losses. The dollars for that lunch break are continuing to mount.

Data restoration costs and business interruption
Beyond clientele, you will also need to spend significant dollars on restoring data, correcting systems, and building better defenses for next time (assuming there is a next time). It is also likely that your existing systems will be down for a significant period of time, which ultimately equates to lost dollars in the form of business interruption exposure.
Third-Party Liabilities
Once you have gotten your hands around the first-party expenses, it is safe to assume that third-party liability will be equally (if not more) problematic. Consider the following additional exposures:

Enforcement proceedings
There will certainly be outside regulatory interest in assessing whether you complied with your publicly stated position on security and privacy. As a result, and at a minimum, you should anticipate incurring regulatory defense expenses. Realistically, you should also anticipate fines/penalties being levied against the firm along with consumer redress funds being established to compensate victims.

Lawsuits
Unfortunately, some clients may not be satisfied with monitoring/restoration and consumer redress funds. While an individual suit might be costly, the death blow might be in the form of class action activity with similarly situated victims suing in an aggregated fashion.
Your Firm's Reputation
Beyond first-party expenses and third-party liability exposures, there are concerns about the reputational impact on firms that sustain a data breach or privacy loss. Clients may leave the firm or employees might jump ship.
Best Practices to Protect Your Firm
So, moving back in time, what are some tips to avoid a phishing attack? While there are various best practices to consider, you should begin by focusing on the following:

1. Employee Training
Show employees how to identify legitimate vs. illegitimate emails. As a part of the training, run mock exercises to test employees with real scenarios.

2. Intrusion Detection Software
The earlier malware is detected, the faster proactive steps (such as disconnecting an infected device) can be taken to implement corrective measures.

3. Passwords
The firm should provide guidance on strong versus weak password implementation. Passwords should be changed on a quarterly basis if not more frequently. Also investigate password management software.

4. Two-factor authentication
This requires an initial proper password plus another level of security, such
Whittlesey Technology estimates that more than 80 percent of the accounting firm data breaches it investigates start with a phishing attack.
www.ctcpas.org
24