background image
13
Connecticut CPA
g
May/June 2013
T
hese are not hypothetical sce-
narios. Rather, they represent
actual incidents of data secu-
rity breaches that occurred at differ-
ent types of businesses, including
accounting firms. According to public
data available from the Privacy Rights
Clearinghouse, more than 600 million
records have been breached since
2005.
1
Such records contain data ele-
ments useful to identify thieves such
as Social Security numbers, account
numbers, and driver's license num-
bers. The following are some of the re-
ported incidents of public accounting
firms collected by the Privacy Rights
Clearinghouse:
A public accounting firm experienced
a breach involving the information of
current and former employees of a cli-
ent. The client learned that a laptop
with employee names, Social Security
numbers, addresses, and the stock
administration information of a select
few had been stolen from the home of
an employee of the accounting firm.
In 2012, a public accounting firm was
contracted to perform financial state-
ment auditing services. An employee
of the accounting firm accidentally re-
moved one or more CD-ROMs from
the office. The CD-ROMs contained
a list of its client's workers' compen-
sation claimants and a list of equity
shareholders in the client's company.
The CD-ROMs appear to have been
stolen from the vehicle owned by the
employee of the accounting firm. The
workers' compensation information
contained names, claim numbers,
medical status, and date of loss. The
medical status information included
the employees' claim for injuries or ill-
nesses. No Social Security numbers
were involved. The partial equity roll
list contained names and Social Secu-
rity numbers.
This article offers strategies designed to
mitigate the threat of data breaches and
reduce potential liability for data-related
losses through contractual risk transfer
and insurance. It also includes guidelines
for mitigating damages and complying
with legal disclosure and notification re-
quirements in the event that confidential
information is compromised.
Preventive Strategies
In addition to required compliance with
professional standards on maintaining
client confidentiality, accountants are
required to comply with federal and
state privacy laws. A data security
breach can have devastating conse-
quences for accounting firms. Poten-
tial ramifications of a security breach
include damage to the firm's public
image and reputation, diminished cli-
ent confidence, and financial costs as-
sociated with the discovery, response,
and notification regarding a breach,
lost employee productivity, expenses
for credit monitoring, regulatory fines,
restitution, legal fees, and additional
security and audit requirements.
To reduce the likelihood of such an
occurrence, the following basic strat-
egies should be incorporated into the
firm's data security program:
Utilize an encryption system. Pass-
word protection of the firm's comput-
ers is necessary, but not sufficient, to
secure firm and client privacy. Confi-
dential data should be encrypted (i.e.,
readable only to those with the proper
electronic "key.") Under many breach
notification laws, the theft or loss of
encrypted data does not trigger the
duty to notify. However, notification
can be mandated if the loss of pass-
word-protected, unencrypted informa-
tion occurs.
Place controls on data storage and
access.
Clear, auditable, and enforce-
able policies controlling access to the
firm's information system should be
implemented to protect resources and
data from misuse by insiders, includ-
ing employees, independent contrac-
tors, vendors, and customers. Frequent
updates and upgrades of firewalls and
anti-virus systems can prevent unau-
thorized access to or corruption of data
by outsiders.
Protect Your Firm Against
Data Security Breaches
An increasing number of accounting firms have experienced data security breaches.
Consider the following examples and ask whether your firm may be vulnerable to
similar scenarios:
A hacker breaks into a firm's electronic files, exposing clients' confidential or
personal information.
A disgruntled employee of a firm steals clients' financial data, including social
security and credit card numbers.
A burglar breaks into a firm's office and steals its computers and backup drives.
An employee loses a laptop computer or flash drive containing clients'
confidential or personal information.
An employee surfs unprotected websites and gets spyware infections or uses a
personal webmail account and opens unsecured attachments.
1
"Chronology of Data Breaches," available for viewing at https://www.privacyrights.org/data-breach.
"Protect Your Firm Against Data Security Breaches" is available for access at www.cpai.com.
Copyright 2013 Continental Casualty Company. All rights reserved. Reprinted with permission.
u