background image
14
www.ctcpas.org
Regulate use of portable devices
and storage media.
According to
the Privacy Rights Clearinghouse, al-
most all accounting firm data security
breaches reported up to June 2008
involved laptop theft. Formal written
procedures governing the use, trans-
port and storage of laptops, disks,
flash drives, and other portable equip-
ment, therefore, should be established
and enforced. Users also should be
reminded that portable computers
represent prime targets for thieves.
Thus, the convenience of downloading
client data to a laptop computer must
be balanced against the possibility of
loss or theft. Avoid downloading cli-
ent information to a laptop computer
hard drive or portable flash drive un-
less employees are unable to access
the information from the firm's shared
drive, e.g., while performing audit field
work for that client. Even more impor-
tant is the need to delete client data
from these devices once it is no longer
needed to work remotely. Appropriate
sanitization techniques also should be
utilized when disposing of equipment
or media.
2
Most breaches to sensitive
data have resulted from the failure to
transfer this data to network systems
and delete it from portable devices.
Carefully dispose of old equipment
and outdated records.
Establish a
record retention policy to ensure that
only current, relevant records are re-
tained. Purge digital records in accor-
dance with the policy and document
the destruction. An effective means of
addressing the data exposure risk as-
sociated with obsolete computers and
storage media is to "scrub" old equip-
ment of all contents prior to its dispos-
al. Appropriate sanitization methods,
such as overwriting and degaussing,
should be used to remove information
from storage media.
Maintain a backup set of records
off-site.
By retaining an extra set of
records at a separate location or in
secure online storage, you can help
prevent large-scale data loss or cor-
ruption from a computer virus or other
system breach. Electronic data should
be backed up frequently, and process-
es should be instituted to back up the
data daily and automatically.
Communicate privacy and security
policies.
A sound internal communi-
cation strategy on the protection and
proper use of client information featur-
ing regular, comprehensive updates
can help increase awareness and miti-
gate the risk of lost or stolen data.
Third Party Vendors
Risk Transfer and Insurance
Increasingly, CPA firms are using cloud
computing and client portals to store
firm working papers and client records
in an effort to reduce costs associ-
ated with an in-house technology in-
frastructure. While this functionality is
becoming an industry standard, CPA
firms should be aware of the hidden
risks of allowing a third-party vendor
to manage and maintain the firm's and
their clients' data, and the associated
professional liability implications.
4
When outsourcing data storage to a
third party, a firm loses its ability to con-
trol the security of such data. A study
performed in 2012 reported that 41 per-
cent of reported data breaches were
caused by third parties, and that the
costs associated with these breaches
totaled $209 per record.
5
For this rea-
son, firms should consider contractual
risk transfer as a key element in ar-
rangements with third party vendors.
Whenever you entrust sensitive or non-
public personal information to such a
party, in addition to ensuring that the
third party is insured, you should re-
quire signed acknowledgment of the
following contractual protections:
An agreement regarding access to
and appropriate use of firm informa-
tion and networks, including com-
pliance with the firm's information
security standards.
Indemnification/hold harmless
agreements for all costs arising from
breaches of the third party's network
or the wrongful use of confidential
data by their employees, contrac-
tors, agents, or other associates.
Such agreements with third party ser-
vice providers should comply with the
requirements set forth in federal and
state privacy, confidentiality and se-
curity laws and regulations, as well as
applicable professional ethics codes.
6
When drafting contracts, it is important
to consult with an attorney experienced
in data security breach regulations.
The full range of damages associated
with a data security breach may not
be covered by the firm's general and
professional liability policies. Special-
ized insurance products are available
to address technology-related risks.
Consult with the firm's insurance ad-
visor about addressing any potential
gaps in the firm's coverage.
Post-Breach Response
If suspected that the firm's information
system has been targeted and client
information exposed, a rapid assess-
ment and mitigation of damage are im-
perative, as outlined below:
Evaluate the severity and scope of
the incident.
If a laptop computer or
other portable device is lost or stolen,
identify the data that may have been
exposed, and determine whether these
2
Sanitization is the process of removing information from media in a way which leaves no residual traces. It is commonly believed that erasing a file makes the data irretriev-
able National Institute of Standards and Technology IR 7298 Glossary of Key Information Security Terms.
3
Overwriting is an effective method for clearing data from magnetic media. As the name implies, overwriting uses a program to write (1s, 0s, or a combination) onto the media.
Common practice is to overwrite the media three times. Overwriting should not be confused with merely deleting the pointer to a file (which typically happens when a delete
command is used). Overwriting requires that the media be in working order National Institute of Standards and Technology Special Publication 800-12: An Introduction to
Computer Security The NIST Handbook.
4
For more information on risks associated with the use of cloud computing service providers and risk management tips, refer to the CNA authored article titled Professional
Liability Risk Related to Cloud Computing at www.cpai.com.
5
Ponemon Institute, "2011 Cost of Data Breach Study, United States," March 2012, pages 10 and 11.
6
Under Ethics Ruling No. 112 under Rule 102 Integrity and Objectivity, AICPA members are required to inform their clients of the use of third-party service providers prior to
disclosing confidential client information to the third-party provider. Refer to ET 391-1 of the AICPA Code of Professional Conduct, which requires AICPA members to enter
into a written confidentiality agreement with third-party service providers before disclosing confidential client information to the provider.
(continued)