and storage media. According to the Privacy Rights Clearinghouse, almost all accounting firm data security breaches reported up to June 2008 involved laptop theft. Formal written procedures governing the use, transport and storage of laptops, disks, flash drives, and other portable equipment, therefore, should be established and enforced. Users also should be reminded that portable computers represent prime targets for thieves. Thus, the convenience of downloading client data to a laptop computer must be balanced against the possibility of loss or theft. Avoid downloading client information to a laptop computer hard drive or portable flash drive unless employees are unable to access the information from the firm's shared drive, e.g., while performing audit field work for that client. Even more important is the need to delete client data from these devices once it is no longer needed to work remotely. Appropriate sanitization techniques also should be utilized when disposing of equipment.

transfer this data to network systems and delete it from portable devices.

and outdated records. Establish a record retention policy to ensure that only current, relevant records are retained. Purge digital records in accordance with the policy and document the destruction. An effective means of addressing the data exposure risk associated with obsolete computers and storage media is to "scrub" old equipment of all contents prior to its disposal. Appropriate sanitization methods, such as overwriting and degaussing, should be used to remove information from storage media.
off-site. By retaining an extra set of records at a separate location or in secure online storage, you can help prevent large-scale data loss or corruption from a computer virus or other system breach. Electronic data should be backed up frequently, and processes should be instituted to back up the data daily and automatically.

policies. A sound internal communication strategy on the protection and proper use of client information, featuring regular, comprehensive updates, can help increase awareness and mitigate the risk of lost or stolen data.
Risk Transfer and Insurance
computing and client portals to store firm working papers and client records in an effort to reduce costs associated with an in-house technology infrastructure. While this functionality is becoming an industry standard, CPA firms should be aware of the hidden risks of allowing a third-party vendor to manage and maintain the firm's and their clients' data, and the associated professional liability implications.

third party, a firm loses its ability to control the security of such data. A study performed in 2012 reported that 41 percent of reported data breaches were caused by third parties, and that the costs associated with these breaches totaled $209 per record.

risk transfer as a key element in arrangements with third-party vendors. Whenever you entrust sensitive or non-public personal information to such a party, in addition to ensuring that the quire signed acknowledgment of the following contractual protections:
and appropriate use of firm information and networks, including compliance with the firm's information
· Indemnification/hold harmless agreements for all costs arising from breaches of the third party's network or the wrongful use of confidential data by their employees, contractors, agents, or other associates.
vice providers should comply with the requirements set forth in federal and state privacy, confidentiality and security laws and regulations, as well as applicable professional ethics codes.

to consult with an attorney experienced in data security breach regulations.

with a data security breach may not be covered by the firm's general and professional liability policies. Specialized insurance products are available to address technology-related risks. Consult with the firm's insurance advisor about addressing any potential gaps in the firm's coverage.

system has been targeted and client information exposed, a rapid assessment and mitigation of damage are imperative, as outlined below:

the incident. If a laptop computer or other portable device is lost or stolen, identify the data that may have been exposed, and determine whether these
command is used). Overwriting requires that the media be in working order.
National Institute of Standards and Technology Special Publication 800-12: An Introduction to Computer Security: The NIST Handbook.
into a written confidentiality agreement with third-party service providers before disclosing confidential client information to the provider.