
Professional Liability Risks Related to Cloud Computing

October 10, 2022

By Stan Sterna

Cloud technologies and other online collaboration tools have become a staple for CPA firms. These technologies and tools, along with online document management portals, provide CPA firms and their clients 24/7, on-demand, anytime anywhere, data exchange, organization and storage capabilities to manage important documentation and business needs. Just as importantly, they help reduce costs associated with in-house hardware purchases and direct software licensing and provide for easy collaboration among a CPA firm's team members.

Despite their attractiveness, cloud technologies are not a panacea, and CPA firms should have an understanding of and respect for the professional, legal and regulatory obligations around securing client data. A lack of understanding can have professional and cyber liability implications for the CPA firm.

Indeed, the risks of unauthorized disclosure of sensitive client and firm data by cloud vendors can be significant and catch even the most savvy businesses off guard. Consider the 2021 LinkedIn breach resulting in sensitive user data being posted to the dark web, or the 2021 Accenture breach that resulted in the theft of proprietary corporate data, a breach of customer systems and a demand for a $50 million ransom. In 2019, Facebook experienced a breach resulting in users' personal data being posted to public databases. Professional services firms are not immune from these threats given their bounty of sensitive client information.

Consequently, CPAs must fully understand the professional obligations related to information privacy and security, as well as the risks associated with leveraging cloud computing technology before venturing into this area.

Professional Responsibilities

Professional Obligations

The Confidential Client Information Rule (ET §1.700.001) of the AICPA Code of Professional Conduct (the Code) states that a CPA shall not disclose any confidential client information without the specific consent of the client. In addition, Internal Revenue Code (IRC) §7216 prohibits anyone involved in the preparation of U.S. income tax returns from knowingly or recklessly disclosing or using the tax-related information provided other than in connection with the preparation of such returns. Practitioners who violate this IRC provision may be subject to fines or imprisonment.

While applicable professional standards are not intended to prohibit a CPA from utilizing third-party cloud computing service providers, the Code identifies relevant obligations of the CPA:

  • Enter into a contractual agreement with the third party regarding the confidentiality of client information[1].
  • Take steps to reasonably assure him/herself that the third party has appropriate procedures in place to maintain confidentiality[1].
  • Disclose the use of third-party service providers to its clients, preferably in writing, before disclosing confidential information to the third party[2]. Note that while client consent, depending on the nature of the third party's services and other procedures performed by the CPA, may not always be required, it is strongly recommended given the sensitivity surrounding the privacy and security of data.

The obligations noted in IRC §7216 differ slightly from the Code of Professional Conduct. IRC §7216 provides an exemption from the law for tax return preparers who disclose taxpayer information to a third party for the purpose of having that third party process the return, unless that third party is located offshore. However, CPAs should make third-party providers to which they have supplied protected client information aware of the requirements of IRC §7216. Even if there is no requirement in §7216 or its regulations for a CPA to inform the client that a third-party provider is being used, best practice and the sections of the Code noted above indicate notification should be made.

Laws and Regulations

CPAs must comply with relevant state privacy laws and related breach notification requirements. Currently, all 50 states, the District of Columbia, Guam, Puerto Rico and the Virgin Islands have breach notification statutes applying to disclosures of sensitive information, and they impose data security requirements on entities operating in the state or holding data about state residents. If data stored by a cloud vendor is compromised, under state privacy and security laws the cloud vendor is responsible only for notification to the data owner (the CPA firm), not to the CPA's individual clients. Once the CPA becomes aware of a potential privacy breach, he/she is ultimately responsible for responding to the breach on behalf of their clients, as well as for compliance with state breach notification statutes.

In addition, CPA firms that provide services to health care providers or health care plans are subject to the privacy and security rules contained in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act, as amended in 2021. Firms with access to protected health information, such as patient billing records, are business associates as defined in HIPAA, and, based on the passage of HITECH, are subject to the same privacy and breach notification requirements as their health care clients. Consequently, CPA firms are subject to potential civil and criminal penalties and prosecution for violation of the federal health care privacy laws. CPA firms that utilize third-party service providers to store protected health information may be held responsible for the violations of their third-party service providers.

Costs of compliance to respond to a data breach can be significant and can include notification to clients, the provision of credit monitoring services for a period of time, and more. Insurance coverage for data breaches varies and may involve a practitioner's professional liability or another specialized policy. Practitioners should confer with their professional liability insurance agent or broker regarding the application of insurance coverage to data breaches.

Risk Control Considerations

There are several practical actions CPAs can take to help ensure compliance with professional standards and laws, and to help safeguard client information.

1. Conduct Due Diligence

CPAs should investigate vendors thoroughly before making a selection. Information should be obtained related to the financial stability of the vendor, the processes and controls the vendor utilizes to protect data, and how and where data will be stored and backed up. The CPA should review these competencies prior to entering into any contract with the vendor. The location of data storage is also important. For example, if the vendor's data storage resides outside the U.S., the CPA may be subject to liability in the country in which the data is stored. In addition, the ability to produce data in a timely manner may be affected, and the laws of the relevant country may not provide adequate protection.

The use of strong encryption technology is essential to protecting the confidentiality of data stored with a cloud vendor. CPAs should understand what encryption technology is used by the cloud vendor.

Service Organization Control (SOC 2) reports issued under the guidance of the AICPA Statements on Standards for Attestation Engagements address a service provider's controls over a system's security, processing integrity, privacy, confidentiality and availability. CPAs should obtain and review the SOC 2 report for the prospective cloud vendor as it provides valuable information that CPAs may utilize to assess and address the risks associated with an outsourced service.

Diligence procedures performed, results obtained and the CPA's evaluation of the vendor should be thoroughly documented. Initial and subsequent periodic evaluations to confirm the initial assessment are recommended. Documenting the investigations undertaken helps demonstrate compliance with the Code of Professional Conduct and helps protect the CPA if questions arise.

The Code states that a CPA should take steps to reasonably assure him/herself that the third party has appropriate procedures in place to maintain confidentiality. While there is no clear definition or determination of what is considered reasonable, the CPA should utilize professional judgment. The greater the sensitivity of client information, degree of data complexity, volume of data, or reliance on the cloud vendor, the more thorough the CPA's diligence efforts should be.

2. Put It In Writing

Key commercial terms with the vendor should be agreed to in writing via a service level agreement or other contract that outlines the terms, the services provided by the vendor, the metrics by which that service is measured, and the remedies or penalties, if any, if the agreed-upon service terms are not achieved. The CPA should not blindly accept the vendor's terms and conditions without reviewing them in detail to verify the inclusion of key contract terms in the service level agreement. An attorney can assist with this review. While vendor terms are not always negotiable, vendors will sometimes entertain reasonable negotiations. CPAs should not engage any vendor whose terms would be viewed as "unreasonable" or who attempts to disclaim liability for its own errors, omissions or neglect.

3. Tell Your Client

CPAs should inform clients of their use of cloud service providers and obtain written consent from the client before providing client files and documents to the provider. The inclusion of specific language in the engagement letter is an ideal way of obtaining client consent. While professional standards do not require CPAs to obtain written consent from the client, this is a recommended practice. Note that IRC §7216 requires, in certain circumstances, that the client's written consent be obtained prior to proceeding.

To help avoid misunderstandings with clients, the CPA should be responsive to client inquiries regarding the vendor's data security controls and questions about the use of client data in the cloud.

Conclusion

While cloud computing can be attractive for many reasons, CPAs should not adopt it simply for the sake of using the latest technology. The benefits of cloud computing should be weighed against the needs of the practice and the ability of the CPA to control the associated professional liability risk.

Additionally, CPA firms must ensure they have a robust disaster recovery plan and system infrastructure that is as secure as possible, and they should invest in prevention and detection technologies. Buying cybersecurity insurance is another step you can take to help ensure recovery.

Stan Sterna is a vice president with Aon Insurance Services, the broker and national administrator for the AICPA Member Insurance Programs, the nation's largest professional liability program for CPAs and the pioneer of cyber coverage for CPAs.

This information is produced and presented by CNA, which is solely responsible for its content. Continental Casualty Company, a member of the CNA group of insurance companies, is the underwriter of the AICPA Professional Liability Insurance Program.

The purpose of this article is to provide information, rather than advice or opinion. It is accurate to the best of the author's knowledge as of the date of the article. Accordingly, this article should not be viewed as a substitute for the guidance and recommendations of a retained professional. In addition, CNA does not endorse any coverages, systems, processes or protocols addressed herein unless they are produced or created by CNA.

Any references to non-CNA websites are provided solely for convenience, and CNA disclaims any responsibility with respect to such websites.

Examples are for illustrative purposes only and not intended to establish any standards of care, serve as legal advice, or acknowledge any given factual situation is covered under any CNA insurance policy. The relevant insurance policy provides actual terms, coverages, amounts, conditions, and exclusions for an insured. All products and services may not be available in all states and may be subject to change without notice.

“CNA” is a registered trademark of CNA Financial Corporation. Certain CNA Financial Corporation subsidiaries use the “CNA” trademark in connection with insurance underwriting and claim activities.

Copyright © 2022 CNA. All rights reserved.

[1] See paragraph .02a of ET §1.700.040, Disclosing Information to a Third-Party Service Provider.

[2] See paragraph .02 of ET §1.150.040, Use of a Third-Party Service Provider, and paragraph .02a of ET §1.700.040.