Data protection laws are constantly evolving with new standards being released every year, Brie Allen, Esq., told the Eastern and Western Regional Meetings. Laws are changing on both the federal and state level. At the federal level there is a patchwork of requirements coming from the Federal Trade Commission, Department of Commerce, Department of Justice and the Federal Privacy Council. At the state level, all states have data breach notification requirements covering when a person’s data is released to third parties. Potentially a CPA firm doing business in multiple states would need to pay attention to all of those states’ laws, which include in the case of a breach providing notice to the state’s attorney general and other remedial steps. Ms. Allen pointed out that California has a new law that sets the “strictest requirements on the books,” covering when a firm processes personal information and shares it with a third party.

To give a very recent example of potential data breach, Barry Berkowitz (PA) reminded the Eastern Regional Meeting of the service outage from May 6-9, 2019 of Wolters Kluwer CCH, caused by malware. Wolters Kluwer, a Dutch company, claims 93 percent of the Fortune 500 companies are its customers, according to Bloomberg. The IRS gave taxpayers affected by the service interruption an additional seven days, until May 22, to file certain returns that had May 15 filing deadlines.

Mr. Berkowitz commented on June 12: “As recently as June 7, they were still confirming that no client data was breached…Just imagine what would have happened if this had occurred on April 6 and not May 6.”

Rick Reisig (MT) at the Western Regional reviewed the risk management steps his firm takes in respect to threats of data breach. These include: insurance coverage; employee training; backup procedures in the event of cyberattack; periodic third-party assessment and/or penetration testing; establishing information systems security policies and procedures; safeguarding physical information; and reviewing vendor due diligence procedures. He suggested the Boards point their licensees to the AICPA cybersecurity resource center as a starting point for learning vital information.

The American Bar Association has released model guidance for attorneys experiencing a data breach, Ms. Allen reported. It covers how to consult standards, prevent future breaches, notify clients and meet all 50 states’ requirements. The ABA has also approved a privacy law specialization.

Related News

Full Issue