Best Practices for Accountants to Mitigate the Risks of Handling Customer Data

Long gone are the days of merely being able to lock a file cabinet or shred documents to protect customer data. Dedicated servers are now moved to the cloud, storing information online. Accountants and accounting firms must develop protocols to adequately protect customer data across all aspects of their businesses, addressing both cyber and physical data.

The Gramm-Leach-Bliley Act provides requirements for customer data that the accounting industry must follow. This act requires businesses to explain their information-sharing practices with their customers. It also requires them to safeguard customer data. The Safeguards Rule within the GLBA instructs businesses on how they must protect the consumer information they collect.[1]

There are three areas that the Safeguards Rule considers to be particularly important to information security. These areas are:

1. Employee management and training

2. Information systems

3. Detecting and managing system failures

While eliminating all risks isn’t possible, following regulations, industry standards, and best practices will mitigate your firm’s risks. Consider the following best practices to mitigate risk to your accounting company when handling or storing customer data. Refer to the Safeguards section of the GLBA.

Manage Employee Risks to Customer Data

Recognizing your employees are one of your greatest assets; unfortunately, they can also present your most significant data risk, whether through intentional or negligent acts.[2] Employers are legally responsible for the actions of their employees.[3] These employee risks fall into several categories.

Best Practices in Hiring, Monitoring, and Termination

When hiring, perform background checks on employees who will have access to customer data. Consider credit checks for sensitive positions as well. Make sure that employees sign a confidentiality agreement to keep customer data confidential and secure, during, and after they leave employment with your firm.

Have employees sign a document acknowledging that they are aware of company policies and procedures relating to your information security program. Periodically review these policies and procedures with your employees and make them aware of changes. Enforce disciplinary measures if an employee violates one of these policies.

If your company allows employees to work remotely, special provisions are critical for these circumstances. Ensure that the device the employee uses has the appropriate software to prevent unauthorized access. Consider encrypting customer information on these devices and require robust security procedures, including password or biometrics protection. Determine whether your company will allow for physical documents containing customer information to be removed from your premises. If this is allowed, develop policies and procedures addressing how these documents should be kept secure.

Unfortunately, the situation occasionally occurs when you might need to terminate an employee, or an employee decides to resign. In this event, it is a best practice to remove any access immediately these employees have to all systems and, most critically, to customer data.

Employee Training

Employees can inadvertently cause a data breach of your customer information through something as simple as clicking on a malicious link in an email or being tricked into sharing sensitive information such as their passwords. They can also result from negligent practices such as leaving passwords lying around.

Moss Adams, one of the largest firms in the country, experienced a data breach due to a compromised email account near the end of 2019.[4] While the full details of this data breach were not released, so far, the company has had to send letters to affected customers and offer identity monitoring services.

CPAs and accounting firms are at risk of social engineering schemes. Best practices include keeping your employees informed of emerging threats and practices. Teach your employees about social engineering and how to identify a phishing email. Consider hiring an outside company to perform social engineering penetration testing. If employees fall victim to this, use it as a teaching moment. Follow these policies from the top of the organization down. Creating a culture of compliance is critical to protecting customer data.

Ensure That Customer Data Is Stored and Transmitted Securely

The Safeguards Rule requires companies to develop a written information security plan that describes their program to protect customer information. To protect customer data, limit access to customer data from employees who do not or should not need to access it. Track where customer data is stored and keep adequate backups.

Physical Security

Store client data in areas protected from the elements such as water and fire. Information should be in a secure area that locks when unattended. Consider implementing a clean desk policy in your accounting firm in which employees are responsible for keeping all sensitive information secured when not in use. Even in a locked office or an office in which there are no customers, outside vendors such as cleaning companies can pose a threat to unsecured customer data.

Online Security

Some scenarios when transmitting information online is unavoidable, such as if a customer is electronically submitting tax paperwork to you. Ensure you and the client shares the information via a secure connection. Create a policy forbidding employees to send customer information through an unsecured email. Discourage customers from this practice, too, by requiring your client to send information to send via encryption.

Use industry-standard password requirements and require password changes regularly. Ensure employees are not writing their passwords in places that someone cand find and that they do not share these passwords with anyone, even others within the organization.  There are several secured applications available for saving and securing passwords.

Securely Dispose of Customer Information

The FTC disposal rule outlines your responsibilities in protecting customer data for disposal. Also, the Safeguards Rule lists practices to follow.[5]

It is a best practice to establish a record retention program. This program should include a log keeping track of what customer information you keep and where it is stored. It should document guidelines for disposal of client data, and it should log when destroyed.

Destroy physical records before disposing of them through methods such as shredding. If you don’t shred the records yourself, ensure the company you hire is reputable and follows sound procedures. There have been reports on the news of sensitive information being found in dumpsters, resulting in reputation risk for the associated companies.

Erase data on electronic devices. Erasure will need to be done by an IT professional. Even if you believe that you have erased all of the data, if not done correctly, confidential customer information could still be recovered.

Vet Your Vendors

Vendors are a critical component in today’s business world. As an accounting firm, you likely use several different vendors throughout your daily processes, from tax software to payment providers. Vendors with access to customer data are higher-risk, requiring an increased amount of due diligence.

The first step to ensure that your customers’ data will remain secure is to create an iron-clad security agreement. In this agreement, make sure that the vendor agrees to give you access to their security program and data security policies. Review these to make sure they meet your organization’s expectations. Require applicable vendors to have an SSAE-16, or a SOC 1 or 2 performed and to provide your company with the results.

Require disclosure by the vendor if they have experienced lawsuits arising from a data breach.  Also, inquire if the vendor was the victim of a breach. Require disclosure of any circumstances that occur after the execution of the agreement. Periodically monitor the vendor website and other sources.

Ensure the vendor employs regular, industry-standard security software and updates. You can even request a walk-through of the vendor’s location to ensure adequate physical security. Keep in mind that due diligence does not end with the initial vendor review. It is a best practice to perform periodic reviews on high-risk vendors.

Failure to Protect Customer Data

Compromised information is not only extremely inconvenient to your customer; it can also cause significant harm to your business. Failure to comply with the Gramm-Leach-Bliley Act can result in severe penalties. Penalties can include up to five years in prison, fines of up to $100,000 for an organization, or $10,000 for an officer or director.  The penalties apply for each violation!

In addition to penalties listed for not complying with GLBA, if you are responsible for exposing your customers’ data, your losses could be significantly higher. Your company could face reputation risk, financial loss, and lawsuits. Breaches on a large scale even garner class-action lawsuits. If not prevented, data breaches can happen to companies of any size.

Accounting is an industry that inherently deals regularly with sensitive customer data. Accountants typically require a customer’s Social Security number, which can be valuable information to bad actors, making accounting companies a target for cyberattacks. Creating a culture of compliance and stressing the importance of protecting customer data within your organization is critical.

Implement the best practices in this newsletter and review the FTC Safeguards Rule to reduce your business’s risk of compromising customer data. It is advisable to have an employee at your company who is familiar with the Gramm-Leach-Bliley Act or a consultant to assist. Following these guidelines will protect your customers, protect your company, and increase your company’s trustworthiness.

Sources:

[1]https://www.govtech.com/workforce/Workers-Pose-the-Biggest-Cybersecurity-Threat-Report-Says.html

[2]https://legal-dictionary.thefreedictionary.com/respondeat+superior

[3]https://www.ecfr.gov/cgi-bin/text-idx?SID=143c754f3d2f9b1155ab5faff281b490&mc=true&node=pt16.1.682&rgn=div5

Can We Be of Assistance?

We may be able to help you by providing referrals to consultants, and by providing guidance relative to insurance issues, and even to certain preventives, including the development and application of sound human resources management policies and procedures.

Please call on us for assistance.

We’re a member of the Professional Liability Agents Network (PLAN).

WE’RE HERE TO HELP!

Contact us at 800-969-4041 or click here to request a confidential evaluation of your insurance policies and risk management needs.