
CPAs Need a Defensible Breach Response Plan


Accounting firms are repositories of personal information and, as such, have become targets for criminal hackers; they are like an auto accident waiting to happen.

When you have a serious automobile accident, you have to report the accident to the local policing authorities. The police could make a determination as to who is at fault, and citations and fines could be issued. Of course, you want to report the accident to your insurance carrier to protect yourself from litigation, and you want to repair your vehicle. At some point, a determination is made as to who was at fault and who has the greatest liability; attorneys on both sides are always involved.

You will be asked for your current insurance card, your up-to-date license and registration. Your inspection sticker will be examined. You will have to show that all your records are up to date and in compliance with your state laws and regulations.

What happens when you have a cybersecurity data breach? Once you have recognized that your accounting firm has experienced a breach, under the notification laws in 47 states you have to notify state authorities, in most cases at least two agencies and in some cases three. If your firm conducts business in multiple states, perhaps even more. You will need to contact an attorney who specializes in the privacy area to guide you through the maze of requirements and defend your firm.

You will then have a definite and specific time limit to accomplish the state regulatory notification requirements and to prepare to notify all employees, clients or other affected parties. This is usually 60 days. Once you have notified the state or states, you will probably notify your insurance carrier because of the potential litigation, losses and damages your enterprise could be subjected to. At this point, reputation management becomes a serious issue.

The accident/breach has happened and you have reported it, so be prepared for a potential visit or audit by the regulators to ascertain responsibility and to determine whether there have been any violations of state laws.

Ask yourself the following:

  • What compliance documents do you have in place?
  • What are your privacy or Breach Notification policies?
  • Do you have a Written Information Security Program (WISP) in place and operating?
  • Where do you keep your proof of employee training, your comprehensive Defensible Breach Plan, and similar records?
  • What are you doing in the Cybersecurity arena to develop a defensible breach approach to manage and limit your potential exposure?

In the case of your automobile, there is a long history of defensible ways to manage and limit firm or personal exposure: Insurance (liability/collision), proper maintenance, state inspection up to date, registration and license up to date, driving classes and more.

Reports are showing that the number of breaches affecting accounting firms and small enterprises is rising dramatically, while the number of breaches affecting very large firms and enterprises is dropping. Large firms and enterprises have the manpower, expertise, money and resources to develop cyber policies and defensible breach procedures. Small accounting firms and enterprises do not, so the criminal hackers are going where entry is easiest and most profitable for them: entry is easy because controls are not in place.

Much like the disaster recovery plans that are becoming more popular for firms as a result of climate emergencies, Defensible Breach Response Plans and WISP plans are necessary for the reality of regulatory and/or litigation scrutiny. Criminal hackers, when breaking into a firm's systems, will often leave proof that they were in your computer system and show that they have had, or can have, complete access to personal information as well as sensitive data and intellectual property.

In today’s environment, your firm could expect a federal or state regulatory agency visit and there could be a class action suit or some type of litigation as a result… as has happened repeatedly in recent months.

What you have done regarding your firm's systems and what you are doing concerning the incident should be looked at very carefully. The actions your firm takes because of a breach will be closely examined, and your firm needs to be prepared for this eventuality.

Alan Heyman, CEO of the SMLR Group, Inc., has more than 30 years in the data communication world, having started one of the first Internet-based Electronic Data Interchange (EDI) companies in the late 80's. Heyman is a recognized expert in many phases of cybersecurity compliance, as well as procedures, privacy matters, and breach responsiveness compliance. SMLR Group has numerous clients, from regional banks to large financial services organizations, concerned with compliance issues as well as security issues.

