The Issue of Privacy


(Page 1 of 2)

For accountants, the issue of privacy has grown from an internal matter of safeguarding client data to the more challenging issue of helping corporate and organizational clients maintain a firm ethical stance. "You can't practice accounting today without a well-grounded privacy program in your own firm," says Ed Agee, whose CPA firm of Agee Fisher in Atlanta focuses on family-owned and private companies. "We started with the basics of shredding all our documents and maintaining confidentiality, but as the technologies of accounting expand, our privacy toolkit has had to expand as well. Today, we use internal audits of our IT system, sophisticated firewall and anti-virus programs, and even encryption for our filing and email systems."

"Even more important than a physical or technical firewall," he said, "is the professional firewall that is built and maintained around the client's data. And today, it is equally important to extend that professional firewall to the information-handling practices of our clients."

Agee, who helps clients develop privacy policies, says that one major problem is knowledge, because small companies simply aren't sufficiently aware of the issues. The other, larger side of privacy-issues related to the client's privacy policies and procedures-have only lately come to the fore, largely due to media attention and well-publicized failures of companies to keep information secure, he continues.

Partner Insights

"For a billion-dollar corporation, privacy has been an issue for some time," says Agee. "Now it is becoming an issue for the $100-million corporations as well. For ethical companies, the challenge is in developing the structure, the internal controls and the accountability to manage privacy in a way that you are protected against any abuse of customer information, even by a single employee. It has become a cultural issue within each organization."

Effective privacy policies have become the benchmark of ethical business behavior for companies of every size, and accountants have become the guardians of that benchmark.

A Privacy Law Scorecard

It is not possible to quickly cover the entire legal landscape regarding privacy, particularly given that it changes almost daily as new laws are formulated and court decisions announced. Unlike the comprehensive privacy laws of other nations, the U.S. has elected to provide privacy protections on a sector-by-sector basis.

The major federal U.S. laws covering privacy are:

* The Privacy Act of 1974, which covers the use of personal information by agencies of the U.S. government.

* The Fair Credit Reporting Act of 1970, enhanced by the Gramm-Leach-Bliley Act, which cover the use of personal data by financial institutions.

* The Cable Communications Policy Act of 1984, which guarantees privacy in viewing information and content over cable television.

* The Electronic Communications Privacy Act of 1986, covering protection of electronic communications such as email.

* The Video Privacy Protection Act of 1988, which provides similar protections for rental of video information and content.

* The Telephone Consumer Protection Act of 1994, which protects against invasion of privacy in the home
by telemarketers.

* The Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and the associated privacy rule issued by the U.S. Department of Health and Human Services, which protects the use and disclosure of personal medical information.

* The Family Educational Rights and Privacy Act (FERPA), which protects student information.

While these are the major federal laws protecting privacy, there are myriad state laws that also provide protections, as well as federal and state laws that limit privacy rights in the name of law enforcement and community protection. Notable among these are the laws of California, which makes it a specific and guaranteed right under the state constitution.

In addition, the laws are in a constant state of flux as privacy becomes an issue serious to American consumers. For example, in the current session of Congress, 485 new bills were introduced dealing with aspects of privacy. Of these, 193 were considered on the floor for a vote, and 16 were sent to the president for signature. These included the Can-Spam Act of 2003, which limits the ability of businesses to send unsolicited commercial electronic mail to consumers.

"In the age of Enron and other corporate misdeeds, the abuse of consumer information is limited only by the commitments of organizations to ethical standards," notes Jeffrey Zalusky, managing director of UHY Advisors' Washington, D.C. offices "When ethics are in question, privacy must also be in question."

What Is Privacy?

From a legal standpoint, the protection of privacy encompasses four elements:

* Unreasonable intrusion upon the seclusion of another.

* Appropriation of a person's name or likeness.

* Publication of private facts, for example, income tax data, sexual relations, personal letters, family quarrels, medical treatment, or photographs of a person in his home.

* Publication of information that places a person in a false light, which is similar to defamation.

Even here, the rules are not always clear. While the protection against unreasonable intrusion on seclusion is generally recognized, it applies only to the secret or surreptitious invasion of privacy. Privacy in the United States is not constitutionally guaranteed in the same way that free speech and the right to vote are guaranteed.

In other parts of the world, privacy is guaranteed-the European Union, for example, passed the Data Protection Directive in 1998, and Australia passed a Privacy Act in 1988 that outlines 11 specific areas in which personal information is protected. These nations and others view the U.S. approach as insufficient, which has led to greater requirements and risk for U.S. firms doing business overseas.

But in some ways, the issue of privacy has not changed as far as CPAs are concerned, says Ric Rosario, vice president of risk management for Camico, a Redwood City Calif.-based insuror.

"A CPA is not allowed to divulge information without client permission or court order. That is the fundamental rule that is more stringent than anything that has come along," he says.

So when it comes to disclosing client information, the rules are basically the same-practitioners must be vigilant about to whom they give client data. When it comes to print, there are issues about disclosing data when spouses are going through a divorce and a third party wants information, or if a company employee shows up at an accountant's office demanding copies of his company's information. The CPA needs to know that the person asking for the information has a right to it.

"You were not allowed to leave working papers in your car," says Rosario. "If you translate that into an electronic environment, you don't leave a laptop there either."

The big differences in the Internet environment are identity theft and the speed at which stolen information can be distributed. But in these days of hackers and spammers, just how much care must the CPA employ in protecting data? Must firms adhere to a certain minimum regarding the installation of firewalls and anti-virus software? Could a firm that has failed to upgrade to a new version of existing software be held liable if an intruder breaches security and steals data?

"The standard has yet to be proven in court," says Rosario. "There would be an expectation that there would be a standard of care within the walls of the firm. You've been entrusted with clients' information. There would be some minimal standard of care."

No matter what steps the firm has taken, it must be able to articulate what its policies and protections were if a data is stolen. "If the answer is, 'I don't know,' then you are going to have a problem," Rosario says.

Regardless of the strictures CPAs labor under, others have been emerging. Congress and many states responded with legislation to safeguard privacy, the threat of anti-spam legislation subsided, and the privacy issue seemed to abate. But in 2003 it blossomed again when Congress adopted the Can-Spam Act, seeking to limit the growth of spam emails by requiring businesses to document a relationship with each customer.

When the Can-Spam Act took effect earlier this year, privacy was already under assault from two other sources. First, the use of computers to store data-sometimes with minimal security, and always vulnerable to new hacks-made it increasingly difficult to safeguard the massive amounts of data that were being collected.

The Privacy Framework

All those companies are potential clients of CPAs for providing audit services of privacy policies-at least, that's the view of the American Institute of CPAs in establishing the Privacy Framework in partnership with the Canadian Institute of Chartered Accountants

The Privacy Framework: Spelling it Out

The AICPA's Privacy Framework defines the role of the CPA in providing privacy services.

The process is outlined this way: "If an organization collects, uses, retains, and discloses personal information, the challenge is to enhance the trust relationships with consumers, customers, employees, and third parties, as well as to comply with privacy laws and regulations and good fair information practices. "A CPA/CA can help an organization address privacy issues by:

* Developing a privacy strategy and plan.

* Providing privacy advice, recommendations, and training relating to one or more of the privacy components.

* Preparing or evaluating privacy policies and procedures.

Comments (0)

Be the first to comment on this post using the section below.

Add Your Comments:
Not Registered?
You must be registered to post a comment. Click here to register.
Already registered? Log in here
Please note you must now log in with your email address and password.

Register now for FREE site access and more