The news this week about the massive hacking and identity theft of credit card data should raise concerns at CPA firms about how good a job they’re doing at protecting client information.

A Miami computer hacker named Albert Gonzalez has been indicted for collaborating with two Russian accomplices to steal the information on more than 130 million credit and debit card accounts. Gonzalez apparently had been detained back in 2003 for his previous activities, but the feds released him after he worked as an informant to help them build a case against a group of fellow hackers. Unbeknownst to them, he simply relocated to Florida and went back to his old ways, enabling him to throw a $75,000 party to celebrate his own birthday.

While Gonzalez was mainly targeting retailers like TJ Maxx, 7-Eleven, and Hannaford, and payment processors like Heartland Payment Systems, accounting firms should still sit up and take notice. Companies can set up all kinds of elaborate security systems and still fall prey to hackers. Accounting firms too have a fiduciary duty to safeguard the security of their clients’ data, and it’s all too easy for the information to fall into the wrong hands.

One danger has been the increasing trend toward Web-based access to accounting data. While such systems make it much more convenient for accountants to work remotely, they also expose the information to many more touch points than it previously passed through, and to more opportunities for the data to be accessed surreptitiously. The Wall Street Journal’s account of the Gonzalez case mentions the explosion in cases of wire fraud in recent years as wire transfers are increasingly conducted over the Internet.

The same can be said of accounting. The trend toward cloud-based computing, with its use of whatever servers and resources happen to be available in the “cloud,” could eventually spell trouble. Of course, data is still hackable even on a stand-alone computer not connected to a network: just insert a writeable CD or a USB drive. But by adding Internet access to the accounting system, that system becomes that much more vulnerable. Simple password protection is not going to deter an experienced hacker.

The Federal Trade Commission has thrice delayed the implementation of a so-called “Red Flags Rule” that requires creditors and financial institutions to adopt written identity theft prevention programs, giving them more time to put those safeguards in place. So far, it hasn’t been easy, especially for small businesses that provide credit to customers, and the new deadline is November 1 of this year. The AICPA has asked the FTC to exempt CPAs from certain provisions of the Red Flags Rule.

“We are concerned with the potentially broad application of the Red Flags Rule to the accounting profession, and do not believe that there is any reasonably foreseeable risk of identity theft when CPA clients are billed for services rendered,” AICPA president and CEO Barry Melancon wrote to the FTC earlier this month.

He argued that the burdens associated with the rule’s requirements outweigh the risks. The AICPA is asking state CPA societies to also write to the FTC and ask for the exemption.

Even if the exemption is granted, CPA firms will still need to do a better job of safeguarding their clients’ personal information. The risks are all too real, and for many people all too financially damaging.