Concerns over the safety and security of client data, as well as their own data, have increased among CPAs recently.

These fears, coupled with the rise in state and federal regulations concerning the electronic transfer of unencrypted data - not to mention the high cost of violating these rules - have more CPA firms turning to data security software and services for assistance.

The first such law governing the transfer of unencrypted data was passed in California in 2003; currently, 44 states and the District of Columbia have some form of the law that protects state residents, regardless of where the data breach occurred. Most states now provide for a civil or criminal penalty for willful failure to notify a customer of a breach. Penalties for violating data security rules can reach as high as $500,000, though according to the Identity Theft Resource Center, a nonprofit group that assists ID theft victims, the average cost per record breached is $202.

"Up to 86 percent of U.S. medium-sized businesses reported a security breach or data loss in the last 12 months," said Nichelle McKenzie, a research analyst at New York-based technology consulting concern Access Markets International Partners Inc. "The cost to these companies is about $7,000 per year."


For the CPA community at large, continued education on these issues is what's needed most, and it is what technology consultants like Randy Johnston are trying to provide.

"Generally, the clients are not asking the CPAs for help on this issue, as many of them already have systems in place to deal with their businesses," Johnston said. "As soon as CPA firms understand the issue, and the potential liability, they will act."

In addition, in response to growing demand from CPAs, the American Institute of CPAs, through its IT Section, has been providing a tremendous amount of content, including guidance, best practices, webinars, direct links to federal and state regulations, and a continually updated map depicting states with security breach legislation.

"CPA firms are absolutely concerned and affected by these rules," echoed Jim Bourke, a partner, CPA and Certified Information Technology Professional at Red Bank, N.J.-based WithumSmith+Brown. Bourke also chairs the CITP accreditation board.

Bourke said that WSB strictly prohibits the e-mailing of private client data to third parties. Instead of taking the encrypted e-mail route, they chose to establish client portals. The client portal is a secure and locked-down site, accessible by clients 24/7, containing all of their confidential and personal data.

"We've seen a tremendous increase in the volume of data being exchanged between our clients and our staff," noted Mark Baker, chief information officer at Milwaukee-based CPA and tech consulting firm Wipfli. "The real concern and greatest risk lies with the human factor. Social engineering (tricking a user into doing something through seemingly legitimate means) or accidental errors (wrong e-mail address, accidental loss, etc.) are impossible to foolproof," he said.

Baker said that the increased compliance requirements and increased sophistication of privacy theft techniques make it difficult to keep up with how best to address the issue. Wipfli currently has in place enhanced security policies and procedures, a continuing education program for its associates, and plans to roll out enhancements to its information security policy after tax season.


Data storage companies like Millis, Mass.-based Kanguru Solutions are seeing significant growth in their business from the CPA community. Over the past few years, and especially the past six months, Kanguru has seen a large spike in its data storage business - particularly from the CPA channel. Nate Cote, Kanguru's vice president of product management, noted that his company's flash drive has been in high demand. "Essentially if you are part of a 10-person CPA firm going out in the field, you won't have to bug the IT department [for passwords or connection], you just plug and go," Cote explained. "A splash screen comes up, you get asked for a password, then it opens a new drive, drag and drop, you close it and leave. And if it's lost, the drive will delete itself if the password is entered incorrectly too many times."

Atlanta-based nuBridges Inc. provides data security for stored data - like applications and database files - and for data in transit. "We give companies a safe harbor by encrypting the information and securing the encryption keys to the data, meaning that if the data is compromised/breached, it's useless to whoever gets it," according to vice president of product services Gary Palgon.

Palgon suggested that CPAs should look to their own application providers for the initial security of documents, assuming it's a CPA-centric application and not just, for example, Microsoft Office documents. For the latter, they have to use other forms of security on those documents, for which there are a few vendors and solutions on the market.

Other kinds of data security products on the market that are gaining popularity include secure e-mail services and file storage and transfer services like Newark, Calif.-based LeapFile Inc. and Raleigh, N.C.-based ShareFile, especially for those organizations that don't have the IT infrastructure to set up and maintain secure client portals for secure collaboration and exchange.

"Organizations must do some upfront homework, however, to confirm that the third parties they intend to work with are reputable and have the appropriate policies, procedures, steps and certifications to ensure data is handled confidentially," said David Cieslak, principal at Simi Valley, Calif.-based consultancy Arxis Technology Inc.

He claims that if firms are handling client data well, it's not uncommon for clients to ask for recommendations: "After all, CPAs are trusted advisors, and if they have done their due diligence regarding a third-party offering, then clients are happy to take advantage of their CPA's perspective and recommendations," Cieslak said.
