Serious about security

With nearly every state having either passed laws governing the electronic transfer of personal data or awaiting the passage of pending legislation, CPAs are looking more to data security and storage tools, and even engaging outside experts on how both they and their clients can remain protected.

"One way to think about [data security] even beyond the current laws is, if we started over today with everything we do with our data, what would we do?" proposed David Cieslak, a partner at Simi Valley, Calif.-based technology consultancy Arxis Technology. "Whatever you do, it has to be secure access first and convenience second. Today it makes sense for everyone, CPAs and businesses, to have some form of electronic file storage function and encrypted two-way portals for client/CPA use. Encryption with everything you touch; use encrypted devices and data folders."

The American Institute of CPAs, which has been tracking state and federal data security breach legislation, said at press time that there were only four U.S. states that did not yet have data security breach laws on the books - Alabama, Kentucky, New Mexico and South Dakota.

The strictest state laws belong to Massachusetts, California and Nevada, which have rules requiring security for covered data and notification of any breach of this information. Covered data could include first and last names, Social Security numbers, driver's license numbers or state ID card numbers, financial account numbers, credit or debit card numbers, access codes, personal ID numbers, or passwords that would permit access to an individual's financial account.

At the federal level, there are currently seven bills going through Congress that deal with data security and privacy. Most require the basic principles of privacy best practices, as well as breach notifications.

BAY STATE PRIVACY

Being headquartered in the most stringent state for data security laws has definitely had an impact on how Westborough, Mass.-based CCR conducts its practice.

The Massachusetts Privacy Law, which passed in March, mandates that any company that owns or licenses personal information - whether stored in electronic or paper form - about Massachusetts residents must comply with its privacy requirements, including notification of breaches and encryption of stored or transmitted personal data.

CCR has adjusted its internal policies on the issue and has been advising its clients to do likewise. "We went to certain seminars, saw people speak on the law, and we found a law firm to come in and address our firm's risk committee, which I serve on," said CCR partner Catherine Parente. "It gave us a good overview of the law and what we should be doing and advising our clients to do. We have clients all over, and the rules say that if they have any personally identifiable information in this state, they have to protect that data."

Parente explained that for the past few years, CCR had "rudimentary" data security and storage policies in place, such as using a portal with two-way capability as an option for clients to share and receive files. Now, they firmly encourage clients to utilize this method of file transfer, particularly around tax season. "Most clients still do want a paper copy of files and in the past we mailed and FedExed or put them on a disk for them, but portals are great for file sharing and more of our clients are doing that now," said Parente. "Some clients want files e-mailed too, but we discourage that. If we ever do e-mail a file, it is password-protected."

She also stressed that all of the firm's mobile and desktop devices are encrypted. In addition, the firm has a written information security plan that Parente and her team monitor and update as needed. Her team also educates staff on how and why data security measures are used. "Initially there was resistance to encrypting the PDAs, but we educated and explained that if someone picks up your PDA and you have data on there, that's a serious problem," said Parente. "There are more encrypted thumb drives available out there that can be wiped remotely; we use Iron Key, but I know there are others out there, and not that expensive either."

CHANGING SECURITY PARADIGMS

Los Angeles-based SingerLewak employs similar practices internally and externally for their clients in educating and implementing secure data technologies and practices.

Rick Mark, senior practice manager for the firm's technology services division, claims that the laws governing data security have stepped up many firms' efforts to keep information safe, including his. "We have done forensic and data recovery for 14 years, and we are taking that experience and putting that into any [software] implementation we do. Our customers are becoming more aware of their needs and appreciative we've been up to speed," said Mark. "A good number of the [data security] engagements we get involved in are a reactionary issue [to the new laws]."

Larger firms are also seeing more business in advising clients on data security risk and solutions, as well as best practices.

Bernie Wedge heads the Americas information technology risk and assurance practice at Ernst & Young, an Atlanta-based unit of the Big Four firm that has been working more with companies to help them assess their level of security and remain compliant.

"What we are seeing in this age of 'borderless' security is major technology transformations going on with our clients," explained Wedge. "The old paradigms of security have to be broadened. The outsiders are now the insiders, vendors and customers have more access to information, and you have to think of how you deal with that situation. The most requests we get are for security assessment. We look at where [clients] stand against industry best practices, as well as their own state rules."

The ITRA practice has a broad range of services for its clients, but has mainly been testing policies, checking system vulnerability, and instituting data leakage prevention programs. "Part of the challenge lately is that companies don't always know where all their data is. Sometimes it's in a database, a spreadsheet, or with vendors they deal with [in the cloud]," said Wedge. "We advise that companies define where their data is, inventory and understand what data is important, and assess how many systems it is in. We implement mechanisms to protect the data, and there are plenty of vendors that have tools to help watch data flow, though we tend to stay vendor-neutral."

SEEKING OUTSIDE HELP

Many firms themselves are seeking outside advice on how they can remain compliant and institute best practices. SecureState, a Cleveland-based information security assessments and protection services provider, has seen a notable increase in requests from CPAs for its assistance.

"CPA firms don't have enough experience with the financial impact of a security breach or noncompliance, so they have been coming to us to get educated. We also do penetration testing," said SecureState chief executive Ken Stasiak. "We have seen the legal profession secure their portals, but many accounting firms are lacking in technical security and protecting client data, storage, communications, and file sharing."

Stasiak advised that while firms are looking more to cloud-based solutions for data backup and storage, they could still be at risk, as data is often replicated in many different locations. "For some firms that's a good thing, but for others you may want to also keep files on a local server or your own online portal," he said. He also noted that firms should employ laptop encryption, application firewalls to protect their portals, and encrypted e-mail and thumb drives.

Michael Downey, an attorney at the St. Louis law firm of Hinshaw & Culbertson, has also been counseling more firms. "We say figure out what [client] information you have, where it is, how it's protected, and ask if it did get out would they be comfortable with the answer," he said. "It would be nice if someone had a list saying here's what you need to do and if you don't you are in violation. Smaller firms are definitely getting more in tune [with data security measures], tracking how information flows, and they are well-positioned to say to clients, 'Let's look at how you are handling information and protecting it.'"

Downey also advised that firms often forget to protect paper data, which although reduced, is still being generated and left unattended. "Nothing is 100 percent secure these days, so you have to ask if someone wants to get their hands on your client's information, how much work are you going to put them through to get it," he said.
