James Bourke

Privacy Management

Privacy Management — number two on the 2009 AICPA’s Top Technology Initiatives list — is one of the most-talked about issues when it comes to the transmission of client data.

March 5, 2009
by James Bourke, CPA.CITP

The AICPA describes Privacy Management as:

“The right to privacy is a commonly assumed fact, and failure to protect sensitive information can cause serious damage to an organization's reputation and subject it to legal penalties.  Privacy Management involves the strategies and safeguards used to protect the privacy of an organization’s records that include resources, restricted assets, personnel, client and customer personally identifiable information. Safeguards are enforced so that this information cannot be released to or accessed by unauthorized subjects. The initiative includes complying with local, national and international laws.”

In today’s CPA firm environment, nearly every piece of client data is either stored or has the capability of being printed and stored in digital format. Whether your firm specializes in tax preparation, financial statement preparation, litigation support, consulting or special projects, everything from the workpapers to the final deliverable has the capability of being easily stored digitally.

With this ease of storage and accessibility, all too often we are tempted to drag and drop many of these private and sometimes sensitive documents into e-mails and onto memory sticks, external storage devices, Smartphones, etc. As we do this, we take these documents out of their “sometimes” secure environments and place them into situations in which such data may be at risk of loss or breach.

Nearly every state across the country has enacted some form of legislation that serves to protect the privacy of its residents. The chart below is published on the AICPA’s Information Technology Center Web site and shows the current status of legislation enacted and pending across the country.

With California taking the lead in 2003, many states have followed with rules and regulations that are as protective as those originally passed by California.

As of today, Massachusetts is taking the lead amongst the states, with the most aggressive legislation in the world of privacy. If your company “owns, licenses, stores or maintains” personal information about Massachusetts residents, then the new rules in Massachusetts impose specific information security requirements that may call for your company to increase its standard of care.

Massachusetts’ new rule covers “personal information” of both consumers and employees, defined as a Massachusetts resident’s name in combination with his or her Social Security number, driver’s license or state ID card number or financial account, credit or debit card number that would permit access to the resident’s financial account. The rule applies to both paper and electronic records, but does not apply to publicly-available information.

Covered entities must develop, implement, maintain and monitor a comprehensive written information-security program that is reasonably consistent with industry standards and that contains administrative, technical and physical safeguards to ensure that security and confidentiality of records that contain personal information. The safeguards must be consistent with any safeguards required by other federal or state regulations to which the entity is subject.

Many of the new rules in the state of Massachusetts went into effect on January 1, 2009. However, the deadline for ensuring encryption of laptops has been extended from January 1, 2009 to May 1, 2009, and the deadline for ensuring encryption of other portable devices has been suspended until January 1, 2010.

So right now you are saying to yourself: “My firm is not located in the state of Massachusetts so this does not apply to me,” Right? Wrong! Many CPAs have clients who stretch beyond the borders in which they practice. Your firm does not necessarily need to be located in the state of Massachusetts for these rules to apply. The simple fact that you have data belonging to residents of that state now subject your firm to comply with the rules covering any dealings with those residents.


Don’t take the new rules lightly. Many states impose significant and painful penalties for violations. When it comes to reputation, the last thing your firm needs especially in the current environment, is the recognition that client data that it maintains may have encountered a breach in security. The fines and penalties, litigation costs, mandatory credit reporting for those potentially at risk and other related costs, could destroy your firm’s reputation, as well as jeopardize its ability to continue to exist.

So how do you protect yourself and your firm? The best way is through education. First, familiarize yourself with the privacy laws that are in place in your home state. Next, familiarize yourself with the privacy laws that are in place in the states in which your clients reside. There are tremendous resources available to assist you in this process including AICPA’s Infotech Web site.

Rate this article 5 (excellent) to 1 (poor). Send your responses here.

James C. Bourke, CPA.CITP, is a Partner at WithumSmith+Brown where he is Director of Firm Technology. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and the Chair of the AICPA CITP Credential Committee. He was recently named by Accounting Today as one of the Top 100 Most Influential People in the Profession.