James Bourke

Security Breach Laws and What a CPA Needs to Know About Privacy

Why every CPA, from the sole practitioner to those practicing within large international firms, must become knowledgeable of the rules surrounding privacy and confidentiality.

August 22, 2011
by James Bourke, CPA.CITP


Today, privacy includes the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure and disposal of personal information. That personal information today sits all over the firm: on internal file servers, desktops, laptops, mobile devices, smartphones, copiers and more, including hard copy in filing cabinets, as some CPA firms still rely on paper files.

The AICPA definition of this initiative is:

“The right to privacy is a commonly assumed fact and failure to protect sensitive information can cause serious damage to an organization's reputation and subject it to legal penalties. Privacy Management involves the strategies and safeguards used to protect the privacy of an organization’s records that include resources, restricted assets, personnel, client and customer personally identifiable information. Safeguards are enforced so that this information cannot be released to or accessed by unauthorized subjects. The initiative includes complying with local, national and international laws.”

In today’s CPA firm environment, nearly every piece of client data is either stored or has the capability of being printed and stored in digital format. Whether the firm specializes in tax preparation, financial statement preparation, litigation support, consulting or special projects, everything from the workpapers to the final deliverable has the capability of easily being stored digitally.

With this ease of storage and accessibility, all too often we are tempted to drag and drop many of these private and sometimes sensitive documents into e-mails, onto memory sticks, into external storage devices and smartphones among others. As we do this, we take these documents out of their “sometimes” secure environments and place them into situations in which such data may be at risk of loss or breach. More often than not, that data may also include personal information that is protected under laws that currently exist across the country or internationally.

Nearly every state across the country has enacted some form of legislation that serves to protect the privacy of its residents. See the table, which shows that only four states currently have no privacy regulations in place.

With California taking the lead in 2003, many states have followed with rules and regulations that are as protective as, if not more protective than, those originally passed in California.

As of today, Massachusetts still takes the lead among states with the most stringent and protective privacy regulations. If your firm “owns, licenses, stores or maintains” personal information about Massachusetts residents, then the new rules in that state impose specific security requirements on your firm that may require you to increase its standard of care substantially.

The regulations in Massachusetts cover “personal information” of both consumers and employees, defined as a Massachusetts resident’s name in combination with his or her Social Security number, driver’s license or state ID card number or financial account or credit or debit card number that would permit access to the resident’s financial account. The rule applies to both paper and electronic records, but does not apply to publicly available information.

Covered entities must develop, implement, maintain and monitor a comprehensive written information-security program that is reasonably consistent with industry standards and contains administrative, technical and physical safeguards to ensure the security and confidentiality of records that contain personal information. The safeguards must be consistent with any safeguards required by other federal or state regulations to which the entity is subject.

So right now you are saying to yourself: “My firm is not located in the State of Massachusetts, this does not apply to me … right?” Wrong! Many CPAs have clients that stretch beyond the borders where they practice. The firm does not necessarily need to be located within the state of Massachusetts for these rules to apply. The fact that you have data belonging to residents of Massachusetts now subjects your firm to compliance with the rules covering any dealings with those residents.

Don’t take the new rules lightly. Many states impose significant and painful penalties for violations. In the current environment when it comes to reputation, the last thing your firm needs is the recognition that your company may have encountered a breach in client data that it maintains. The fines and penalties, litigation costs, mandatory credit reporting for those potentially at risk and other related costs, can destroy your firm’s reputation, as well as jeopardize its ability to continue to exist.

How to Protect Yourself and Your Firm

The best way is through education. Familiarize yourself with the privacy laws that are in place in your home state. Next, know the privacy laws that are in place in the states or countries in which your clients reside and those with whom you may do business.

There are tremendous resources available to assist you in this process. The following are "must view sites" available from the AICPA:


Privacy is a risk-management issue for all organizations, including CPA firms, regardless of size. Take the initiative: become educated on the regulations in place where you and your clients exist, put in place security solutions that meet your needs and, finally, check with your insurance carrier on coverage that may be available to protect you in the event of a failure or breakdown in the process.

James C. Bourke, CPA.CITP.CFF, is director of Firm Technology at WithumSmith+Brown. He is a past president of the New Jersey Society of CPAs and currently serves on AICPA Council and is the Chair of the AICPA CITP Credential Committee. Accounting Today has continually named him as one of the Top 100 Most Influential People in the Profession.