When Are CPAs Liable for Cybersecurity?

Cybercrime’s global cost will exceed $1 trillion between 2017 and 2021. CPA firms should do three things to protect themselves.

Cathy Whitley

July 22, 2019

Cybersecurity attacks are inevitable. That’s the unfortunate reality. In fact, in a special report, Cybersecurity Ventures projects cybercrime’s global cost will exceed $1 trillion between 2017 and 2021. Safeguarding clients’ nonpublic information from cyber-criminals is a top priority for CPA firms. The latest data breach statistics from the 2017 Identity Theft Resource Center Data Breach Report show an alarming number of exposed consumer records in the U.S.

1,579 reported breaches, exposing 179 million records
55% of all breaches involved businesses
59% of all breaches resulted from hacking by outside sources
53% of all breaches exposed Social Security numbers

Now more than ever, organizations and accounting firms of all sizes need to be vigilant about protecting data and responding to threats. What’s my liability? “That’s a big question we hear from firms regardless of whether they’ve been attacked,” said Stan Sterna, vice president and risk control specialist for Aon. “There are actually no uniform federal laws on business cybersecurity. But there is a patchwork of state and federal rules.” Under certain state laws, CPAs can face liability for cybersecurity breaches that expose personal information. Most states have rules for handling breach notifications and for what remediation measures need to be taken. Breach requirements depend on where the client resides – not where your firm is located. We encourage you to learn the dynamic requirements of states that apply to you. The Texas data breach notification law has been amended several times since its passage in 2009. It requires notification of affected individuals in the event a data breach results in the disclosure of unencrypted personal information consisting of an individual’s first name or first initial, last name and certain personal information such as Social Security and driver’s license numbers. Federal rules and law The Safeguards Rule is enforced by the Federal Trade Commission and applies to all companies defined as financial institutions under the Gramm-Leach-Billey (GLB) Act. Businesses that prepare tax returns fall within this definition. Under the rule, businesses are required to develop a written information security plan that describes their program to protect customer information. There are five additional requirements. Learn about the rule and implement applicable compliance protocols. Do clients have standing to sue a CPA firm if they did not suffer damages as a result of a data breach? At the federal level, the circuit courts are split as to what constitutes sufficient standing to sue in cyber breach cases. Some courts hold that companies may be liable for damages if client or employee data is stolen, even if the theft causes no harm; instead, it’s sufficient to merely allege that the information was compromised. This broad interpretation will only further increase the risk of cyber liability claims. Two recent decisions illustrate these differences:

The Sixth Circuit court, citing the defendant’s offer for free credit monitoring as evidence, joined the Seventh and Ninth circuits in holding that a cyber victim's fear of future harm is real and provides sufficient standing to sue. This particular ruling specifically undermines the defense that if no actual cyber fraud or identity theft occurred, the victim has not been damaged and has no standing to sue.
However, in another case, the Fourth Circuit held that a plaintiff must allege and show that their personal information was intentionally targeted for theft in a data breach and that there is evidence of the misuse or accessing of that information by data thieves. The division among the circuit courts as to standing is not likely to be resolved unless the U.S. Supreme Court decides a case on the issue.

New cybersecurity regulation sets the stage for other states to follow In response to several highly publicized consumer data breaches, in 2017 the New York State Department of Financial Services enacted 23 NYCRR 500, “Cyber Requirements for Financial Services Companies,” with which all affected firms must now comply. These “first-in the-nation” data security regulations establish the steps that covered entities must take to secure customer data. The regulations are designed to combat potential cyber events that have a reasonable likelihood of causing material harm to a covered entity’s normal business operations. See also: 4 Ways to Boost Cybersecurity Specifically, insurers, banks, money services businesses and regulated vital currency operators doing business in New York with 10 or more employees and $5 million or more in revenues must comply with the new rules. Under the provisions, companies must:

Conduct a cybersecurity risk assessment, prepare a cybersecurity program subject to annual audit and establish a written policy tailored to the company's individualized risks that are approved by senior management;
Appoint a chief information security officer (CISO) responsible for the cybersecurity program who regularly reports on the integrity, security, policies, procedures, risks and effectiveness of the program and on cybersecurity events;
Establish multi-factor authentication for remote access of internal servers;
Encrypt nonpublic information (PII) and regularly dispose of any nonpublic information that is no longer necessary for conducting business (unless required to be retained by law).
Prepare a written incident response plan that effectively responds to events and immediately provides notice to the superintendent of the New York Department of Financial Services of any breaches where notice is required to be provided to any government body, self-regulatory agency or any other supervisory body or where there is a “reasonable likelihood” of material harm to the normal operations of the business;
Implement a written policy addressing security concerns associated with third parties who provide services to the covered entity that contain guidelines for due diligence or contractual protections relating to the provider’s policies for access, encryption, notification of cybersecurity events affecting the covered entity’s nonpublic information and representations addressing the provider’s cybersecurity policies relating to the security of the covered entity’s information systems or nonpublic information;
Annually file a statement with the New York Department of Financial Services certifying compliance with the regulations.

Meanwhile, the California Consumer Privacy Act of 2018 (CCPA) goes into effect on Jan. 1, 2020. The CCPA represents a significant expansion of consumer privacy regulation. Its GDPR-like statutory framework gives California consumers the:

Right to know what categories of their personal information have been collected
Right to know whether their personal information has been sold or disclosed, and to whom
Right to require a business to stop selling their personal information upon request
Right to access their personal information
Right to prevent a business from denying equal service and price if a consumer exercises rights per the statute
Right to a private cause of action under the statute

What is the impact of these new regulations on CPA firms? Whether or not a CPA provides professional services for an entity covered by the New York Department of Financial Services or the CCPA, these new rules are important:

Regulation in one state frequently results in regulation in other states; both the New York and California cybersecurity regulations may serve as a template for other states contemplating cyber security legislation.
The regulations create a framework for plaintiffs' attorneys to follow when alleging that a company (regardless of whether it is a New York or California covered entity) should have done more to protect private information, keep consumers informed or prevent a data breach or that a CPA firm should have detected data security issues while providing professional services.

Take preventative action now “If someone sues your firm because of a data breach, you may have a stronger case if you can show that you’ve taken reasonable measures to help prevent an attack or theft,” Sterna advised. “Setting up systems to assist in prevention is an important aspect of managing cybersecurity risk.” Here are three tips to get you started: Start with an assessment. What are your cybercrime defenses? Do you have gaps in your data security procedures? Do you have controls in place? How do you document incidents when they happen? What is your response plan when incidents occur? “Mapping where you stand today and your vulnerabilities is the best way to understand your next steps,” Sterna said. The AICPA’s cybersecurity risk management reporting framework helps you assess existing risk management programs. The Private Companies Practice Section cybersecurity toolkit can also help you understand the most common cybersecurity threats. Implement best practices. At a minimum:

Use encryption wherever appropriate to protect sensitive data. This includes laptops, desktops and mobile devices. Failing to do so threatens your data and your reputation.
Train employees to recognize threats and safeguard equipment and data.
Develop and practice your response plan for various situations such as a ransomware attack, hack or ID theft.
Back up your data so you’ll still have access to it if it’s lost or stolen.
Keep your equipment physically secure in your office and on the road.

Get an outsider’s perspective. What better way to learn your firm’s vulnerabilities than to hire an expert for penetration testing? Through a penetration test, a third-party consultant will perform a test tailored to your firm’s needs and budget. They’ll provide insights on your firm’s vulnerabilities and educate you about solutions for protecting your practice. A consultant can also help you implement regular drills that test your firm’s response in the case of various attack scenarios. See also: Cybersecurity for the Insurance Industry Legal and insurance considerations CPA firms should consult with their legal counsel to assess the firm's risk of first/third party data security claims and assess vendor data security coverage. The existence and adequacy of data security used by third-party vendors (including contract tax return preparers) is often overlooked. CPA firms also should consult with their insurance agent or broker to review their current cyber policy to ascertain the adequacy of coverage. This article is provided for general informational purposes only and is not intended to provide individualized business, insurance or legal advice. You should discuss your individual circumstances thoroughly with your legal and other advisers before taking any action with regard to the subject matter of this article. Only the relevant insurance policy provides actual terms, coverages, amounts, conditions and exclusions for an insured.