If you have a current CPA license, I am sure you are aware that your WISP (Written Information Security Plan) includes reporting any data breach incidents to any state where you do business. The FTC “Data Breach Response” guide reads, “All states, the District of Columbia, Puerto Rico, and the Virgin Islands have enacted legislation requiring notification of security breaches involving personal information. Depending on the breach's data type, other laws or regulations may apply. Check state and federal laws or regulations for any specific requirements for your business.”
This isn’t necessarily a bad thing; it can get you some much needed help. And yes, you will very much need that help.
Make sure you are doing what you say and not just checking box 11 on your PTIN Application (Form W-12)!
Surprisingly, I have talked to many CPA business owners who don’t have cyber insurance. They simply downloaded, templated, and signed their WISPs with no clue what is really in them.
I am sure all you wonderful people reading this have Multi-Factor Authentication enabled wherever possible. This one has been forced on us by the gorillas of the business world for self-preservation, but are you confident that you:
All these items are intended to protect consumer PII (Personally Identifiable Information), which is why you are required to report if you have a breach. You must report it not only to the state, but also to the victims whose PII was compromised.
Lawyers are often referred to as sharks. Looking at the positive connotation of that, they are a savage, strong, unrelenting advocate who uses all legal tools to win a case. Now, the data breach report is subject to the Freedom of Information Act. This is equivalent to blood in the water and a Captain Quint story: “1100 men went into the water. 316 men come out. The sharks took the rest.” I wonder how that quote translates to legal bills or revenue loss?
In doing my research, I looked at two of our biggest states: California and Texas. California has a user-friendly website that makes it easy to search for CPAs who have reported a data breach. Texas also has one, but unlike California, it does not include the actual notifications sent by victims whose cyber nightmare is just beginning. Pull up one of those links, press CTRL-F, and type in “CPA”. If you don’t have time to read the 931 words in this article, California has 41 hits, and Texas has 3.
Now armed with the names of these poor souls and a search engine, I found multiple sites from law firms “investigating the circumstances surrounding this data breach, including the adequacy of the firm’s data protection protocols and whether affected individuals may be entitled to compensation.” Lawyers investigating the circumstances surrounding a breach doesn’t give me the warm and fuzzies.
Need a little more salt in that wound? Each one of these sites has a nice banner that reads, “If you received a breach notification letter from XYZ CPA, we would like to speak with you about your rights and potential legal remedies.”
If this was your first thought, you’re in good company. My first thought was “Well why put that target on, just don’t report it!” I quickly came up with three great reasons to report it.
So, would that be 900,002 instead of 3 reasons?
Do not feel helpless. You just need to ensure that you are doing what you say in your WISP and that you are complying with what is in the law. If you do find you had a breach, report it immediately. Client notification and communication are key.
The Journal of Accountancy published an article about a CPA firm that delivered a ‘textbook response’ to a data breach. In this article, I did find a silver lining: they didn’t lose a single client, and not one got mad at them, in part because they proactively reported the breach.
If you are not worried about an understaffed IRS checking your WISP, and if you think cyber insurance is a waste of money, hopefully the fear of lawsuits and lawyers will get you to take some action and avoid the worst fate of all.
Editor’s Disclaimer
The views and opinions expressed by the author are solely their own and do not reflect the views of The Woodard Report, Woodard Events, LLC, or any affiliated organizations. The content is provided for informational purposes and should not be interpreted as an official position of any Woodard entity.