Nov 23, 2020

The Safeguards Rule and CPAs: How to Prepare an Information Security Plan

By James M. Paulino II, CIPP/US, and Nicholas J. Pontzer

You may not realize it, but federal law obligates CPAs across the country to maintain a written information security plan that annually assesses their security posture and ensures that "adequate safeguards are in place" to protect sensitive personal information. While you may turn your nose at the notion of greater government regulation, from a client services and business reputation perspective, meaningful compliance provides an ideal opportunity to assess and minimize your cybersecurity vulnerabilities and to protect clients and employees from the increasing threat of identity theft.

Yes…It's the Law

In 1999, Congress passed the Gramm-Leach-Bliley Act (GLBA), also known as the Financial Services Modernization Act of 1999, requiring financial institutions to, among other things, implement written security safeguards for customer information. In May 2003, the Federal Trade Commission (FTC), pursuant to Subtitle A of Title V of the GLBA, promulgated the “Safeguards Rule” that established standards for financial institutions relating to administrative, technical, and physical safeguards for certain information. The Safeguards Rule requires a financial institution to develop, implement, and maintain a comprehensive, written information security program to handle all ways the institution accesses, collects, distributes, processes, protects, stores, uses, transmits, disposes of, or otherwise handles customer information. Pursuant to the Safeguards Rule, a financial institution must meet certain requirements:

  • Designate one or more employees to coordinate its written information security program.
  • Identify and assess reasonably foreseeable risks to customer information that could result in the unauthorized disclosure, misuse, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks. At a minimum, the risk assessment should include consideration of risks of each area of operations, including employee training and management, information systems, and the detection and prevention of attacks, intrusions, or other systems failures.
  • Design and implement information safeguards to control the risks identified through the risk assessment, and regularly monitor and test them.
  • Select service providers that can maintain appropriate safeguards, and contractually obligate service providers to implement and maintain those safeguards.
  • Evaluate and adjust the written information security program in light of relevant circumstances, including changes in the firm’s business or operations or the results of security testing and monitoring.

It would be a mistake to associate the GLBA exclusively with large banks or other financial institutions; it applies to all “financial institutions,” which are defined as businesses, regardless of size, that are “significantly engaged” in providing financial products or services, including professional tax preparers.1 Thus, CPAs must comply with the GLBA and its Safeguards Rule. Certain states, such as Massachusetts, require additional information to be included in a financial institution’s written information security plan, and those states assert jurisdiction over anyone who maintains information for their residents, regardless of your physical location.

Follow the Data to Create Your Plan

When we assist CPA firms in preparing a written information security plan, we start by locating all personal information stored on internet-connected devices—like Social Security and bank account numbers—and then work backward to craft reasonable technical and administrative measures to keep those "crown jewels" safe. Too often, clients lose sight of the cybersecurity forest for the trees by starting with largely technical concepts, such as firewalls, ransomware protection, and multifactor authentication, and miss the intuitive and simple protections such as deleting old emails and moving previous years' tax documents off the server to detachable USB drives.

Your first step, therefore, is to identify every jot and byte of personal information in your possession regarding clients, employees, 1099 contractors, and anyone else whose information you store on your servers, your email accounts, local hard drives, offsite backups, paper files, and any online vendor portals, including payroll and client file shares. The initial data mapping process can be tedious, but many hands make light work. No one person has a monopoly on information, so we encourage a team approach that includes human resources or business managers.
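The data-mapping step above is easier to do from evidence than from memory. The following is an added example, not code from the article or its authors: a small scanner that walks a directory of text files and reports where Social Security numbers and labelled bank account numbers appear, masking the values so the report does not itself become another PII store. The file paths and contents are constructed samples, and the account-number pattern is a hypothetical heuristic, not a vendor format.

```python
"""Added example: PII discovery scanner for the data-mapping step (not the article's code)."""
import os
import re
import tempfile
from collections import Counter

# SSN as written on forms: 123-45-6789 (also accept 123 45 6789)
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
# Hypothetical heuristic: a labelled run of 8-17 digits ("Account No: ...", "acct# ...")
ACCT_RE = re.compile(r"(?i)\b(?:acct|account)\s*(?:no\.?|#|number)?[:\s]*(\d{8,17})\b")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000, 666 or 900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def mask(value):
    """Keep only the last four characters so the report is safe to circulate internally."""
    return "*" * (len(value) - 4) + value[-4:]


def scan_text(text, source):
    """Return (source, line_no, kind, masked_value) findings for one file's text."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            if plausible_ssn(*m.groups()):
                findings.append((source, line_no, "ssn", mask(m.group(0))))
        for m in ACCT_RE.finditer(line):
            findings.append((source, line_no, "account", mask(m.group(1))))
    return findings


def scan_tree(root, extensions=(".txt", ".csv", ".log", ".eml")):
    """Walk a directory tree and scan every file with one of the given extensions."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_text(fh.read(), path))
    return findings


def summarize(findings):
    """Findings per file: the figure that goes into the data map."""
    return Counter(src for src, _, _, _ in findings)


# Constructed sample files (hypothetical paths and values, not real data).
SAMPLE_FILES = {
    "clients/2019/w2_batch.csv": "name,ssn\nA. Client,123-45-6789\nB. Client,000-12-3456\n",
    "hr/direct_deposit.txt": "Account No: 123456789012 routing 021000021\n",
    "notes/readme.txt": "nothing sensitive here\n",
}


def demo():
    """Write the samples to a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    results = demo()
    for src, line_no, kind, value in results:
        print(f"{src}:{line_no}: {kind} {value}")
    print(dict(summarize(results)))
```

Two findings come back from the samples: the valid SSN in the W-2 batch (the 000-area value is rejected as impossible) and the labelled account number in the direct-deposit note; the unlabelled routing number is deliberately ignored. Point `scan_tree` at a file share or mailbox export and the per-file counts give you the inventory the plan needs; the regexes are a starting point and should be extended for whatever identifiers your firm actually stores.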

Once you've mapped the data, your next step is to spot the ways a criminal (we think of them as pirates trolling the high seas of the world wide web) can steal that information and to implement the policies, procedures, and technology necessary to plug the security holes as best you can. Policies and procedures are just as important as technology, recognizing that human errors, from weak passwords to opening virus-infected email attachments, account for many successful attacks. The safest data is the data removed from your system, and email shredding (deleting everything not saved locally after a finite number of days), archiving on removable storage devices, encrypting data at rest, employing password protection, and limiting access to those with a "need to know" all help accomplish this goal. Does everyone in your organization need remote access? If not, shut it off. While it may sound old-fashioned, if your computer does not require internet access, then do not provide it.

Step three is to train your employees to maintain cyber-hygiene. Let’s face it, the Internet is a dirty and dangerous place full of pirates waiting to attack. Every single device and program that accesses the Internet, therefore, is a potential opening for attack against your company—and employees need to realize this. So, prepare and implement policies that require complex passwords that are changed every 60 days and that teach employees to be suspicious of every email and attachment—regardless of the supposed sender. When in doubt, click Delete! Prohibit stored passwords in browsers or in Excel spreadsheets saved on the system. And conduct both annual training and regular reminders to foster a culture of cyber-hygiene throughout the year.

Step four is to inventory all of your technology, software, and online accounts to ensure you are using the most up-to-date programs, settings, and authentication methods to prevent unauthorized access. Does your payroll vendor use a secure website that masks personal information, or is everything accessible with a username and simple password? Is your firewall configured to prohibit data exports over a certain size or connections to questionable IP addresses (like Russia, Nigeria, or anywhere pirates might operate safe from law enforcement)? Do you use versions of Windows that are no longer supported? Have you deactivated user accounts for former employees? Is remote access limited to those with an absolute business need, or do you have Wi-Fi that is open to the public or a router with default settings? This is where an information security (IS) vendor can be a valuable ally, in addition to your information technology (IT) manager. But do not trust proposed solutions unless the vendor can identify and explain the problem they intend to fix.
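The inventory questions above (deactivated accounts for former employees, unsupported versions of Windows) are worth turning into a check you can re-run every year. The following is an added example, not code from the article or its authors: it takes a list of user accounts and a list of workstations (both constructed here; a real run would export them from your directory and asset system) and flags enabled accounts that belong to departed staff or have not logged on in 90 days, plus machines whose operating system is past vendor support. The end-of-support table is an assumption you maintain from vendor lifecycle pages; the two dates in it are the published Windows 7 and Windows 10 dates, but the table must be kept current.

```python
"""Added example: repeatable account and operating-system inventory check (not the article's code)."""
from datetime import date, timedelta

# Assumed lifecycle table, to be maintained from vendor lifecycle pages.
END_OF_SUPPORT = {
    "Windows 7": date(2020, 1, 14),
    "Windows 10": date(2025, 10, 14),
}
STALE_AFTER = timedelta(days=90)  # assumed idle threshold for an enabled account


def account_findings(accounts, today):
    """Flag enabled accounts that should have been deactivated or reviewed."""
    findings = []
    for a in accounts:
        if not a["enabled"]:
            continue  # already deactivated: nothing to report
        terminated = a.get("terminated")
        if terminated is not None and terminated <= today:
            findings.append((a["user"], "still enabled after departure"))
        elif today - a["last_logon"] > STALE_AFTER:
            findings.append((a["user"], "no logon in 90 days"))
    return findings


def host_findings(hosts, today):
    """Flag hosts on an unsupported OS, or on one the lifecycle table does not know."""
    findings = []
    for h in hosts:
        eos = END_OF_SUPPORT.get(h["os"])
        if eos is None:
            findings.append((h["host"], f"{h['os']} not in lifecycle table"))
        elif eos < today:
            findings.append((h["host"], f"{h['os']} unsupported since {eos.isoformat()}"))
    return findings


# Constructed sample records (hypothetical users and hosts).
ACCOUNTS = [
    {"user": "alice", "enabled": True, "last_logon": date(2020, 11, 20)},
    {"user": "bob", "enabled": True, "last_logon": date(2020, 9, 29), "terminated": date(2020, 9, 30)},
    {"user": "carol", "enabled": True, "last_logon": date(2020, 6, 1)},
    {"user": "dave", "enabled": False, "last_logon": date(2019, 2, 1), "terminated": date(2019, 2, 1)},
]
HOSTS = [
    {"host": "ws01", "os": "Windows 10"},
    {"host": "ws02", "os": "Windows 7"},
    {"host": "ws03", "os": "Ubuntu 20.04"},
]
TODAY = date(2020, 11, 23)  # constructed reference date (the article's date)


def run_inventory(accounts=ACCOUNTS, hosts=HOSTS, today=TODAY):
    """Return both sets of findings so they can go straight into the annual review."""
    return {"accounts": account_findings(accounts, today), "hosts": host_findings(hosts, today)}


if __name__ == "__main__":
    for section, items in run_inventory().items():
        print(section)
        for name, reason in items:
            print(f"  {name}: {reason}")
```

Against the sample data the check reports bob (still enabled after his departure), carol (no logon in 90 days), ws02 (Windows 7 past end of support) and ws03 (an OS the table does not cover, which is itself an inventory gap to close). Disabled accounts are skipped, so the output is exactly the list of things to act on.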

A critical consideration for CPAs is to ensure the programs you use, including tax preparation software, are secure. (Often, many are not.) Stated simply, do not trust some big corporation that sells software to protect you. Moreover, default settings are generally intended to make things easy, not secure, so be sure all security features are activated, including mandatory passwords for programs and files, multifactor authentication, and encryption. We have found that some software does not include encryption for locally installed programs but does encrypt data when using online versions. Software websites are less than clear, so a telephone call to the developer may be a good idea when writing your plan.

And…always use modern antivirus protection, preferably with active email and website scanning and endpoint monitoring to identify any suspicious processes and potential unauthorized access to the network. When clients ask if the "free" software they found online is sufficient, we always ask if they would ever skimp on the number of smoke detectors and sprinklers installed in their offices or in their homes. Would they buy door locks or security alarms that they know could fail…or use free ones from some unknown manufacturer? If you'd pay a little extra to keep yourself safe from a physical fire or break-in, consider that the damage caused by a virus can be just as great, and it is likely to occur with a much higher probability.

Make It Social

Finally, you are required to review and update your plan on an annual basis. If your data is protected and your system is secure, that should provide an opportunity to celebrate another year as a "cyber-accident-free workplace" and an opportunity to examine how your firm has changed or grown over time. We always encourage our clients to schedule a lunch or a happy hour to review the plan, take stock of their position in the connected world, and ensure employees take the necessary steps to maintain their security over the coming year.

1 See 15 USC Section 6809(3)(A).

James M. Paulino II, CIPP/US, is a partner in the Goldberg Segalla LLP Data Privacy and Cybersecurity practice group, working in the firm’s Rochester, N.Y., office. He can be reached at jpaulino@goldbergsegalla.com.

Nicholas J. Pontzer is an associate at Goldberg Segalla LLP also working in the Rochester office. He can be reached at npontzer@goldbergsegalla.com.

Statements of fact and opinion are the authors’ responsibility alone and do not imply an opinion on the part of PICPA officers or members. The information contained herein does not constitute accounting, legal, or professional advice. For professional advice, please engage or consult a qualified professional.