
Get Your Cybersecurity Policy Down with a WISP

This blog was provided by Gallagher Affinity, a premier sponsor of the PICPA.

By James Vinocur, JD


Rare is the day that goes by without news of a ransomware attack or a data breach. These attacks target businesses of all sizes, especially those, such as CPAs, who handle and store the personal and private information of customers or clients.

More than 25 states have passed laws that require businesses that handle and store personal information to develop and implement a written information security program (WISP). WISPs document a business’s security policies and procedures for the data and personal information they store. Even in the absence of a statutory requirement, developing a WISP can help businesses think about what kind of data they store, how they store it, and how they safeguard it, thereby reducing the chances of a successful attack. Also, the ability to point to an implemented WISP in the aftermath of a cyberincident can help a business respond to government inquiries, protect its reputation, and mitigate legal liability.

CPA firms are frequent targets for cyberattack because they store the types of information bad actors want most: client names, addresses, Social Security numbers, email addresses, and financial account numbers. Perpetrators use this stolen information to commit further financial fraud, including identity theft and filing fraudulent tax returns. Any firm that keeps this type of data – which extends not just to computerized data but hard copies as well – is likely required to develop and implement a WISP. For example, if a firm uses email to receive their clients’ tax documents and data, uses accounting or tax preparation software, or even stores client information in filing cabinets, then it may need to develop a WISP.

Although 25 states have laws that require businesses to develop and implement WISPs, Pennsylvania only has a requirement for insurance providers. However, any Pennsylvania-based firm with out-of-state clients would likely need to comply with those states’ regulations, since it stores information about residents of those states. In addition, both the Gramm-Leach-Bliley Act (GLBA) and the IRS (see IRS Publication 4557) require CPA firms to implement a written security plan for data under their control. The GLBA’s Safeguards Rule (to be covered further in an upcoming blog post) requires accounting firms of any size to implement a written security plan that, among other requirements, designates an employee to coordinate the firm’s security program, identifies and assesses risks to clients’ personal information, and details a safeguards plan with regular testing.

Even without such a requirement, developing and implementing a WISP can help a business by forcing it to think concretely about data management, risk assessment, training, and technical security:

  • Where is your data stored?
  • Do all employees have access to that data, or is it restricted to only those employees with a real business need?
  • Is the data encrypted or password-protected?

Meanwhile, conducting a risk assessment will help identify where a threat may come from and what employees should be trained to watch for. Finally, a technical review will help identify the technical safeguards the firm is using, including firewalls and regularly updated antivirus software. (It is perhaps for this latter reason that WISPs are often written with help from a firm’s IT department or outside IT vendor.) It should also be noted that being able to point to a WISP can provide a competitive advantage by demonstrating to potential clients that the firm takes the security and safety of their personal information seriously.

WISP templates and examples can be found online, but firms are advised to consult with both their IT vendor and an attorney to ensure that the WISP complies with all applicable state and federal laws. Implementing a WISP, however, is just one piece of the protective armor against cyber-risks. Attacks are becoming more frequent, more sophisticated, and more expensive. All firms, small and large, should seriously consider cyberthreat insurance to mitigate costs related to regulatory action, cyberattacks, and post-incident litigation. In addition, developing a cyberincident response plan can assist a firm with quickly recovering from an incident and reducing stress and costs.


James Vinocur, JD, is a partner at Goldberg Segalla in New York City, where he specializes in data privacy and cybersecurity issues. He frequently advises entities on data breaches and other cyberincidents, including ransomware attacks. Prior to joining Goldberg Segalla, he served as deputy chief of the Cybercrimes Bureau of the Manhattan District Attorney’s Office. He can be reached at jvinocur@goldbergsegalla.com.


Get more information on cyber insurance plans offered by PICPA premier sponsor Gallagher Affinity.

